xtremerat | 0104ec1f1abdddfb62e1abeb0beada57b1b46bbcc712723d42e231732e366269

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
Size

88KB
MD5

071f397a055b3c9fbd59de1e5520670b
SHA1

09affce67ff7613d87c1b373ec7ff5402048141a
SHA256

0104ec1f1abdddfb62e1abeb0beada57b1b46bbcc712723d42e231732e366269
SHA512

a0d6b832106310090069a736fca1103d2cd4399be6c0ae046130300b75bb7128684b5f04a31f0b65ee726a696dd673f32776f5ca5165f0ab09918864e5817e47
SSDEEP

1536:dK9nQUbYuMezqoqs5c+PMwnaaD8aOxcrPdoK+1IK:CQUbYvoqs5c+PMwaELndor

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/2544-11-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2544-10-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2544-22-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2196-48-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2656-63-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2656-74-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\XtnatDir\\Server.exe restart"	Server.exe

Executes dropped EXE 62 IoCs

pid	Process
2800	Server.exe
2196	Server.exe
2624	Server.exe
2656	Server.exe
2920	Server.exe
3048	Server.exe
2644	Server.exe
536	Server.exe
264	Server.exe
1636	Server.exe
1944	Server.exe
2180	Server.exe
2352	Server.exe
1960	Server.exe
2804	Server.exe
1904	Server.exe
1224	Server.exe
2020	Server.exe
3024	Server.exe
3048	Server.exe
108	Server.exe
1720	Server.exe
1908	Server.exe
2476	Server.exe
2752	Server.exe
2884	Server.exe
2788	Server.exe
2656	Server.exe
2356	Server.exe
1600	Server.exe
2468	Server.exe
1088	Server.exe
2872	Server.exe
1224	Server.exe
2324	Server.exe
2656	Server.exe
2468	Server.exe
1944	Server.exe
1872	Server.exe
3052	Server.exe
2476	Server.exe
2296	Server.exe
1756	Server.exe
3064	Server.exe
1644	Server.exe
3052	Server.exe
2296	Server.exe
3088	Server.exe
3248	Server.exe
3280	Server.exe
3440	Server.exe
3468	Server.exe
3624	Server.exe
3656	Server.exe
3808	Server.exe
3836	Server.exe
3992	Server.exe
4024	Server.exe
3128	Server.exe
3208	Server.exe
3452	Server.exe
3492	Server.exe

Loads dropped DLL 49 IoCs

pid	Process
2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
2800	Server.exe
2196	Server.exe
2196	Server.exe
2656	Server.exe
2656	Server.exe
3048	Server.exe
536	Server.exe
536	Server.exe
1636	Server.exe
2180	Server.exe
2180	Server.exe
1960	Server.exe
1904	Server.exe
1904	Server.exe
2020	Server.exe
3048	Server.exe
3048	Server.exe
1720	Server.exe
2476	Server.exe
2476	Server.exe
2884	Server.exe
2656	Server.exe
2656	Server.exe
1600	Server.exe
1088	Server.exe
1088	Server.exe
1224	Server.exe
2656	Server.exe
2656	Server.exe
1944	Server.exe
3052	Server.exe
3052	Server.exe
2296	Server.exe
3064	Server.exe
3064	Server.exe
3052	Server.exe
3088	Server.exe
3088	Server.exe
3280	Server.exe
3468	Server.exe
3468	Server.exe
3656	Server.exe
3836	Server.exe
3836	Server.exe
4024	Server.exe
3208	Server.exe
3208	Server.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\XtnatDir\\Server.exe"	Server.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\XtnatDir\Server.exe	Server.exe

Suspicious use of SetThreadContext 32 IoCs

description	pid	Process	procid_target
PID 304 set thread context of 2544	304	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	31
PID 2800 set thread context of 2196	2800	Server.exe	41
PID 2624 set thread context of 2656	2624	Server.exe	51
PID 2920 set thread context of 3048	2920	Server.exe	61
PID 2644 set thread context of 536	2644	Server.exe	71
PID 264 set thread context of 1636	264	Server.exe	81
PID 1944 set thread context of 2180	1944	Server.exe	91
PID 2352 set thread context of 1960	2352	Server.exe	101
PID 2804 set thread context of 1904	2804	Server.exe	111
PID 1224 set thread context of 2020	1224	Server.exe	121
PID 3024 set thread context of 3048	3024	Server.exe	131
PID 108 set thread context of 1720	108	Server.exe	141
PID 1908 set thread context of 2476	1908	Server.exe	151
PID 2752 set thread context of 2884	2752	Server.exe	161
PID 2788 set thread context of 2656	2788	Server.exe	171
PID 2356 set thread context of 1600	2356	Server.exe	181
PID 2468 set thread context of 1088	2468	Server.exe	191
PID 2872 set thread context of 1224	2872	Server.exe	201
PID 2324 set thread context of 2656	2324	Server.exe	211
PID 2468 set thread context of 1944	2468	Server.exe	221
PID 1872 set thread context of 3052	1872	Server.exe	231
PID 2476 set thread context of 2296	2476	Server.exe	241
PID 1756 set thread context of 3064	1756	Server.exe	251
PID 1644 set thread context of 3052	1644	Server.exe	261
PID 2296 set thread context of 3088	2296	Server.exe	271
PID 3248 set thread context of 3280	3248	Server.exe	281
PID 3440 set thread context of 3468	3440	Server.exe	291
PID 3624 set thread context of 3656	3624	Server.exe	301
PID 3808 set thread context of 3836	3808	Server.exe	311
PID 3992 set thread context of 4024	3992	Server.exe	321
PID 3128 set thread context of 3208	3128	Server.exe	331
PID 3452 set thread context of 3492	3452	Server.exe	341

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2544-7-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2544-11-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2544-10-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2544-9-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2544-4-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2544-3-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2544-22-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2196-38-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2196-48-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2656-63-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2656-74-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
304	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
2800	Server.exe
2624	Server.exe
2920	Server.exe
2644	Server.exe
264	Server.exe
1944	Server.exe
2352	Server.exe
2804	Server.exe
1224	Server.exe
3024	Server.exe
108	Server.exe
1908	Server.exe
2752	Server.exe
2788	Server.exe
2356	Server.exe
2468	Server.exe
2872	Server.exe
2324	Server.exe
2468	Server.exe
1872	Server.exe
2476	Server.exe
1756	Server.exe
1644	Server.exe
2296	Server.exe
3248	Server.exe
3440	Server.exe
3624	Server.exe
3808	Server.exe
3992	Server.exe
3128	Server.exe
3452	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 304 wrote to memory of 2544	304	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	31
PID 304 wrote to memory of 2544	304	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	31
PID 304 wrote to memory of 2544	304	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	31
PID 304 wrote to memory of 2544	304	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	31
PID 304 wrote to memory of 2544	304	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	31
PID 304 wrote to memory of 2544	304	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	31
PID 304 wrote to memory of 2544	304	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	31
PID 304 wrote to memory of 2544	304	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	31
PID 2544 wrote to memory of 2436	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	32
PID 2544 wrote to memory of 2436	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	32
PID 2544 wrote to memory of 2436	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	32
PID 2544 wrote to memory of 2436	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	32
PID 2544 wrote to memory of 2436	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	32
PID 2544 wrote to memory of 2052	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	33
PID 2544 wrote to memory of 2052	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	33
PID 2544 wrote to memory of 2052	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	33
PID 2544 wrote to memory of 2052	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	33
PID 2544 wrote to memory of 2052	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	33
PID 2544 wrote to memory of 2796	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	34
PID 2544 wrote to memory of 2796	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	34
PID 2544 wrote to memory of 2796	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	34
PID 2544 wrote to memory of 2796	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	34
PID 2544 wrote to memory of 2796	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	34
PID 2544 wrote to memory of 2188	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	35
PID 2544 wrote to memory of 2188	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	35
PID 2544 wrote to memory of 2188	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	35
PID 2544 wrote to memory of 2188	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	35
PID 2544 wrote to memory of 2188	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	35
PID 2544 wrote to memory of 1964	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	36
PID 2544 wrote to memory of 1964	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	36
PID 2544 wrote to memory of 1964	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	36
PID 2544 wrote to memory of 1964	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	36
PID 2544 wrote to memory of 1964	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	36
PID 2544 wrote to memory of 2260	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	37
PID 2544 wrote to memory of 2260	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	37
PID 2544 wrote to memory of 2260	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	37
PID 2544 wrote to memory of 2260	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	37
PID 2544 wrote to memory of 2260	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	37
PID 2544 wrote to memory of 2456	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	38
PID 2544 wrote to memory of 2456	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	38
PID 2544 wrote to memory of 2456	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	38
PID 2544 wrote to memory of 2456	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	38
PID 2544 wrote to memory of 2456	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	38
PID 2544 wrote to memory of 2748	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	39
PID 2544 wrote to memory of 2748	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	39
PID 2544 wrote to memory of 2748	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	39
PID 2544 wrote to memory of 2748	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	39
PID 2544 wrote to memory of 2800	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	40
PID 2544 wrote to memory of 2800	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	40
PID 2544 wrote to memory of 2800	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	40
PID 2544 wrote to memory of 2800	2544	JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe	40
PID 2800 wrote to memory of 2196	2800	Server.exe	41
PID 2800 wrote to memory of 2196	2800	Server.exe	41
PID 2800 wrote to memory of 2196	2800	Server.exe	41
PID 2800 wrote to memory of 2196	2800	Server.exe	41
PID 2800 wrote to memory of 2196	2800	Server.exe	41
PID 2800 wrote to memory of 2196	2800	Server.exe	41
PID 2800 wrote to memory of 2196	2800	Server.exe	41
PID 2800 wrote to memory of 2196	2800	Server.exe	41
PID 2196 wrote to memory of 3000	2196	Server.exe	42
PID 2196 wrote to memory of 3000	2196	Server.exe	42
PID 2196 wrote to memory of 3000	2196	Server.exe	42
PID 2196 wrote to memory of 3000	2196	Server.exe	42
PID 2196 wrote to memory of 3000	2196	Server.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:304
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_071f397a055b3c9fbd59de1e5520670b.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2436
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2052
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2796
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2188
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1964
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2260
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2456
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\XtnatDir\Server.exe
    "C:\Windows\system32\XtnatDir\Server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\XtnatDir\Server.exe
      C:\Windows\SysWOW64\XtnatDir\Server.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3000
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2012
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2168
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2744
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2780
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2500
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2720
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2608
    - - C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2624
      - C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:592
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:264
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        18⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        20⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:3040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        22⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:536
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:108
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        24⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        26⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:1552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:1784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:1884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:328
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        28⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:1488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:1560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:1596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        30⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:3068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:3012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:3008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        32⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:2572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:2148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:2136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        34⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:1580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2872
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        36⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:1244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:1204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        38⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:1528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:1052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        40⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        42⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:1332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:1968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:880
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        44⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:1092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:3048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:1352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:2096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:1872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:1076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        46⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:2904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:1700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:2960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:1356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:1952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:1920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:3036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        48⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:2824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:2240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        50⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3248
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        52⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3440
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        54⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3624
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        56⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3808
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        58⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3992
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        60⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:4088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:2332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:2732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:2620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:3080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:3104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:3108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3128
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\XtnatDir\Server.exe
        62⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        "C:\Windows\system32\XtnatDir\Server.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3452
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        
        C:\Windows\SysWOW64\XtnatDir\Server.exe
        64⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        65⤵
        
        PID:3540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        65⤵
        
        PID:3616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        65⤵
        
        PID:3632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        65⤵
        
        PID:3640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        65⤵
        
        PID:3652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        65⤵
        
        PID:3668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        65⤵
        
        PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UH-&P59S.cfg

Filesize
1KB

MD5
4a9353c513a44618e1659b00597d42e2

SHA1
f3e724214a1b70735ca5e43fc970834a2d502588

SHA256
e300a1f174ba16c66ff30705a42193d2ea749757ddc64ce0bb26df764f2990aa

SHA512
6d5bd53500919aaf9d7151b9a24a8d2571ab9e5aca6671f092ef4642a0c6cc0efd4c5f80731c722cd0c53244d66eea0f59fdf6324cdc4ac43f0e9b50f10e9fa1

Download Submit
\Windows\SysWOW64\XtnatDir\Server.exe

Filesize
88KB

MD5
071f397a055b3c9fbd59de1e5520670b

SHA1
09affce67ff7613d87c1b373ec7ff5402048141a

SHA256
0104ec1f1abdddfb62e1abeb0beada57b1b46bbcc712723d42e231732e366269

SHA512
a0d6b832106310090069a736fca1103d2cd4399be6c0ae046130300b75bb7128684b5f04a31f0b65ee726a696dd673f32776f5ca5165f0ab09918864e5817e47

Download Submit
memory/2196-48-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2196-38-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2544-4-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2544-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-2-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2544-3-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2544-9-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2544-22-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2544-10-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2544-11-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2544-7-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2656-63-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2656-74-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads