xtremerat | d0ab150d4dbe72adc755f6157a8adf1065720ad6d36af5731eb99644f60305b6

Analysis

max time kernel
72s
max time network
48s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6509b534a745133b64d524355a71b050.exe
Size

67KB
MD5

6509b534a745133b64d524355a71b050
SHA1

d4ecd58a840be99ec5cd62a4e9e14d1fcf68ac6f
SHA256

d0ab150d4dbe72adc755f6157a8adf1065720ad6d36af5731eb99644f60305b6
SHA512

c4b7055db8a0e283f41c869170b2fcab5bb4dc190e049e357be8671bba00e8543f1fe99a6262413fb36d982ac9b842f45fe8f3d285e8346a5e999252d9eed4a4
SSDEEP

1536:rBzvwXhupO/ijb7BT7/396+xuP3OL8U9vhc:rBvwcUifdT7/t6+xuP3c8Shc

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 64 IoCs

resource	yara_rule
behavioral1/memory/2332-0-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/3028-6-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/2332-19-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/2664-29-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/2580-31-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/2580-46-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/1920-47-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/1636-57-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/1656-56-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/1920-69-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/1636-78-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/1780-79-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/2420-87-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/928-102-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/1780-111-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/560-121-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/2284-122-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/1000-130-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/3092-135-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/1164-141-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/2592-146-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/2284-149-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/2648-156-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/3092-162-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/3736-170-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/3856-175-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/3936-180-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/4044-185-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/3308-191-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/3704-193-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/3028-195-0x0000000000500000-0x0000000000525000-memory.dmp	family_xtremerat
behavioral1/memory/3028-194-0x0000000000500000-0x0000000000525000-memory.dmp	family_xtremerat
behavioral1/memory/4200-203-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/3704-205-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/4200-204-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/4448-209-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/4448-211-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/4660-215-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/4660-217-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/4856-222-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/4992-228-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5040-231-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5068-232-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5068-234-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/3704-244-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/3704-246-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5196-299-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5280-412-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5404-509-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5544-604-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5544-617-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5652-619-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5592-632-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/6592-630-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5592-629-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5668-635-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/6676-633-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5668-666-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/6040-720-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5472-722-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/6040-724-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5472-729-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/5732-731-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral1/memory/6688-730-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	JaffaCakes118_6509b534a745133b64d524355a71b050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe

Executes dropped EXE 64 IoCs

pid	Process
2796	119Auto Spammer.exe
2664	Server.exe
2560	119Auto Spammer.exe
2580	Server.exe
1656	Server.exe
880	119Auto Spammer.exe
1920	Server.exe
2120	119Auto Spammer.exe
1636	Server.exe
2420	Server.exe
944	119Auto Spammer.exe
928	Server.exe
2196	119Auto Spammer.exe
1780	Server.exe
352	119Auto Spammer.exe
560	Server.exe
1000	Server.exe
2012	119Auto Spammer.exe
1164	Server.exe
2544	119Auto Spammer.exe
2592	Server.exe
1724	119Auto Spammer.exe
2284	Server.exe
1560	119Auto Spammer.exe
2648	Server.exe
3092	Server.exe
3708	119Auto Spammer.exe
3736	Server.exe
3836	119Auto Spammer.exe
3856	Server.exe
3900	119Auto Spammer.exe
3936	Server.exe
4008	119Auto Spammer.exe
4044	Server.exe
4092	119Auto Spammer.exe
3308	Server.exe
3704	Server.exe
4172	119Auto Spammer.exe
4200	Server.exe
4388	119Auto Spammer.exe
4448	Server.exe
4580	119Auto Spammer.exe
4660	Server.exe
4836	119Auto Spammer.exe
4856	Server.exe
4964	119Auto Spammer.exe
4992	Server.exe
5004	119Auto Spammer.exe
5040	Server.exe
5068	Server.exe
3876	119Auto Spammer.exe
3704	Server.exe
5176	119Auto Spammer.exe
5196	Server.exe
5264	119Auto Spammer.exe
5280	Server.exe
5396	119Auto Spammer.exe
5404	Server.exe
5524	119Auto Spammer.exe
5544	Server.exe
5572	119Auto Spammer.exe
5592	Server.exe
5624	119Auto Spammer.exe
5668	Server.exe

Loads dropped DLL 64 IoCs

pid	Process
2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe
2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe
2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe
2664	Server.exe
3028	svchost.exe
2580	Server.exe
1656	Server.exe
3028	svchost.exe
1920	Server.exe
1636	Server.exe
2420	Server.exe
3028	svchost.exe
928	Server.exe
1780	Server.exe
560	Server.exe
1000	Server.exe
3028	svchost.exe
1164	Server.exe
2592	Server.exe
2284	Server.exe
2648	Server.exe
3092	Server.exe
3028	svchost.exe
3736	Server.exe
3856	Server.exe
3936	Server.exe
4044	Server.exe
3308	Server.exe
3704	Server.exe
3028	svchost.exe
4200	Server.exe
4448	Server.exe
4660	Server.exe
4856	Server.exe
4992	Server.exe
5040	Server.exe
5068	Server.exe
3028	svchost.exe
3704	Server.exe
5196	Server.exe
5280	Server.exe
5404	Server.exe
5544	Server.exe
5652	Server.exe
5592	Server.exe
5668	Server.exe
3028	svchost.exe
6040	Server.exe
5472	Server.exe
5732	Server.exe
5340	Server.exe
6464	Server.exe
6676	Server.exe
6592	Server.exe
3028	svchost.exe
6824	Server.exe
6796	Server.exe
6472	Server.exe
6688	Server.exe
6892	Server.exe
7048	Server.exe
6124	Server.exe
3028	svchost.exe
5772	Server.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	JaffaCakes118_6509b534a745133b64d524355a71b050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2332-0-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/3028-6-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/files/0x0007000000016c7c-7.dat	upx
behavioral1/memory/2332-20-0x0000000002AD0000-0x0000000002AF5000-memory.dmp	upx
behavioral1/memory/2332-19-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/2664-29-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/2580-31-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/1656-37-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/2580-46-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/1920-47-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/1636-57-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/1656-56-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/1920-69-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/1636-78-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/1780-79-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/2420-87-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/1000-93-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/1164-104-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/928-102-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/1780-111-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/560-121-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/2284-122-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/1000-130-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/3092-135-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/3736-139-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/1164-141-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/2592-146-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/2284-149-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/2648-156-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/3308-158-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/3092-162-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/3736-170-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/3856-175-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/3936-180-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/4044-185-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/3308-191-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/3704-193-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/3028-194-0x0000000000500000-0x0000000000525000-memory.dmp	upx
behavioral1/memory/4200-203-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/3704-205-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/4200-204-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/4448-209-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/4448-211-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/4660-215-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/4660-217-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/4856-222-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/4992-228-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/5040-231-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/5068-232-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/5068-234-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/3704-244-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/3704-246-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/5196-299-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/5280-412-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/5404-509-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/5544-604-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/5544-617-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/5652-619-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/5592-632-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/6592-630-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/5592-629-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/5668-635-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/6676-633-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/5668-666-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6509b534a745133b64d524355a71b050.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DC776601-C903-11EF-9CB4-D238DC34531D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2620	iexplore.exe
2184	iexplore.exe
2236	iexplore.exe
2948	iexplore.exe
2940	iexplore.exe
1676	iexplore.exe
1900	iexplore.exe
2512	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe
2796	119Auto Spammer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 3028	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	31
PID 2332 wrote to memory of 3028	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	31
PID 2332 wrote to memory of 3028	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	31
PID 2332 wrote to memory of 3028	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	31
PID 2332 wrote to memory of 3028	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	31
PID 2332 wrote to memory of 2916	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	32
PID 2332 wrote to memory of 2916	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	32
PID 2332 wrote to memory of 2916	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	32
PID 2332 wrote to memory of 2916	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	32
PID 2332 wrote to memory of 2916	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	32
PID 2332 wrote to memory of 2216	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	33
PID 2332 wrote to memory of 2216	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	33
PID 2332 wrote to memory of 2216	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	33
PID 2332 wrote to memory of 2216	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	33
PID 2332 wrote to memory of 2216	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	33
PID 2332 wrote to memory of 1452	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	34
PID 2332 wrote to memory of 1452	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	34
PID 2332 wrote to memory of 1452	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	34
PID 2332 wrote to memory of 1452	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	34
PID 2332 wrote to memory of 1452	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	34
PID 2332 wrote to memory of 1648	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	35
PID 2332 wrote to memory of 1648	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	35
PID 2332 wrote to memory of 1648	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	35
PID 2332 wrote to memory of 1648	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	35
PID 2332 wrote to memory of 1648	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	35
PID 2332 wrote to memory of 2696	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	36
PID 2332 wrote to memory of 2696	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	36
PID 2332 wrote to memory of 2696	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	36
PID 2332 wrote to memory of 2696	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	36
PID 2332 wrote to memory of 2696	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	36
PID 2332 wrote to memory of 2684	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	37
PID 2332 wrote to memory of 2684	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	37
PID 2332 wrote to memory of 2684	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	37
PID 2332 wrote to memory of 2684	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	37
PID 2332 wrote to memory of 2684	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	37
PID 2332 wrote to memory of 2748	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	38
PID 2332 wrote to memory of 2748	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	38
PID 2332 wrote to memory of 2748	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	38
PID 2332 wrote to memory of 2748	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	38
PID 2332 wrote to memory of 2748	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	38
PID 2332 wrote to memory of 2764	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	39
PID 2332 wrote to memory of 2764	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	39
PID 2332 wrote to memory of 2764	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	39
PID 2332 wrote to memory of 2764	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	39
PID 2332 wrote to memory of 2796	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	40
PID 2332 wrote to memory of 2796	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	40
PID 2332 wrote to memory of 2796	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	40
PID 2332 wrote to memory of 2796	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	40
PID 2332 wrote to memory of 2664	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	41
PID 2332 wrote to memory of 2664	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	41
PID 2332 wrote to memory of 2664	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	41
PID 2332 wrote to memory of 2664	2332	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	41
PID 2664 wrote to memory of 2876	2664	Server.exe	42
PID 2664 wrote to memory of 2876	2664	Server.exe	42
PID 2664 wrote to memory of 2876	2664	Server.exe	42
PID 2664 wrote to memory of 2876	2664	Server.exe	42
PID 2664 wrote to memory of 2876	2664	Server.exe	42
PID 2664 wrote to memory of 2812	2664	Server.exe	43
PID 2664 wrote to memory of 2812	2664	Server.exe	43
PID 2664 wrote to memory of 2812	2664	Server.exe	43
PID 2664 wrote to memory of 2812	2664	Server.exe	43
PID 2664 wrote to memory of 2812	2664	Server.exe	43
PID 2664 wrote to memory of 2740	2664	Server.exe	44
PID 2664 wrote to memory of 2740	2664	Server.exe	44

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6509b534a745133b64d524355a71b050.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6509b534a745133b64d524355a71b050.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  PID:3028
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1656
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:276
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1664
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1996
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2092
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2456
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1468
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1672
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2120
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:1636
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2076
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2392
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1196
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2436
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1524
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1300
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:896
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1780
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1716
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:900
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1492
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2480
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2784
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        8⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        9⤵
        Executes dropped EXE
        
        PID:5176
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        10⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        
        PID:5472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        11⤵
        
        PID:5700
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        11⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:6688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7496
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        12⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:7592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:7656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:7816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:7992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:6724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8416
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        13⤵
        
        PID:8448
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:8484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:8608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:8796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:8968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:9060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:9072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:9328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:9460
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:9508
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:9516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:9588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:9800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:9964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:7760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10872
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        15⤵
        
        PID:10920
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:10972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:11120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:7420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:10632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:11080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:11484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:11868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:12112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:9544
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        16⤵
        
        PID:11360
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        16⤵
        
        PID:11552
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2420
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2528
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2156
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2292
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2820
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:448
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2872
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1532
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      Executes dropped EXE
      PID:352
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:560
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1852
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2336
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:400
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1948
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1592
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3024
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1832
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2024
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        Executes dropped EXE
        
        PID:1724
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2284
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2816
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3168
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3540
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3588
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3628
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3672
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3864
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        Executes dropped EXE
        
        PID:3900
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        8⤵
        Executes dropped EXE
        
        PID:5264
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        
        PID:5732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6868
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        
        PID:6892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        11⤵
        
        PID:7668
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:7696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:8056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:8288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:8380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:8540
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        12⤵
        
        PID:8640
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:8684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:9028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:7336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:9304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:9444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:9624
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        13⤵
        
        PID:9656
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:9692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:9772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:9956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:10108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:9712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:10488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:10680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:10856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:11036
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        14⤵
        
        PID:11112
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:11168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:7716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:8304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:9572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:11468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:11876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:12128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:9640
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:1000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2056
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2832
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1940
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1584
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3020
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2332
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2656
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1560
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2648
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:828
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3532
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3580
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3620
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3664
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3756
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3824
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3984
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        Executes dropped EXE
        
        PID:4008
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:4044
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2688
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3948
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1164
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4228
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4380
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4756
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        Executes dropped EXE
        
        PID:4836
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        8⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        9⤵
        
        PID:7020
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Adds Run key to start application
        
        PID:7048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:7240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:7324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:7480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:7624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:7804
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        10⤵
        
        PID:7828
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:8068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:8280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:8388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:8548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:8740
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8804
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:8820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:8904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:9008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:9192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:8200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:9256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:9392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:9552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:9748
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        12⤵
        
        PID:9808
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        12⤵
        Adds Run key to start application
        
        PID:9852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:9896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:10028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:10132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:10504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:10688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:10864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:11028
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        13⤵
        
        PID:11104
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        13⤵
        
        PID:11196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:10356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:10636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:9744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:11460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:11920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:12136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:8456
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:3092
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3324
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3556
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3604
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3644
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3688
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3800
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3908
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      Executes dropped EXE
      PID:4092
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3308
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1120
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:992
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3096
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4100
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4160
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4296
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4572
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4888
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        Executes dropped EXE
        
        PID:4964
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:4992
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4136
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3932
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5080
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4240
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5316
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5476
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5524
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:5544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        
        PID:6464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:7248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:7392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:7488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:7688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:7836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:8000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:8084
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:8148
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:8156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:8324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:8424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:8580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:8776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:8944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:9044
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        10⤵
        
        PID:9108
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        Adds Run key to start application
        
        PID:9212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:8296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:9272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:9420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:9616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:9832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:9992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:10124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:10204
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        11⤵
        
        PID:10300
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:10368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:10644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:10840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:11016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:9076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:9372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:9696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:11492
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        12⤵
        
        PID:11620
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        12⤵
        
        PID:11796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:12072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:12240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:11520
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:3704
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3952
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2648
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3568
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4116
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4208
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4316
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4708
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      Executes dropped EXE
      PID:5004
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5040
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4216
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3860
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3940
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4880
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3736
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5136
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5328
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5484
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5572
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:5592
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5756
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5840
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5972
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5260
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5728
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6420
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        
        PID:6656
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        
        PID:6676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:7064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:7120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8096
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        8⤵
        
        PID:7332
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Adds Run key to start application
        
        PID:6472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:7644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:7180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:8340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:8472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:8632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:8852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:8976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:9124
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:8180
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:7420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:9344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:9488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:9668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:9920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:10044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:10180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:9768
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        10⤵
        
        PID:9532
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        
        PID:10244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:10600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:10744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:10928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:11148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:10328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:10720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:11072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:11444
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        11⤵
        
        PID:11604
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        11⤵
        
        PID:11660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:12024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:12212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:11320
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5068
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4248
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4508
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4784
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4972
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5028
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5164
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5380
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5512
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5624
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Loads dropped DLL
      Adds Run key to start application
      PID:5652
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5796
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5864
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5928
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5996
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5208
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5568
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5088
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6408
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6584
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6592
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7088
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6208
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6284
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6512
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7136
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6388
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        
        PID:6844
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:7192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:7280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:7448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:7532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:7740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:7912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:8032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:8124
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7604
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:9140
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7596
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Adds Run key to start application
        
        PID:9208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:9352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:9480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:9676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:9912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:10052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:10168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:10080
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        9⤵
        
        PID:10292
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:10384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:10664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:10848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:11056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:10312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:7432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:10808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:11088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:11524
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        10⤵
        
        PID:11764
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        
        PID:11832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:12080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:12248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:11572
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5668
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5788
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5856
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5920
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5988
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4452
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5564
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:6016
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:6428
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6768
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Loads dropped DLL
      Adds Run key to start application
      PID:6824
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5444
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6184
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6312
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5680
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6628
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6940
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:7152
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6484
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        
        PID:7012
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        
        PID:6924
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7200
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7288
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7456
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7552
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7752
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7924
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:8040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:8132
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        
        PID:7640
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:8064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:8212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:8356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:8520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:8664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:8888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:9000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:9148
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        
        PID:9024
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:7716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:9336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:9468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:9648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:9904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:10036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:10144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:9792
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        8⤵
        
        PID:9092
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:10284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:10592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:10752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:10936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:11156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:10336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:11204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:11500
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        9⤵
        
        PID:11580
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        
        PID:11612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:11996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:12176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:11384
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Loads dropped DLL
    PID:6796
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:7156
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:6148
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:6308
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:6540
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:6620
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:6692
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:7144
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:6044
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5688
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Adds Run key to start application
      PID:7084
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:7216
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:7300
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:7464
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:7580
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:7768
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:7932
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:8048
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5736
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        
        PID:8140
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        
        PID:6676
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7176
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:8260
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:8372
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:8532
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:8704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:8912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:9016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:9200
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        
        PID:8588
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        
        PID:8696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:9288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:9436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:9608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:9840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:9980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:10100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:9732
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        
        PID:8688
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        
        PID:10276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:10616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:10760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:10944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:11184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:10396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:10800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:9740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:11476
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        8⤵
        
        PID:11592
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        
        PID:11632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:11988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:12168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:11392
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:6236
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:6828
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:7272
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:7424
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:7512
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:7724
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:7888
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:8016
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:8104
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      PID:5636
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      PID:7600
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:7436
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5772
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:8348
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:8504
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:8648
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:8864
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:8984
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:9132
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        
        PID:5340
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:8304
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:9224
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:9364
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:9496
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:9700
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:9928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:10064
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:10192
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:9180
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        
        PID:10376
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:10436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:10712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:10888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:11064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:7072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:10896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:10904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:11532
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        
        PID:11680
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        
        PID:11740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:12048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:12228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:11408
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Adds Run key to start application
    PID:8188
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3508
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:6236
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:8308
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:8408
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:8572
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:8764
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:8932
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:9036
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      PID:9080
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      PID:9088
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:936
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6676
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:9280
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:9428
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:9596
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:9816
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:9972
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:10092
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        
        PID:10224
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:8240
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:9864
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:10480
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:10652
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:10832
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:11008
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:712
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7632
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:9376
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        
        PID:11228
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        
        PID:9096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:11424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:11808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:12104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:8240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:10456
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:9180
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:7956
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:8772
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:9312
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:9452
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:9632
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:9868
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:10008
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:10152
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      PID:10212
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      PID:8456
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:8820
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:10496
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:10704
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:10880
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:11044
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:10268
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:10272
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:9268
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        
        PID:11232
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        
        PID:11292
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:11436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:11816
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:12096
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:9576
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:10288
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    PID:8560
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:8564
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:10584
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:10728
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:10908
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:11096
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:8696
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:10532
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:10980
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      PID:11328
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      PID:11368
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:11556
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:12032
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:12204
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:9184
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    PID:9852
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:11416
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:11772
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:12088
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:8732
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:10476
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2916
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2216
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1452
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1648
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2696
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2684
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2748
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
  "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2796
- C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
  "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2876
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2812
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2740
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1600
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2792
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2780
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2596
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2668
- - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
    "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2560
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2580
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2428
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:632
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2364
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1476
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1440
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1204
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:588
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:320
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      Executes dropped EXE
      PID:880
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:1920
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1896
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1972
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2532
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2140
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3068
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2880
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1128
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2856
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:944
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1200
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2500
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1788
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2496
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1928
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        Executes dropped EXE
        
        PID:2012
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        9⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        10⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:6040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6404
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6368
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7308
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        12⤵
        
        PID:7340
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:7360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:7440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:7520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:7732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:7896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:7212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:7964
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        13⤵
        
        PID:8204
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:8240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:8332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:8432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:8592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:8784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:8960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:9052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:8896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:8836
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        14⤵
        
        PID:9236
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:9264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:9400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:9560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:9756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:9948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:9892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10696
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:10736
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        15⤵
        
        PID:10792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:10952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:11176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:8488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:10568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:9520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:11452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:11860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:12120
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        16⤵
        
        PID:12152
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        16⤵
        
        PID:12184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:12276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:11640

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:2184
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:275457 /prefetch:2
  2⤵
  PID:3332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:2236
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:2948
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2948 CREDAT:275457 /prefetch:2
  2⤵
  PID:3316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:2620
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
  2⤵
  PID:2052

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:1676
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:275457 /prefetch:2
  2⤵
  PID:3340

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:1900
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3108

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:2512
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2512 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3080

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:2940
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2940 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b01ccdc8174a329bcbd0cf98e097f146

SHA1
2260904f5aa321aea4cdb92ca26374165316cbef

SHA256
a6edf16f56b9ba72ded8cda94ba61f95b01bfd0208dc3517ca05e479fdd0b447

SHA512
a1e493839d5255ccb3dfc2ebc6aa0385cb244927649067f18582f86416b6465d6b0750594be6db4d3a492177accfcf79e35dc3597c1a17d34758bd983cb7939d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8b625610c19389d0211c83c8182c550

SHA1
835e84eca7a49f36d30ff57204dab20a3a23e286

SHA256
8bedc16d1a4fed360f49892521c7820932ebaa7d4f8d32e4bb10cc8ed56fb711

SHA512
9e3e5a2fc4ddd21a5d5dbc83383c3eb3fa074245c066f9b90e6b61c3f555e293ebd3c4676c0a7bffbfbe5e23cf86248355d43fb336116df4fdc4c355536d0311

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2906fc2ee44fa7ba902c7e387589252

SHA1
4bbc56c63e12c444d9e51a12760f9c071b90cb42

SHA256
5c99ef6e49d258c42def97c2b463741a10e9a9852a4a77da7f2cb67612b2748b

SHA512
34748d9aa8b848a0f3fe2c52c12a1e987c9caf2846b0fa1bd47da466ea41b37bbe493c809b0ee61a87663e9b22a8b27c3020130122fdb4ff0974b63e759c94e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3941e062fdba889532d14e9a472c7a9

SHA1
b827a1f073884479d58982d3d19e6186eaf64cd0

SHA256
c5c2b95b4cb44d9c6262f27d508ecee8043d19c365a4d248521b5c193e9a1c75

SHA512
f7c4748da64c5df5e3535347805af570dc55ecf1826b987861d231e867602069fc5b9168c4f6fbf9ff58b3e76e45db5eeda489715d33505ca6608e2e65f050a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b17a6dca3608ba27b95d7e8311bda924

SHA1
0395311df6722c4daaca4fb251c731de4873c08b

SHA256
7ca77954ddfba97dbf6c1858cf49bad0414042384541de5d98e6175c9e4683a0

SHA512
fbc65167a2b6681648c17a7cfc12f9544cfc9b9b9b3a834495c429f9f87a29b919036c7f47a1901e6c1e320157a16481dfd9d72d1ec1241c5649447339b5f985

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdad0f0efe1f17ca33ec6ce3aa356060

SHA1
112ef9a63feb5cc572a74764ed3a4b91af3425b0

SHA256
0366b5da6ae9fd73fe9f5f2450460c06be70cd65c309569ffb75497f37f662dc

SHA512
34aa569095fb7ce4b00d54c55ef6e458d22680b4ff8f920ee5032c8911b75cfb4661e4ddb559a01525ed9782ea2d6739bd9dcbde8329be10bbde69d88e202f59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a01bef4d5867dd9a91457c0a65ee0ee2

SHA1
c165fd24e7a4d597b763fcf88eba5156113272f4

SHA256
f81b658f16677dd6b02369d05e1f957543994e408a5150f907ebb894384f3d84

SHA512
bcc14529b300b2c3000f986eb6fd703faad09f1e83ddc0d8e2ef926ac85a0294ce288cc5aede5d97d012338fc809acb200feef89f3d9c459721eaa32b68b79a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99c496931851c632cfc88ef9019779d7

SHA1
d556a03bd614cad06d137ee6ad4b28a7a9b8393d

SHA256
bd12a6d99fc4188f29838e38c0a6544d4f2848ca96fb2eda75a41bb547b9d64a

SHA512
86d48610b7c0ba85a75b031837ca4cb0de9c706a7d288ea678d3455155a49f6bb63026e96308d7d93e0200ecd80486092b8e31749f96e009f6288f1f6d99a8a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f73761ce7ba4a7b16f0694f2ae5bf405

SHA1
d5c0786b9d83939b1fd72f0928fae887462f8ed5

SHA256
ee36b982a303805df63197303bc20c55f82b1dcd5398a9ea8249208457aa3e24

SHA512
0939b0bc45bd806b55e989c0f97efa11491f798ed37fb12ea456406125b97ff9e8d263c395e3f7f7b6adde98fd02b30413db0a424ca904d9448a7ba26898f029

Download Submit
C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe

Filesize
31KB

MD5
12f40c9480a2151a83d55eab28761a0a

SHA1
406e4b5d1a8a4acbfc74eb73fec603c108a1fc60

SHA256
525f26881b42841c0c647bb9d0d3f27725b247162c3c4ac4a79050e15c371ce8

SHA512
0b109ee26548e98b1875ff990c7a8484fa8bd9a26725e33297033ef54e68c1779f4b17826d2d9b1ec9f3f37ff858ba947b9114183f71f172aec160f4c34512ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe.exe

Filesize
4B

MD5
a2ce4c7b743725199da04033b5b57469

SHA1
1ae348eafa097ab898941eafe912d711a407da10

SHA256
0fff86057dcfb3975c8bc44459740ba5ffb43551931163538df3f39a6bb991bc

SHA512
23bd59f57b16cd496b550c1bba09eb3f9a9dfe764ea03470e3cc43e4d0b4ca415d239772e4a9b930749e88cead9a7ec4b0a77d0dd310e61d8c6521ae6ff278b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9DD8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9EB5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
67KB

MD5
6509b534a745133b64d524355a71b050

SHA1
d4ecd58a840be99ec5cd62a4e9e14d1fcf68ac6f

SHA256
d0ab150d4dbe72adc755f6157a8adf1065720ad6d36af5731eb99644f60305b6

SHA512
c4b7055db8a0e283f41c869170b2fcab5bb4dc190e049e357be8671bba00e8543f1fe99a6262413fb36d982ac9b842f45fe8f3d285e8346a5e999252d9eed4a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
cbb11f0bc57aad39ddecb0d9f68a33c8

SHA1
5dbfc596353ef5c750d28155c76d812875d6516e

SHA256
af30f8393b69a3eea003e0656cab29a353ff6432412d3ed17b2be408c1b76b36

SHA512
aa318534de60f0cae5f8e5d80c78499a47a082eb41514f4f8fa7fcef52412af106e9f88c5362616cb022538e1688b220343172199aa039b2de6e8dd8b1b45dcc

Download Submit
memory/560-121-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/928-102-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1000-93-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1000-130-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1164-104-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1164-141-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1636-57-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1636-78-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1656-56-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1656-37-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1780-79-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1780-111-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1920-69-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1920-47-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2284-122-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2284-149-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2332-39-0x0000000002AD0000-0x0000000002AF5000-memory.dmp

Filesize
148KB

Download
memory/2332-19-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2332-0-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2332-20-0x0000000002AD0000-0x0000000002AF5000-memory.dmp

Filesize
148KB

Download
memory/2420-87-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2580-31-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2580-46-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2592-146-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2648-156-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2664-29-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2796-22-0x00000000011D0000-0x00000000011E0000-memory.dmp

Filesize
64KB

Download
memory/3028-163-0x0000000000500000-0x0000000000525000-memory.dmp

Filesize
148KB

Download
memory/3028-96-0x0000000000500000-0x0000000000525000-memory.dmp

Filesize
148KB

Download
memory/3028-36-0x0000000000360000-0x0000000000385000-memory.dmp

Filesize
148KB

Download
memory/3028-759-0x0000000000500000-0x0000000000525000-memory.dmp

Filesize
148KB

Download
memory/3028-61-0x0000000000500000-0x0000000000525000-memory.dmp

Filesize
148KB

Download
memory/3028-6-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3028-195-0x0000000000500000-0x0000000000525000-memory.dmp

Filesize
148KB

Download
memory/3028-194-0x0000000000500000-0x0000000000525000-memory.dmp

Filesize
148KB

Download
memory/3028-4-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3028-634-0x0000000000500000-0x0000000000525000-memory.dmp

Filesize
148KB

Download
memory/3028-758-0x0000000000500000-0x0000000000525000-memory.dmp

Filesize
148KB

Download
memory/3028-91-0x0000000000500000-0x0000000000525000-memory.dmp

Filesize
148KB

Download
memory/3092-135-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3092-162-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3308-158-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3308-191-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3704-244-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3704-205-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3704-246-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3704-193-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3736-170-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3736-139-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3856-175-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3936-180-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4044-185-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4200-203-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4200-204-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4448-211-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4448-209-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4660-217-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4660-215-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4856-222-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4992-228-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5040-231-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5068-232-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5068-234-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5196-299-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5280-412-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5340-742-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5340-735-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5404-509-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5472-729-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5472-722-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5544-617-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5544-604-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5592-629-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5592-632-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5652-619-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5668-635-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5668-666-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5732-731-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5732-737-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6040-724-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6040-720-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6124-753-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6236-760-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6464-743-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6464-750-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6472-785-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6472-771-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6592-630-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6592-754-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6592-764-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6676-757-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6676-755-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6676-633-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6688-730-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6688-782-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6796-761-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6796-770-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6824-762-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6824-766-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads