xtremerat | 4a3fe586b3806381665e4f400b937f68449583b8fc1c84cb68c5c1b59d29ce98

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/01/2025, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe
Size

74KB
MD5

3ac9c8a6b9ed672c4d024029d19ed9a8
SHA1

a2ab5d7330a8ab85dbdcffaa2d5bb2d42e8a729d
SHA256

4a3fe586b3806381665e4f400b937f68449583b8fc1c84cb68c5c1b59d29ce98
SHA512

06b484752ff69238976e21f489a7345820a304da2b5c94ca0c6773bc538812c4dc5f1ac09f10398270cc842f9c6618ad587b7553a0f9d86e0aceafb99ed17f38
SSDEEP

1536:mu3qrvUXdZEPSRdjDeUjiOb6boUtlEtIVK27juFqG0Tyi8KP41ARVodM:mu3q4CYdveO76boUtlEyH1RVv

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

fifiwawa.zapto.org

Signatures

Detect XtremeRAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/2836-18-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2836-28-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1912-35-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2836-38-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G55H17M8-3217-YI1H-E65Q-N1HYO38SL0R7}	Server.exe

Executes dropped EXE 64 IoCs

pid	Process
752	Server.exe
2736	Server.exe
2944	Server.exe
1512	Server.exe
1660	Server.exe
1780	Server.exe
2796	Server.exe
2984	Server.exe
1532	Server.exe
2040	Server.exe
748	Server.exe
2864	Server.exe
2168	Server.exe
2384	Server.exe
2684	Server.exe
2660	Server.exe
752	Server.exe
2528	Server.exe
1812	Server.exe
2548	Server.exe
1560	Server.exe
1780	Server.exe
2456	Server.exe
1476	Server.exe
2392	Server.exe
560	Server.exe
2328	Server.exe
2452	Server.exe
480	Server.exe
1152	Server.exe
2640	Server.exe
1512	Server.exe
2308	Server.exe
2756	Server.exe
1108	Server.exe
1268	Server.exe
980	Server.exe
1620	Server.exe
1560	Server.exe
1968	Server.exe
280	Server.exe
1604	Server.exe
2864	Server.exe
1668	Server.exe
288	Server.exe
1568	Server.exe
2672	Server.exe
980	Server.exe
2132	Server.exe
2864	Server.exe
1960	Server.exe
2880	Server.exe
2656	Server.exe
2124	Server.exe
3140	Server.exe
3296	Server.exe
3512	Server.exe
3524	Server.exe
3560	Server.exe
3624	Server.exe
3652	Server.exe
3744	Server.exe
3884	Server.exe
4052	Server.exe

Loads dropped DLL 31 IoCs

pid	Process
2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe
1912	svchost.exe
2736	Server.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1560	Server.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
4100	Server.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe"	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Server.exe"	Server.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	Server.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 2836	2912	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	28
PID 752 set thread context of 2736	752	Server.exe	39
PID 2944 set thread context of 1660	2944	Server.exe	52
PID 1512 set thread context of 1780	1512	Server.exe	56
PID 2796 set thread context of 1532	2796	Server.exe	70
PID 2984 set thread context of 748	2984	Server.exe	77
PID 2040 set thread context of 2168	2040	Server.exe	84
PID 2864 set thread context of 2384	2864	Server.exe	92
PID 2684 set thread context of 2528	2684	Server.exe	108
PID 2660 set thread context of 1812	2660	Server.exe	113
PID 752 set thread context of 1560	752	Server.exe	117
PID 2548 set thread context of 1780	2548	Server.exe	124
PID 2456 set thread context of 560	2456	Server.exe	143
PID 1476 set thread context of 2328	1476	Server.exe	148
PID 2392 set thread context of 480	2392	Server.exe	152
PID 2452 set thread context of 2640	2452	Server.exe	160
PID 1152 set thread context of 1512	1152	Server.exe	169
PID 2308 set thread context of 1268	2308	Server.exe	187
PID 2756 set thread context of 1620	2756	Server.exe	190
PID 1108 set thread context of 1560	1108	Server.exe	194
PID 980 set thread context of 1968	980	Server.exe	196
PID 280 set thread context of 1668	280	Server.exe	220
PID 1604 set thread context of 1568	1604	Server.exe	223
PID 2864 set thread context of 2672	2864	Server.exe	229
PID 288 set thread context of 980	288	Server.exe	231
PID 2132 set thread context of 2864	2132	Server.exe	242
PID 1960 set thread context of 2124	1960	Server.exe	258
PID 2880 set thread context of 3140	2880	Server.exe	260
PID 2656 set thread context of 3296	2656	Server.exe	266
PID 3512 set thread context of 3652	3512	Server.exe	289
PID 3524 set thread context of 3744	3524	Server.exe	290
PID 3560 set thread context of 3884	3560	Server.exe	293
PID 3624 set thread context of 4052	3624	Server.exe	301
PID 3148 set thread context of 3348	3148	Server.exe	321
PID 1316 set thread context of 3700	1316	Server.exe	328
PID 3316 set thread context of 3812	3316	Server.exe	330
PID 3664 set thread context of 4060	3664	Server.exe	340
PID 3948 set thread context of 3352	3948	Server.exe	352
PID 3984 set thread context of 3836	3984	Server.exe	366
PID 3760 set thread context of 1712	3760	Server.exe	373
PID 3808 set thread context of 1340	3808	Server.exe	376
PID 3636 set thread context of 3888	3636	Server.exe	382
PID 3228 set thread context of 3348	3228	Server.exe	384
PID 2788 set thread context of 3360	2788	Server.exe	408
PID 3964 set thread context of 3300	3964	Server.exe	411
PID 3636 set thread context of 3160	3636	Server.exe	417
PID 3236 set thread context of 3964	3236	Server.exe	419
PID 2656 set thread context of 1712	2656	Server.exe	437
PID 4064 set thread context of 4336	4064	Server.exe	448
PID 4256 set thread context of 4488	4256	Server.exe	453
PID 4304 set thread context of 4600	4304	Server.exe	455
PID 4456 set thread context of 4760	4456	Server.exe	462
PID 4956 set thread context of 4116	4956	Server.exe	487
PID 5040 set thread context of 4332	5040	Server.exe	494
PID 5068 set thread context of 4428	5068	Server.exe	495
PID 3372 set thread context of 4612	3372	Server.exe	498
PID 2124 set thread context of 4812	2124	Server.exe	504
PID 5112 set thread context of 4760	5112	Server.exe	522
PID 3384 set thread context of 4404	3384	Server.exe	523
PID 4956 set thread context of 4100	4956	Server.exe	530
PID 4632 set thread context of 4616	4632	Server.exe	535
PID 4868 set thread context of 4184	4868	Server.exe	541
PID 4680 set thread context of 3228	4680	Server.exe	559
PID 4836 set thread context of 4140	4836	Server.exe	565

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2836-18-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2836-17-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2836-14-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2836-28-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1912-35-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2836-38-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe
Token: SeDebugPrivilege	752	Server.exe
Token: SeDebugPrivilege	2944	Server.exe
Token: SeDebugPrivilege	1512	Server.exe
Token: SeDebugPrivilege	2796	Server.exe
Token: SeDebugPrivilege	2984	Server.exe
Token: SeDebugPrivilege	2040	Server.exe
Token: SeDebugPrivilege	2864	Server.exe
Token: SeDebugPrivilege	2684	Server.exe
Token: SeDebugPrivilege	2660	Server.exe
Token: SeDebugPrivilege	752	Server.exe
Token: SeDebugPrivilege	2548	Server.exe
Token: SeDebugPrivilege	2456	Server.exe
Token: SeDebugPrivilege	1476	Server.exe
Token: SeDebugPrivilege	2392	Server.exe
Token: SeDebugPrivilege	2452	Server.exe
Token: SeDebugPrivilege	1152	Server.exe
Token: SeDebugPrivilege	2308	Server.exe
Token: SeDebugPrivilege	2756	Server.exe
Token: SeDebugPrivilege	1108	Server.exe
Token: SeDebugPrivilege	980	Server.exe
Token: SeDebugPrivilege	280	Server.exe
Token: SeDebugPrivilege	1604	Server.exe
Token: SeDebugPrivilege	2864	Server.exe
Token: SeDebugPrivilege	288	Server.exe
Token: SeDebugPrivilege	2132	Server.exe
Token: SeDebugPrivilege	1960	Server.exe
Token: SeDebugPrivilege	2880	Server.exe
Token: SeDebugPrivilege	2656	Server.exe
Token: SeDebugPrivilege	3512	Server.exe
Token: SeDebugPrivilege	3524	Server.exe
Token: SeDebugPrivilege	3560	Server.exe
Token: SeDebugPrivilege	3624	Server.exe
Token: SeDebugPrivilege	3148	Server.exe
Token: SeDebugPrivilege	1316	Server.exe
Token: SeDebugPrivilege	3316	Server.exe
Token: SeDebugPrivilege	3664	Server.exe
Token: SeDebugPrivilege	3948	Server.exe
Token: SeDebugPrivilege	3984	Server.exe
Token: SeDebugPrivilege	3760	Server.exe
Token: SeDebugPrivilege	3808	Server.exe
Token: SeDebugPrivilege	3636	Server.exe
Token: SeDebugPrivilege	3228	Server.exe
Token: SeDebugPrivilege	2788	Server.exe
Token: SeDebugPrivilege	3964	Server.exe
Token: SeDebugPrivilege	3636	Server.exe
Token: SeDebugPrivilege	3236	Server.exe
Token: SeDebugPrivilege	2656	Server.exe
Token: SeDebugPrivilege	4064	Server.exe
Token: SeDebugPrivilege	4256	Server.exe
Token: SeDebugPrivilege	4304	Server.exe
Token: SeDebugPrivilege	4456	Server.exe
Token: SeDebugPrivilege	4956	Server.exe
Token: SeDebugPrivilege	5040	Server.exe
Token: SeDebugPrivilege	5068	Server.exe
Token: SeDebugPrivilege	3372	Server.exe
Token: SeDebugPrivilege	2124	Server.exe
Token: SeDebugPrivilege	5112	Server.exe
Token: SeDebugPrivilege	3384	Server.exe
Token: SeDebugPrivilege	4956	Server.exe
Token: SeDebugPrivilege	4632	Server.exe
Token: SeDebugPrivilege	4868	Server.exe
Token: SeDebugPrivilege	4680	Server.exe
Token: SeDebugPrivilege	4836	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2836	2912	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	28
PID 2912 wrote to memory of 2836	2912	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	28
PID 2912 wrote to memory of 2836	2912	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	28
PID 2912 wrote to memory of 2836	2912	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	28
PID 2912 wrote to memory of 2836	2912	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	28
PID 2912 wrote to memory of 2836	2912	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	28
PID 2836 wrote to memory of 1912	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	29
PID 2836 wrote to memory of 1912	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	29
PID 2836 wrote to memory of 1912	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	29
PID 2836 wrote to memory of 1912	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	29
PID 2836 wrote to memory of 1912	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	29
PID 2836 wrote to memory of 2416	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	30
PID 2836 wrote to memory of 2416	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	30
PID 2836 wrote to memory of 2416	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	30
PID 2836 wrote to memory of 2416	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	30
PID 2836 wrote to memory of 2416	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	30
PID 2836 wrote to memory of 2044	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	31
PID 2836 wrote to memory of 2044	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	31
PID 2836 wrote to memory of 2044	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	31
PID 2836 wrote to memory of 2044	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	31
PID 2836 wrote to memory of 2044	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	31
PID 2836 wrote to memory of 2288	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	32
PID 2836 wrote to memory of 2288	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	32
PID 2836 wrote to memory of 2288	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	32
PID 2836 wrote to memory of 2288	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	32
PID 2836 wrote to memory of 2288	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	32
PID 2836 wrote to memory of 2232	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	33
PID 2836 wrote to memory of 2232	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	33
PID 2836 wrote to memory of 2232	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	33
PID 2836 wrote to memory of 2232	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	33
PID 2836 wrote to memory of 2232	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	33
PID 2836 wrote to memory of 2292	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	34
PID 2836 wrote to memory of 2292	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	34
PID 2836 wrote to memory of 2292	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	34
PID 2836 wrote to memory of 2292	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	34
PID 2836 wrote to memory of 2292	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	34
PID 2836 wrote to memory of 3056	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	35
PID 2836 wrote to memory of 3056	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	35
PID 2836 wrote to memory of 3056	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	35
PID 2836 wrote to memory of 3056	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	35
PID 2836 wrote to memory of 3056	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	35
PID 2836 wrote to memory of 2268	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	36
PID 2836 wrote to memory of 2268	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	36
PID 2836 wrote to memory of 2268	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	36
PID 2836 wrote to memory of 2268	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	36
PID 2836 wrote to memory of 2268	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	36
PID 2836 wrote to memory of 2128	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	37
PID 2836 wrote to memory of 2128	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	37
PID 2836 wrote to memory of 2128	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	37
PID 2836 wrote to memory of 2128	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	37
PID 2836 wrote to memory of 752	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	38
PID 2836 wrote to memory of 752	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	38
PID 2836 wrote to memory of 752	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	38
PID 2836 wrote to memory of 752	2836	JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe	38
PID 752 wrote to memory of 2736	752	Server.exe	39
PID 752 wrote to memory of 2736	752	Server.exe	39
PID 752 wrote to memory of 2736	752	Server.exe	39
PID 752 wrote to memory of 2736	752	Server.exe	39
PID 752 wrote to memory of 2736	752	Server.exe	39
PID 752 wrote to memory of 2736	752	Server.exe	39
PID 2736 wrote to memory of 2504	2736	Server.exe	40
PID 2736 wrote to memory of 2504	2736	Server.exe	40
PID 2736 wrote to memory of 2504	2736	Server.exe	40
PID 2736 wrote to memory of 2504	2736	Server.exe	40

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ac9c8a6b9ed672c4d024029d19ed9a8.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Loads dropped DLL
    PID:1912
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2944
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1660
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1576
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1596
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1848
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:712
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2772
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2784
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2748
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:924
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2796
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1532
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2992
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1868
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1656
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3064
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2864
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2384
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2152
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2608
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2708
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2676
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1900
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2424
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:1780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        20⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3808
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        21⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        23⤵
        Adds Run key to start application
        
        PID:3300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:1956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        25⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        26⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        27⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:4264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:4572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:4776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:4952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:5048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        28⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:752
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2920
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:900
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:988
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2884
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:812
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2136
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1688
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2456
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2456
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:560
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:840
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2948
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1152
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1512
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3024
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2584
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2168
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1108
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1560
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:664
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:800
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2640
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3032
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:936
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:892
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:752
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4028
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:280
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1668
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2588
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1708
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2644
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2132
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2864
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2400
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1112
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2752
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2596
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2132
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2656
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3392
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3416
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3444
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3468
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3496
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3576
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3588
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3596
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        9⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:980
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3236
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        17⤵
        Adds Run key to start application
        
        PID:4612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4784
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3512
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:3652
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3816
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3992
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4020
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3104
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3164
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3192
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3196
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        9⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3904
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:3148
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3348
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3144
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3380
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3672
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3952
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2832
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3748
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3240
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3984
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        7⤵
        Drops file in System32 directory
        
        PID:3836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1652
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:3948
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3352
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3648
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3536
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1316
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3636
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3888
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3232
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3708
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3788
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3220
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3540
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3984
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3688
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        11⤵
        
        PID:4428
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2788
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3360
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3208
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3484
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1332
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2656
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1712
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4176
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4208
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4248
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4456
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4876
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4992
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5096
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4232
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4296
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        9⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2888
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5040
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4332
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4560
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4792
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4568
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3652
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4124
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4968
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4108
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        7⤵
        Loads dropped DLL
        
        PID:4100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        9⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4528
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:5112
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:4760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4520
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4544
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4672
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4868
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        
        PID:4184
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4404
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4336
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5024
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4464
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2788
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4368
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1712
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        14⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        15⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5548
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4836
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:4140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5068
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4384
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4504
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      PID:3360
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4348
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4412
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4832
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4588
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3360
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4812
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4660
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4144
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4416
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        6⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:5812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:5376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5688
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4552
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5164
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5264
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5280
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5300
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      PID:5452
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:5544
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5780
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5820
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5848
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5868
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5900
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6036
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6060
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:5412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\SysWOW64\InstallDir\Server.exe"
        8⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6108
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      PID:5884
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5224
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4552
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4632
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      PID:5680
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5796
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4348
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5208
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5336
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:316
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4532
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5168
    - - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:6000
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5884
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6124
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5580
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2416
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2044
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2288
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2232
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2292
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3056
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2268
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\InstallDir\Server.exe
    "C:\Windows\system32\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      C:\Windows\SysWOW64\InstallDir\Server.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2504
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2808
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2120
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2520
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2552
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2336
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2960
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1280
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\St1WC5kt.cfg

Filesize
1KB

MD5
aad97b06909f4b5308f9f01581211d87

SHA1
6652a894e81b7a980cf965e2529e32cd02efe983

SHA256
9afa08e4877c533ea3bd0d6cb31ec4cf5fa16082bc0e5d0a0d5ba1b0b7c26003

SHA512
b281fe2f347a44374e191edc86e9c8b96937b8c3246ff8e08173d5e20f96a5e9cd95299e0f66f150e5b47eba7917bf1502125cba122e03ce6e523f4923673f28

Download Submit
C:\Windows\SysWOW64\InstallDir\Server.exe

Filesize
74KB

MD5
3ac9c8a6b9ed672c4d024029d19ed9a8

SHA1
a2ab5d7330a8ab85dbdcffaa2d5bb2d42e8a729d

SHA256
4a3fe586b3806381665e4f400b937f68449583b8fc1c84cb68c5c1b59d29ce98

SHA512
06b484752ff69238976e21f489a7345820a304da2b5c94ca0c6773bc538812c4dc5f1ac09f10398270cc842f9c6618ad587b7553a0f9d86e0aceafb99ed17f38

Download Submit
memory/1912-31-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1912-35-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2836-28-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2836-18-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2836-38-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2836-17-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2836-14-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2912-21-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2912-29-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2912-30-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2912-0-0x0000000074531000-0x0000000074532000-memory.dmp

Filesize
4KB

Download
memory/2912-20-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2912-19-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2912-2-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2912-1-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads