xtremerat | bd6af06b0b0cfd7f2e3cacd34b61380511c24e2669a4423cdce65fc33fc8cd0a

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4367880a707b638518519d649bee956d.exe
Size

205KB
MD5

4367880a707b638518519d649bee956d
SHA1

c02ecf3dd6c776f30ef523f1ec342779c484a55d
SHA256

bd6af06b0b0cfd7f2e3cacd34b61380511c24e2669a4423cdce65fc33fc8cd0a
SHA512

a94826529456963acabcc2c0c2ba8175e689166f7bc68febcefc41279158fc2be15b918b363599b6f3f94f304013c0727b3ea5af95c557c8c3cd1f685d14bd8c
SSDEEP

3072:7wYDa+LDdS5f39vDTgWTrHmyvVxKUiOpPPjlavX02U2dyyLWAHf3:7bDzk5pRHfntjb2U2dyKf

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

ksa616.dyndns.biz

Signatures

Detect XtremeRAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/2620-12-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2620-11-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2184-22-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2880-26-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	JaffaCakes118_4367880a707b638518519d649bee956d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\WINDOWS\\svchos.exe restart"	svchos.exe

Executes dropped EXE 64 IoCs

pid	Process
2708	svchos.exe
2844	svchos.exe
2952	svchos.exe
356	svchos.exe
992	svchos.exe
1444	svchos.exe
2196	svchos.exe
640	svchos.exe
680	svchos.exe
1384	svchos.exe
1792	svchos.exe
1972	svchos.exe
1508	svchos.exe
2476	svchos.exe
2716	svchos.exe
2744	svchos.exe
2512	svchos.exe
3032	svchos.exe
2068	svchos.exe
2564	svchos.exe
3064	svchos.exe
2252	svchos.exe
2456	svchos.exe
2780	svchos.exe
2680	svchos.exe
2716	svchos.exe
1484	svchos.exe
1000	svchos.exe
2000	svchos.exe
1248	svchos.exe
2988	svchos.exe
2476	svchos.exe
1804	svchos.exe
2136	svchos.exe
2548	svchos.exe
2228	svchos.exe
2508	svchos.exe
2444	svchos.exe
2736	svchos.exe
1500	svchos.exe
2056	svchos.exe
496	svchos.exe
2196	svchos.exe
408	svchos.exe
3180	svchos.exe
3212	svchos.exe
3300	svchos.exe
3328	svchos.exe
3572	svchos.exe
3612	svchos.exe
3736	svchos.exe
3768	svchos.exe
3880	svchos.exe
3912	svchos.exe
3076	svchos.exe
2696	svchos.exe
3200	svchos.exe
3344	svchos.exe
3356	svchos.exe
3580	svchos.exe
3420	svchos.exe
3932	svchos.exe
2328	svchos.exe
3152	svchos.exe

Loads dropped DLL 1 IoCs

pid	Process
2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	JaffaCakes118_4367880a707b638518519d649bee956d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WINDOWS\\svchos.exe"	svchos.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 2620	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe	31
PID 2708 set thread context of 2844	2708	svchos.exe	44
PID 2952 set thread context of 356	2952	svchos.exe	56
PID 992 set thread context of 1444	992	svchos.exe	60
PID 2196 set thread context of 640	2196	svchos.exe	71
PID 680 set thread context of 1384	680	svchos.exe	75
PID 1792 set thread context of 1972	1792	svchos.exe	93
PID 1508 set thread context of 2476	1508	svchos.exe	97
PID 2716 set thread context of 2744	2716	svchos.exe	115
PID 2512 set thread context of 3032	2512	svchos.exe	118
PID 2068 set thread context of 2564	2068	svchos.exe	137
PID 3064 set thread context of 2252	3064	svchos.exe	141
PID 2456 set thread context of 2780	2456	svchos.exe	146
PID 2680 set thread context of 2716	2680	svchos.exe	169
PID 1484 set thread context of 1000	1484	svchos.exe	173
PID 2000 set thread context of 1248	2000	svchos.exe	179
PID 2988 set thread context of 2476	2988	svchos.exe	200
PID 1804 set thread context of 2136	1804	svchos.exe	204
PID 2548 set thread context of 2508	2548	svchos.exe	211
PID 2228 set thread context of 2444	2228	svchos.exe	213
PID 2736 set thread context of 1500	2736	svchos.exe	229
PID 2056 set thread context of 496	2056	svchos.exe	235
PID 2196 set thread context of 408	2196	svchos.exe	251
PID 3180 set thread context of 3212	3180	svchos.exe	257
PID 3300 set thread context of 3328	3300	svchos.exe	261
PID 3572 set thread context of 3612	3572	svchos.exe	282
PID 3736 set thread context of 3768	3736	svchos.exe	289
PID 3880 set thread context of 3912	3880	svchos.exe	294
PID 3076 set thread context of 2696	3076	svchos.exe	309
PID 3200 set thread context of 3344	3200	svchos.exe	317
PID 3356 set thread context of 3580	3356	svchos.exe	320
PID 3420 set thread context of 3932	3420	svchos.exe	339
PID 2328 set thread context of 3152	2328	svchos.exe	350
PID 3240 set thread context of 3556	3240	svchos.exe	355
PID 3200 set thread context of 3836	3200	svchos.exe	357
PID 3368 set thread context of 3668	3368	svchos.exe	375
PID 3200 set thread context of 3940	3200	svchos.exe	383
PID 3984 set thread context of 3624	3984	svchos.exe	388
PID 3568 set thread context of 3640	3568	svchos.exe	404
PID 3620 set thread context of 2224	3620	svchos.exe	415
PID 4180 set thread context of 4228	4180	svchos.exe	422
PID 4188 set thread context of 4288	4188	svchos.exe	424
PID 4536 set thread context of 4568	4536	svchos.exe	441
PID 4716 set thread context of 4752	4716	svchos.exe	450
PID 4896 set thread context of 4928	4896	svchos.exe	458
PID 4936 set thread context of 5016	4936	svchos.exe	461
PID 4244 set thread context of 4308	4244	svchos.exe	476
PID 704 set thread context of 2624	704	svchos.exe	485
PID 4768 set thread context of 4804	4768	svchos.exe	494
PID 4372 set thread context of 4952	4372	svchos.exe	497
PID 3964 set thread context of 4316	3964	svchos.exe	508
PID 4264 set thread context of 4756	4264	svchos.exe	511
PID 4876 set thread context of 4992	4876	svchos.exe	523
PID 4720 set thread context of 5000	4720	svchos.exe	525
PID 3964 set thread context of 4596	3964	svchos.exe	536
PID 5056 set thread context of 4768	5056	svchos.exe	547
PID 2648 set thread context of 4292	2648	svchos.exe	558
PID 3640 set thread context of 4728	3640	svchos.exe	562
PID 4992 set thread context of 4788	4992	svchos.exe	574
PID 2624 set thread context of 4916	2624	svchos.exe	576
PID 2624 set thread context of 5076	2624	svchos.exe	587
PID 4720 set thread context of 4596	4720	svchos.exe	591
PID 5328 set thread context of 5368	5328	svchos.exe	609
PID 5448 set thread context of 5504	5448	svchos.exe	613

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2620-4-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2620-12-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2620-11-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2620-10-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2620-8-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2620-5-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2184-22-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2880-26-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	JaffaCakes118_4367880a707b638518519d649bee956d.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	JaffaCakes118_4367880a707b638518519d649bee956d.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\svchos.exe	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe
File opened for modification	C:\Windows\WINDOWS\	svchos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4367880a707b638518519d649bee956d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe
Token: 33	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe
Token: SeIncBasePriorityPrivilege	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe
Token: SeDebugPrivilege	2708	svchos.exe
Token: 33	2708	svchos.exe
Token: SeIncBasePriorityPrivilege	2708	svchos.exe
Token: SeDebugPrivilege	2952	svchos.exe
Token: 33	2952	svchos.exe
Token: SeIncBasePriorityPrivilege	2952	svchos.exe
Token: SeDebugPrivilege	992	svchos.exe
Token: 33	992	svchos.exe
Token: SeIncBasePriorityPrivilege	992	svchos.exe
Token: SeDebugPrivilege	2196	svchos.exe
Token: 33	2196	svchos.exe
Token: SeIncBasePriorityPrivilege	2196	svchos.exe
Token: SeDebugPrivilege	680	svchos.exe
Token: 33	680	svchos.exe
Token: SeIncBasePriorityPrivilege	680	svchos.exe
Token: SeDebugPrivilege	1792	svchos.exe
Token: 33	1792	svchos.exe
Token: SeIncBasePriorityPrivilege	1792	svchos.exe
Token: SeDebugPrivilege	1508	svchos.exe
Token: 33	1508	svchos.exe
Token: SeIncBasePriorityPrivilege	1508	svchos.exe
Token: SeDebugPrivilege	2716	svchos.exe
Token: 33	2716	svchos.exe
Token: SeIncBasePriorityPrivilege	2716	svchos.exe
Token: SeDebugPrivilege	2512	svchos.exe
Token: 33	2512	svchos.exe
Token: SeIncBasePriorityPrivilege	2512	svchos.exe
Token: SeDebugPrivilege	2068	svchos.exe
Token: 33	2068	svchos.exe
Token: SeIncBasePriorityPrivilege	2068	svchos.exe
Token: SeDebugPrivilege	3064	svchos.exe
Token: 33	3064	svchos.exe
Token: SeIncBasePriorityPrivilege	3064	svchos.exe
Token: SeDebugPrivilege	2456	svchos.exe
Token: 33	2456	svchos.exe
Token: SeIncBasePriorityPrivilege	2456	svchos.exe
Token: SeDebugPrivilege	2680	svchos.exe
Token: 33	2680	svchos.exe
Token: SeIncBasePriorityPrivilege	2680	svchos.exe
Token: SeDebugPrivilege	1484	svchos.exe
Token: 33	1484	svchos.exe
Token: SeIncBasePriorityPrivilege	1484	svchos.exe
Token: SeDebugPrivilege	2000	svchos.exe
Token: 33	2000	svchos.exe
Token: SeIncBasePriorityPrivilege	2000	svchos.exe
Token: SeDebugPrivilege	2988	svchos.exe
Token: 33	2988	svchos.exe
Token: SeIncBasePriorityPrivilege	2988	svchos.exe
Token: SeDebugPrivilege	1804	svchos.exe
Token: 33	1804	svchos.exe
Token: SeIncBasePriorityPrivilege	1804	svchos.exe
Token: SeDebugPrivilege	2548	svchos.exe
Token: 33	2548	svchos.exe
Token: SeIncBasePriorityPrivilege	2548	svchos.exe
Token: SeDebugPrivilege	2228	svchos.exe
Token: 33	2228	svchos.exe
Token: SeIncBasePriorityPrivilege	2228	svchos.exe
Token: SeDebugPrivilege	2736	svchos.exe
Token: 33	2736	svchos.exe
Token: SeIncBasePriorityPrivilege	2736	svchos.exe
Token: SeDebugPrivilege	2056	svchos.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1752	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe	30
PID 2116 wrote to memory of 1752	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe	30
PID 2116 wrote to memory of 1752	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe	30
PID 2116 wrote to memory of 1752	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe	30
PID 2116 wrote to memory of 2620	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe	31
PID 2116 wrote to memory of 2620	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe	31
PID 2116 wrote to memory of 2620	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe	31
PID 2116 wrote to memory of 2620	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe	31
PID 2116 wrote to memory of 2620	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe	31
PID 2116 wrote to memory of 2620	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe	31
PID 2116 wrote to memory of 2620	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe	31
PID 2116 wrote to memory of 2620	2116	JaffaCakes118_4367880a707b638518519d649bee956d.exe	31
PID 2620 wrote to memory of 2184	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	32
PID 2620 wrote to memory of 2184	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	32
PID 2620 wrote to memory of 2184	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	32
PID 2620 wrote to memory of 2184	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	32
PID 2620 wrote to memory of 2184	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	32
PID 2620 wrote to memory of 2824	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	33
PID 2620 wrote to memory of 2824	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	33
PID 2620 wrote to memory of 2824	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	33
PID 2620 wrote to memory of 2824	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	33
PID 2620 wrote to memory of 2880	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	34
PID 2620 wrote to memory of 2880	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	34
PID 2620 wrote to memory of 2880	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	34
PID 2620 wrote to memory of 2880	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	34
PID 2620 wrote to memory of 2880	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	34
PID 2620 wrote to memory of 2824	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	33
PID 2620 wrote to memory of 2828	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	35
PID 2620 wrote to memory of 2828	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	35
PID 2620 wrote to memory of 2828	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	35
PID 2620 wrote to memory of 2828	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	35
PID 2620 wrote to memory of 2828	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	35
PID 2620 wrote to memory of 2268	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	36
PID 2620 wrote to memory of 2268	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	36
PID 2620 wrote to memory of 2268	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	36
PID 2620 wrote to memory of 2268	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	36
PID 2620 wrote to memory of 2268	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	36
PID 2620 wrote to memory of 2812	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	37
PID 2620 wrote to memory of 2812	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	37
PID 2620 wrote to memory of 2812	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	37
PID 2620 wrote to memory of 2812	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	37
PID 2620 wrote to memory of 2812	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	37
PID 2620 wrote to memory of 2688	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	38
PID 2620 wrote to memory of 2688	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	38
PID 2620 wrote to memory of 2688	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	38
PID 2620 wrote to memory of 2688	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	38
PID 2620 wrote to memory of 2688	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	38
PID 2620 wrote to memory of 2640	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	39
PID 2620 wrote to memory of 2640	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	39
PID 2620 wrote to memory of 2640	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	39
PID 2620 wrote to memory of 2640	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	39
PID 2620 wrote to memory of 2640	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	39
PID 2620 wrote to memory of 2864	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	40
PID 2620 wrote to memory of 2864	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	40
PID 2620 wrote to memory of 2864	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	40
PID 2620 wrote to memory of 2864	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	40
PID 2620 wrote to memory of 2864	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	40
PID 2620 wrote to memory of 2796	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	41
PID 2620 wrote to memory of 2796	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	41
PID 2620 wrote to memory of 2796	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	41
PID 2620 wrote to memory of 2796	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	41
PID 2620 wrote to memory of 2708	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	42
PID 2620 wrote to memory of 2708	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	42
PID 2620 wrote to memory of 2708	2620	JaffaCakes118_4367880a707b638518519d649bee956d.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4367880a707b638518519d649bee956d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4367880a707b638518519d649bee956d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4367880a707b638518519d649bee956d.exe
  JaffaCakes118_4367880a707b638518519d649bee956d.exe
  2⤵
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4367880a707b638518519d649bee956d.exe
  JaffaCakes118_4367880a707b638518519d649bee956d.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    PID:2184
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:992
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:2044
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1444
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3008
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3048
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2080
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2448
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2496
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1988
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2628
      - C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        
        PID:972
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1200
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        
        PID:2536
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2620
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        11⤵
        
        PID:2756
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:456
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        13⤵
        
        PID:2452
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:2252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1404
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        15⤵
        
        PID:3068
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2920
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        17⤵
        
        PID:2312
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2136
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2196
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:1688
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        Executes dropped EXE
        
        PID:640
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1124
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1328
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:956
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2460
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1256
      - C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        
        PID:2280
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2932
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        
        PID:1724
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2204
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        11⤵
        
        PID:2500
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2676
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        13⤵
        
        PID:2752
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1888
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        15⤵
        
        PID:2252
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2148
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        17⤵
        
        PID:2668
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:1516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:1252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:1600
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        19⤵
        
        PID:1484
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3536
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        21⤵
        
        PID:3604
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        21⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:3612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4076
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3076
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        23⤵
        
        PID:3108
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        23⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:3816
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3420
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        25⤵
        
        PID:3924
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:1000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3260
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        26⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        27⤵
        
        PID:3140
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        27⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        
        PID:3668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:1716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:1708
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        28⤵
        Suspicious use of SetThreadContext
        
        PID:3568
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        29⤵
        
        PID:3936
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        29⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:3384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:3364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:3960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:4156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:4416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:4444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:4468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:4496
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        30⤵
        Suspicious use of SetThreadContext
        
        PID:4536
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        31⤵
        
        PID:4560
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        31⤵
        Drops file in Windows directory
        
        PID:4568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:5112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4172
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        32⤵
        Suspicious use of SetThreadContext
        
        PID:4244
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        33⤵
        
        PID:4272
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        33⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:4308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:4188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:4408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:4556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:4124
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2456
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:1172
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2780
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2380
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2352
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1492
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2304
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2616
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2708
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2000
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:1056
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1248
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:680
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2484
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1620
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:988
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2728
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1952
      - C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        
        PID:2964
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2980
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        
        PID:2476
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3144
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3180
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        11⤵
        
        PID:3204
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3704
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        13⤵
        
        PID:3760
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3840
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2228
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:2732
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2444
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3300
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:3320
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3328
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3412
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3444
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3468
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3496
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3520
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3856
      - C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        
        PID:3904
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3248
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3200
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        
        PID:3336
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3672
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        11⤵
        
        PID:3124
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3884
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        12⤵
        Suspicious use of SetThreadContext
        
        PID:3200
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        13⤵
        
        PID:3888
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3284
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        14⤵
        Suspicious use of SetThreadContext
        
        PID:3620
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        15⤵
        
        PID:3380
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        15⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4684
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        16⤵
        Suspicious use of SetThreadContext
        
        PID:4716
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        17⤵
        
        PID:4744
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        17⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:4752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4400
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        18⤵
        Suspicious use of SetThreadContext
        
        PID:704
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        19⤵
        
        PID:4504
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4704
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3356
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:3440
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3580
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3664
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3216
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3808
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3756
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3988
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3096
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2196
      - C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:3240
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        
        PID:408
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        
        PID:3556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3164
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:3200
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:3724
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:3984
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:3644
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3624
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3356
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2360
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3868
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3668
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3224
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4148
      - C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:4180
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        
        PID:4220
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:4228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4856
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        
        PID:4920
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:4928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4708
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        10⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        11⤵
        
        PID:4796
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        11⤵
        Adds Run key to start application
        
        PID:4804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4652
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        12⤵
        Suspicious use of SetThreadContext
        
        PID:3964
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        13⤵
        
        PID:4312
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        13⤵
        
        PID:4316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4828
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        14⤵
        Suspicious use of SetThreadContext
        
        PID:4876
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        15⤵
        
        PID:4960
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4344
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        16⤵
        Suspicious use of SetThreadContext
        
        PID:3964
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        17⤵
        
        PID:4580
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4868
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        18⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        19⤵
        
        PID:4308
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4544
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        20⤵
        Suspicious use of SetThreadContext
        
        PID:2648
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        21⤵
        
        PID:4588
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        21⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4772
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4188
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:4280
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:4288
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4936
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:5008
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:5016
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:4372
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:4944
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:4952
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:4264
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:3864
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:4720
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:4896
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:5000
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:3640
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:4900
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4728
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4340
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4180
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4288
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4236
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:932
      - C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:4992
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        
        PID:4328
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5044
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:2624
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        
        PID:3964
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5304
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5328
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        11⤵
        
        PID:5360
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5864
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        13⤵
        
        PID:5920
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6108
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2624
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:4292
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4720
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:4788
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4596
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5184
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5204
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5224
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5240
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5260
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5276
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5352
      - C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        
        PID:5496
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:5504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5904
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        
        PID:6040
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5660
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        10⤵
        
        PID:5596
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        11⤵
        
        PID:5604
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        11⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:5800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5676
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        13⤵
        
        PID:5488
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5408
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        15⤵
        
        PID:4620
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:5176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4792
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      PID:5564
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:5612
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5620
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5724
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5752
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5804
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6008
      - C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        
        PID:5136
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5688
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        
        PID:6000
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3196
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4872
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:5380
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:5388
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6028
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:5704
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4144
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5348
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5312
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5256
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5420
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5516
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5884
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5964
      - C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        
        PID:6004
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        
        PID:6092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5984
        
        C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        8⤵
        
        PID:6064
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        
        PID:5568
        
        C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        9⤵
        Adds Run key to start application
        
        PID:5160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6092
  - - C:\Windows\WINDOWS\svchos.exe
      "C:\Windows\WINDOWS\svchos.exe"
      4⤵
      PID:5600
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:4720
    - - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        5⤵
        
        PID:5164
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2880
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2828
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2268
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2812
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2688
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2640
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2864
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2796
- - C:\Windows\WINDOWS\svchos.exe
    "C:\Windows\WINDOWS\svchos.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
  - - C:\Windows\WINDOWS\svchos.exe
      svchos.exe
      4⤵
      PID:2852
  - - C:\Windows\WINDOWS\svchos.exe
      svchos.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      PID:2844
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2560
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2936
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2420
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2520
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:872
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1980
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1936
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1784
    - - C:\Windows\WINDOWS\svchos.exe
        
        "C:\Windows\WINDOWS\svchos.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
      - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        6⤵
        
        PID:1696
      - C:\Windows\WINDOWS\svchos.exe
        
        svchos.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
54ff8b632b4d5862be3a837f2d026607

SHA1
28f2c2806e40d64b45e2b6bb380e223af4e26b9b

SHA256
4d9e7d3897b27d0f74686cf22c9f22ef4a94333ef660753558165ecdc93b2e61

SHA512
d464307da20b26b481e9aa9e73d8b0f70de7ebcacc113e2932a6fbe34517e0a8673f51f120934c03723274a4f605aa6665ebbbdd2d15bd6928f396ff06a9f328

Download Submit
C:\Windows\WINDOWS\svchos.exe

Filesize
205KB

MD5
4367880a707b638518519d649bee956d

SHA1
c02ecf3dd6c776f30ef523f1ec342779c484a55d

SHA256
bd6af06b0b0cfd7f2e3cacd34b61380511c24e2669a4423cdce65fc33fc8cd0a

SHA512
a94826529456963acabcc2c0c2ba8175e689166f7bc68febcefc41279158fc2be15b918b363599b6f3f94f304013c0727b3ea5af95c557c8c3cd1f685d14bd8c

Download Submit
memory/2116-13-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-1-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-2-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-0-0x0000000074E81000-0x0000000074E82000-memory.dmp

Filesize
4KB

Download
memory/2184-22-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2620-3-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2620-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2620-5-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2620-8-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2620-10-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2620-11-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2620-12-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2620-4-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2844-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2880-26-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads