xtremerat | d0ab150d4dbe72adc755f6157a8adf1065720ad6d36af5731eb99644f60305b6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6509b534a745133b64d524355a71b050.exe
Size

67KB
MD5

6509b534a745133b64d524355a71b050
SHA1

d4ecd58a840be99ec5cd62a4e9e14d1fcf68ac6f
SHA256

d0ab150d4dbe72adc755f6157a8adf1065720ad6d36af5731eb99644f60305b6
SHA512

c4b7055db8a0e283f41c869170b2fcab5bb4dc190e049e357be8671bba00e8543f1fe99a6262413fb36d982ac9b842f45fe8f3d285e8346a5e999252d9eed4a4
SSDEEP

1536:rBzvwXhupO/ijb7BT7/396+xuP3OL8U9vhc:rBvwcUifdT7/t6+xuP3c8Shc

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 64 IoCs

resource	yara_rule
behavioral2/memory/4820-4-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/4048-19-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/3504-35-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/3768-36-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/1524-52-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/3504-50-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/4644-62-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/3272-67-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/4356-75-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/1524-77-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/1556-85-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/1896-87-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/4700-97-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/3272-96-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/4380-109-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/4356-111-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/1556-121-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/2532-119-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/4700-133-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/4864-131-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/2380-141-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/2432-139-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/2812-143-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/4380-154-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/2532-169-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/4864-170-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/2432-171-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/2812-173-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/2812-176-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5544-175-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5632-179-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/940-181-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5708-184-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/2432-186-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/4864-188-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/2532-194-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5544-202-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/2520-200-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5632-208-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/216-214-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5708-216-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5548-220-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5740-219-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5560-217-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/4000-226-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5816-230-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5816-225-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5832-233-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5832-235-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/2520-240-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/6404-239-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/2108-245-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/216-246-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5560-252-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5548-251-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/6720-253-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/2108-255-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/216-260-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5548-266-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/4000-264-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5560-278-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/3564-274-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/7132-273-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat
behavioral2/memory/5652-272-0x0000000000C80000-0x0000000000CA5000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	JaffaCakes118_6509b534a745133b64d524355a71b050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	JaffaCakes118_6509b534a745133b64d524355a71b050.exe

Checks computer location settings 2 TTPs 48 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6509b534a745133b64d524355a71b050.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe

Executes dropped EXE 64 IoCs

pid	Process
116	119Auto Spammer.exe
3768	Server.exe
2252	119Auto Spammer.exe
3504	Server.exe
4644	Server.exe
2020	119Auto Spammer.exe
1524	Server.exe
2760	119Auto Spammer.exe
1896	Server.exe
3272	Server.exe
3648	119Auto Spammer.exe
4356	Server.exe
2512	119Auto Spammer.exe
1556	Server.exe
1308	119Auto Spammer.exe
4700	Server.exe
2380	Server.exe
4420	119Auto Spammer.exe
4380	Server.exe
1684	119Auto Spammer.exe
2532	Server.exe
3120	119Auto Spammer.exe
4864	Server.exe
1896	119Auto Spammer.exe
2432	Server.exe
2812	Server.exe
3628	119Auto Spammer.exe
940	Server.exe
5180	119Auto Spammer.exe
5340	119Auto Spammer.exe
5376	119Auto Spammer.exe
5400	119Auto Spammer.exe
5544	Server.exe
5580	119Auto Spammer.exe
5632	Server.exe
5708	Server.exe
5740	Server.exe
5816	Server.exe
5832	Server.exe
2052	119Auto Spammer.exe
2520	Server.exe
5024	119Auto Spammer.exe
2108	Server.exe
5968	119Auto Spammer.exe
216	Server.exe
4776	119Auto Spammer.exe
5560	Server.exe
5568	119Auto Spammer.exe
5548	Server.exe
4000	Server.exe
5772	119Auto Spammer.exe
5652	Server.exe
6372	119Auto Spammer.exe
6404	Server.exe
6552	Server.exe
6612	119Auto Spammer.exe
6720	Server.exe
6816	119Auto Spammer.exe
6912	119Auto Spammer.exe
6896	Server.exe
6988	Server.exe
7020	119Auto Spammer.exe
7124	119Auto Spammer.exe
7132	Server.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	JaffaCakes118_6509b534a745133b64d524355a71b050.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4048-0-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/4820-4-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/files/0x0007000000023c84-5.dat	upx
behavioral2/memory/4048-19-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/3504-35-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/3768-36-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/1524-52-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/3504-50-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/4644-62-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/1896-60-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/3272-67-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/4356-75-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/1524-77-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/1556-85-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/1896-87-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/4700-97-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/3272-96-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/4380-109-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/4356-111-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/1556-121-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/2532-119-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/4700-133-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/4864-131-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/2380-141-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/2432-139-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/2812-143-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/4380-154-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/2532-169-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/4864-170-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/2432-171-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/2812-173-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/2812-176-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5544-175-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5632-179-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/940-181-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5708-184-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/2432-186-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/4864-188-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/2532-194-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5544-202-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/2520-200-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5632-208-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/216-214-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5708-216-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5548-220-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5740-219-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5560-217-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/4000-226-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5816-230-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5816-225-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5832-233-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5832-235-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/2520-240-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/6404-239-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/2108-245-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/216-246-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5560-252-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5548-251-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/6720-253-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/2108-255-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/216-260-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5548-266-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/4000-264-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx
behavioral2/memory/5560-278-0x0000000000C80000-0x0000000000CA5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6509b534a745133b64d524355a71b050.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119Auto Spammer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe
116	119Auto Spammer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 4820	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	83
PID 4048 wrote to memory of 4820	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	83
PID 4048 wrote to memory of 4820	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	83
PID 4048 wrote to memory of 4820	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	83
PID 4048 wrote to memory of 4448	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	84
PID 4048 wrote to memory of 4448	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	84
PID 4048 wrote to memory of 4448	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	84
PID 4048 wrote to memory of 4256	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	85
PID 4048 wrote to memory of 4256	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	85
PID 4048 wrote to memory of 4256	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	85
PID 4048 wrote to memory of 964	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	86
PID 4048 wrote to memory of 964	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	86
PID 4048 wrote to memory of 964	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	86
PID 4048 wrote to memory of 2660	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	87
PID 4048 wrote to memory of 2660	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	87
PID 4048 wrote to memory of 2660	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	87
PID 4048 wrote to memory of 4368	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	89
PID 4048 wrote to memory of 4368	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	89
PID 4048 wrote to memory of 4368	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	89
PID 4048 wrote to memory of 4248	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	90
PID 4048 wrote to memory of 4248	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	90
PID 4048 wrote to memory of 4248	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	90
PID 4048 wrote to memory of 3480	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	91
PID 4048 wrote to memory of 3480	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	91
PID 4048 wrote to memory of 3480	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	91
PID 4048 wrote to memory of 1776	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	92
PID 4048 wrote to memory of 1776	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	92
PID 4048 wrote to memory of 116	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	93
PID 4048 wrote to memory of 116	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	93
PID 4048 wrote to memory of 116	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	93
PID 4048 wrote to memory of 3768	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	94
PID 4048 wrote to memory of 3768	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	94
PID 4048 wrote to memory of 3768	4048	JaffaCakes118_6509b534a745133b64d524355a71b050.exe	94
PID 3768 wrote to memory of 1356	3768	Server.exe	95
PID 3768 wrote to memory of 1356	3768	Server.exe	95
PID 3768 wrote to memory of 1356	3768	Server.exe	95
PID 3768 wrote to memory of 4816	3768	Server.exe	96
PID 3768 wrote to memory of 4816	3768	Server.exe	96
PID 3768 wrote to memory of 4816	3768	Server.exe	96
PID 3768 wrote to memory of 3756	3768	Server.exe	97
PID 3768 wrote to memory of 3756	3768	Server.exe	97
PID 3768 wrote to memory of 3756	3768	Server.exe	97
PID 3768 wrote to memory of 2032	3768	Server.exe	98
PID 3768 wrote to memory of 2032	3768	Server.exe	98
PID 3768 wrote to memory of 2032	3768	Server.exe	98
PID 3768 wrote to memory of 4136	3768	Server.exe	99
PID 3768 wrote to memory of 4136	3768	Server.exe	99
PID 3768 wrote to memory of 4136	3768	Server.exe	99
PID 3768 wrote to memory of 2096	3768	Server.exe	100
PID 3768 wrote to memory of 2096	3768	Server.exe	100
PID 3768 wrote to memory of 2096	3768	Server.exe	100
PID 3768 wrote to memory of 1984	3768	Server.exe	101
PID 3768 wrote to memory of 1984	3768	Server.exe	101
PID 3768 wrote to memory of 1984	3768	Server.exe	101
PID 3768 wrote to memory of 4916	3768	Server.exe	102
PID 3768 wrote to memory of 4916	3768	Server.exe	102
PID 3768 wrote to memory of 2252	3768	Server.exe	103
PID 3768 wrote to memory of 2252	3768	Server.exe	103
PID 3768 wrote to memory of 2252	3768	Server.exe	103
PID 3768 wrote to memory of 3504	3768	Server.exe	104
PID 3768 wrote to memory of 3504	3768	Server.exe	104
PID 3768 wrote to memory of 3504	3768	Server.exe	104
PID 3504 wrote to memory of 4980	3504	Server.exe	105
PID 3504 wrote to memory of 4980	3504	Server.exe	105

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6509b534a745133b64d524355a71b050.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6509b534a745133b64d524355a71b050.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4820
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      Executes dropped EXE
      PID:2760
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4596
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3168
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2948
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1684
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7064
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7796
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:8176
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:6668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:7912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:7916
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        11⤵
        
        PID:8496
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1308
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1668
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1796
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1412
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3120
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2480
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3184
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1076
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5208
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5340
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        Executes dropped EXE
        
        PID:5968
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6708
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6912
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7580
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        9⤵
        
        PID:7820
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:8036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:8580
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      Executes dropped EXE
      PID:1896
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4004
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5240
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        Executes dropped EXE
        
        PID:5376
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        
        PID:5708
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5784
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6004
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6088
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2968
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5520
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5260
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4776
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7124
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7700
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        8⤵
        
        PID:8108
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:7192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        9⤵
        
        PID:8572
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5400
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      PID:5544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4536
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2520
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1624
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4572
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6180
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6264
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6324
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6372
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:7072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        
        PID:6476
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        8⤵
        
        PID:7968
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        
        PID:8008
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2220
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      Executes dropped EXE
      PID:5568
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      PID:4000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6336
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6784
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7020
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:7132
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7296
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7564
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7860
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7356
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    PID:216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6620
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6816
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      PID:6896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:7008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6176
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:7288
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:7404
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7712
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:7772
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8168
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3564
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        
        PID:8664
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:6552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:7040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:7000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:216
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:7216
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Checks computer location settings
      Adds Run key to start application
      PID:7328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:7468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:7604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:7676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:7780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:7948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:8144
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4892
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8204
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        
        PID:8320
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:7320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:7460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:7596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:7684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:7788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:7972
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      PID:7988
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      PID:4928
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Adds Run key to start application
    PID:7840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:8016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:7056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:7080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6812
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:8476
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    PID:7804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
  "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:116
- C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
  "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4916
- - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
    "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2252
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
      "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
      4⤵
      Executes dropped EXE
      PID:2020
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3908
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4976
    - - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        5⤵
        Executes dropped EXE
        
        PID:3648
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4356
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3868
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1592
      - C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        7⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        10⤵
        Executes dropped EXE
        
        PID:6612
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:6840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:7048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:6348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:6568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:7304
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        11⤵
        
        PID:7480
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:7516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:8504
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        12⤵
        
        PID:8588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe

Filesize
31KB

MD5
12f40c9480a2151a83d55eab28761a0a

SHA1
406e4b5d1a8a4acbfc74eb73fec603c108a1fc60

SHA256
525f26881b42841c0c647bb9d0d3f27725b247162c3c4ac4a79050e15c371ce8

SHA512
0b109ee26548e98b1875ff990c7a8484fa8bd9a26725e33297033ef54e68c1779f4b17826d2d9b1ec9f3f37ff858ba947b9114183f71f172aec160f4c34512ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\119Auto Spammer.exe.exe

Filesize
4B

MD5
a2ce4c7b743725199da04033b5b57469

SHA1
1ae348eafa097ab898941eafe912d711a407da10

SHA256
0fff86057dcfb3975c8bc44459740ba5ffb43551931163538df3f39a6bb991bc

SHA512
23bd59f57b16cd496b550c1bba09eb3f9a9dfe764ea03470e3cc43e4d0b4ca415d239772e4a9b930749e88cead9a7ec4b0a77d0dd310e61d8c6521ae6ff278b0

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
67KB

MD5
6509b534a745133b64d524355a71b050

SHA1
d4ecd58a840be99ec5cd62a4e9e14d1fcf68ac6f

SHA256
d0ab150d4dbe72adc755f6157a8adf1065720ad6d36af5731eb99644f60305b6

SHA512
c4b7055db8a0e283f41c869170b2fcab5bb4dc190e049e357be8671bba00e8543f1fe99a6262413fb36d982ac9b842f45fe8f3d285e8346a5e999252d9eed4a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
cbb11f0bc57aad39ddecb0d9f68a33c8

SHA1
5dbfc596353ef5c750d28155c76d812875d6516e

SHA256
af30f8393b69a3eea003e0656cab29a353ff6432412d3ed17b2be408c1b76b36

SHA512
aa318534de60f0cae5f8e5d80c78499a47a082eb41514f4f8fa7fcef52412af106e9f88c5362616cb022538e1688b220343172199aa039b2de6e8dd8b1b45dcc

Download Submit
memory/116-22-0x0000000004E50000-0x0000000004EEC000-memory.dmp

Filesize
624KB

Download
memory/116-44-0x00000000732CE000-0x00000000732CF000-memory.dmp

Filesize
4KB

Download
memory/116-21-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/116-51-0x00000000732C0000-0x0000000073A70000-memory.dmp

Filesize
7.7MB

Download
memory/116-20-0x00000000732CE000-0x00000000732CF000-memory.dmp

Filesize
4KB

Download
memory/116-26-0x00000000054A0000-0x0000000005A44000-memory.dmp

Filesize
5.6MB

Download
memory/116-27-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/116-28-0x0000000004E10000-0x0000000004E1A000-memory.dmp

Filesize
40KB

Download
memory/116-29-0x00000000732C0000-0x0000000073A70000-memory.dmp

Filesize
7.7MB

Download
memory/116-30-0x0000000005140000-0x0000000005196000-memory.dmp

Filesize
344KB

Download
memory/216-214-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/216-246-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/216-260-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/940-181-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1524-77-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1524-52-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1556-85-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1556-121-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1896-60-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/1896-87-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2108-255-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2108-245-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2380-141-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2432-186-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2432-171-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2432-139-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2520-200-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2520-240-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2532-169-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2532-119-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2532-194-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2812-176-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2812-143-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/2812-173-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3272-67-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3272-96-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3504-50-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3504-35-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3564-274-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3564-314-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3564-339-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/3768-36-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4000-226-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4000-271-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4000-264-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4048-0-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4048-19-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4356-111-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4356-75-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4380-109-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4380-154-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4644-62-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4700-133-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4700-97-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4820-4-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4840-337-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4864-170-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4864-188-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/4864-131-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5544-202-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5544-175-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5548-251-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5548-220-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5548-266-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5560-217-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5560-278-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5560-252-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5632-179-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5632-208-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5652-283-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5652-272-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5708-184-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5708-216-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5740-219-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5804-327-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5816-230-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5816-225-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5832-235-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/5832-233-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6404-281-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6404-239-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6404-292-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6552-297-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6552-290-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6668-336-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6716-341-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6716-322-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6720-307-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6720-299-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6720-253-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6896-316-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6896-303-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6988-305-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6988-329-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/6988-263-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/7132-312-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/7132-326-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/7132-273-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/7192-335-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/7328-298-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/7516-304-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/7840-317-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/7956-323-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/8008-382-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download
memory/8588-399-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads