xtremerat | 990a1f1b3d72f336c8403b4c914f9b72af24fb2ed9bb9ba1bb0c3103a5656fd8

Analysis

max time kernel
147s
max time network
144s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe
Size

361KB
MD5

6f6151e8aa76392fecf4cc68e7734883
SHA1

508cd8e74e7c4e179c9912f3d5071c3f92287115
SHA256

990a1f1b3d72f336c8403b4c914f9b72af24fb2ed9bb9ba1bb0c3103a5656fd8
SHA512

c8280a45b5beab76dd90b7c4049878e8b0e655b2b3c3eba61e5c3cabeed57325d5531d27225752434796f77221ddc964e7e60896563a8c1b3f01293bbd8a7772
SSDEEP

6144:LuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLFiJ2pH8o5zw:y6Wq4aaE6KwyF5L0Y2D1PqLbcMzw

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2980-29-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2360-35-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
2756	Server.exe
2768	Server.exe
2764	Server.exe
2288	Server.exe
2124	Server.exe
3036	Server.exe
1256	Server.exe
2900	Server.exe
1644	Server.exe
2776	Server.exe
824	Server.exe
2472	Server.exe
1788	Server.exe
2228	Server.exe
1864	Server.exe
2516	Server.exe
1972	Server.exe
1780	Server.exe
3016	Server.exe
2716	Server.exe
2568	Server.exe
1380	Server.exe
2120	Server.exe
2280	Server.exe
2304	Server.exe
1016	Server.exe
2184	Server.exe
2168	Server.exe
2444	Server.exe
1612	Server.exe
1240	Server.exe
1712	Server.exe
2740	Server.exe
2708	Server.exe
3060	Server.exe
1352	Server.exe
2916	Server.exe
2908	Server.exe
2392	Server.exe
2004	Server.exe
2168	Server.exe
2580	Server.exe
536	Server.exe
548	Server.exe
2320	Server.exe
1860	Server.exe
2272	Server.exe
2108	Server.exe
692	Server.exe
936	Server.exe
1904	Server.exe
2528	Server.exe
2308	Server.exe
1796	Server.exe
1608	Server.exe
2604	Server.exe
2636	Server.exe
1720	Server.exe
2528	Server.exe
1484	Server.exe
864	Server.exe
2016	Server.exe
924	Server.exe
3080	Server.exe

Loads dropped DLL 1 IoCs

pid	Process
2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Process not Found

AutoIT Executable 53 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1172-20-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/2756-54-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/2288-85-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1256-98-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1256-114-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/2776-144-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1788-159-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1788-175-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/2516-203-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3016-233-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1380-247-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1380-263-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/2304-292-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/2168-322-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1240-335-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1240-351-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/2708-380-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/2916-409-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/2004-439-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/2580-469-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1860-498-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/692-526-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/2528-553-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1608-579-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1720-588-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1720-609-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/864-630-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3080-658-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3280-670-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3280-689-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3472-696-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3472-713-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3612-739-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3812-766-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3872-792-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3100-819-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3656-842-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3832-869-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3036-878-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3036-897-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3308-902-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3308-917-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3972-946-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3912-971-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1652-999-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/4064-1023-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/3732-1048-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/4204-1073-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/4308-1101-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/4524-1122-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/4724-1149-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/4872-1158-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/4872-1175-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1172 set thread context of 1448	1172	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	30
PID 1448 set thread context of 2980	1448	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	31
PID 2756 set thread context of 2768	2756	Server.exe	42
PID 2768 set thread context of 2764	2768	Server.exe	43
PID 2288 set thread context of 2124	2288	Server.exe	53
PID 2124 set thread context of 3036	2124	Server.exe	54
PID 1256 set thread context of 2900	1256	Server.exe	57
PID 2900 set thread context of 1644	2900	Server.exe	58
PID 2776 set thread context of 824	2776	Server.exe	74
PID 824 set thread context of 2472	824	Server.exe	75
PID 1788 set thread context of 2228	1788	Server.exe	79
PID 2228 set thread context of 1864	2228	Server.exe	80
PID 2516 set thread context of 1972	2516	Server.exe	84
PID 1972 set thread context of 1780	1972	Server.exe	85
PID 3016 set thread context of 2716	3016	Server.exe	105
PID 2716 set thread context of 2568	2716	Server.exe	106
PID 1380 set thread context of 2120	1380	Server.exe	111
PID 2120 set thread context of 2280	2120	Server.exe	112
PID 2304 set thread context of 1016	2304	Server.exe	117
PID 1016 set thread context of 2184	1016	Server.exe	118
PID 2168 set thread context of 2444	2168	Server.exe	121
PID 2444 set thread context of 1612	2444	Server.exe	122
PID 1240 set thread context of 1712	1240	Server.exe	147
PID 1712 set thread context of 2740	1712	Server.exe	148
PID 2708 set thread context of 3060	2708	Server.exe	154
PID 3060 set thread context of 1352	3060	Server.exe	155
PID 2916 set thread context of 2908	2916	Server.exe	161
PID 2908 set thread context of 2392	2908	Server.exe	162
PID 2004 set thread context of 2168	2004	Server.exe	165
PID 2168 set thread context of 536	2168	Server.exe	167
PID 2580 set thread context of 548	2580	Server.exe	168
PID 548 set thread context of 2320	548	Server.exe	169
PID 1860 set thread context of 2272	1860	Server.exe	200
PID 2272 set thread context of 2108	2272	Server.exe	201
PID 692 set thread context of 936	692	Server.exe	208
PID 936 set thread context of 1904	936	Server.exe	209
PID 2528 set thread context of 2308	2528	Server.exe	215
PID 2308 set thread context of 1796	2308	Server.exe	216
PID 1608 set thread context of 2604	1608	Server.exe	219
PID 2604 set thread context of 2636	2604	Server.exe	221
PID 1720 set thread context of 2528	1720	Server.exe	224
PID 2528 set thread context of 1484	2528	Server.exe	225
PID 864 set thread context of 2016	864	Server.exe	229
PID 2016 set thread context of 924	2016	Server.exe	230
PID 3080 set thread context of 3132	3080	Server.exe	263
PID 3132 set thread context of 3200	3132	Server.exe	265
PID 3280 set thread context of 3332	3280	Server.exe	272
PID 3332 set thread context of 3392	3332	Server.exe	273
PID 3472 set thread context of 3524	3472	Server.exe	280
PID 3524 set thread context of 3584	3524	Server.exe	281
PID 3612 set thread context of 3676	3612	Server.exe	284
PID 3676 set thread context of 3744	3676	Server.exe	285
PID 3812 set thread context of 3880	3812	Server.exe	292
PID 3880 set thread context of 3980	3880	Server.exe	294
PID 3872 set thread context of 4016	3872	Server.exe	295
PID 4016 set thread context of 4080	4016	Server.exe	296
PID 3100 set thread context of 3196	3100	Server.exe	301
PID 3196 set thread context of 1904	3196	Server.exe	302
PID 3656 set thread context of 3708	3656	Server.exe	337
PID 3708 set thread context of 264	3708	Server.exe	339
PID 3832 set thread context of 3988	3832	Server.exe	347
PID 3988 set thread context of 4036	3988	Server.exe	348
PID 3036 set thread context of 3160	3036	Server.exe	356
PID 3160 set thread context of 2440	3160	Server.exe	357

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1172-0-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1172-20-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2980-24-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2980-29-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2980-27-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2360-35-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/files/0x000700000001960a-36.dat	upx
behavioral1/memory/2756-54-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2288-69-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2288-85-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1256-98-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1256-114-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2776-128-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2776-144-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1788-159-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1788-175-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2516-203-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3016-217-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3016-233-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1380-247-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1380-263-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2304-276-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2304-292-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2168-302-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2168-322-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1240-335-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1240-351-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2708-380-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2916-393-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2916-409-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2004-421-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2004-439-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2580-447-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2580-469-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1860-478-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1860-498-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/692-526-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2528-553-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1608-579-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1720-588-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1720-609-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/864-630-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3080-658-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3280-670-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3280-689-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3472-696-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3472-713-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3612-720-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3612-739-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3872-758-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3812-766-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3872-792-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3100-819-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3656-842-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3832-869-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3036-878-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3036-897-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3308-902-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3308-917-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3972-930-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3912-937-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3972-946-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3912-971-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1652-999-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe
File created	C:\Windows\InstallDir\Server.exe	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1172	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe
1172	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe
1172	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe
2756	Server.exe
2756	Server.exe
2756	Server.exe
2288	Server.exe
2288	Server.exe
2288	Server.exe
1256	Server.exe
1256	Server.exe
1256	Server.exe
2776	Server.exe
2776	Server.exe
2776	Server.exe
1788	Server.exe
1788	Server.exe
1788	Server.exe
2516	Server.exe
2516	Server.exe
2516	Server.exe
3016	Server.exe
3016	Server.exe
3016	Server.exe
1380	Server.exe
1380	Server.exe
1380	Server.exe
2304	Server.exe
2304	Server.exe
2304	Server.exe
2168	Server.exe
2168	Server.exe
2168	Server.exe
1240	Server.exe
1240	Server.exe
1240	Server.exe
2708	Server.exe
2708	Server.exe
2708	Server.exe
2916	Server.exe
2916	Server.exe
2916	Server.exe
2004	Server.exe
2004	Server.exe
2004	Server.exe
2580	Server.exe
2580	Server.exe
2580	Server.exe
1860	Server.exe
1860	Server.exe
1860	Server.exe
692	Server.exe
692	Server.exe
692	Server.exe
2528	Server.exe
2528	Server.exe
2528	Server.exe
1608	Server.exe
1608	Server.exe
1608	Server.exe
1720	Server.exe
1720	Server.exe
1720	Server.exe
864	Server.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1172	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe
1172	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe
1172	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe
2756	Server.exe
2756	Server.exe
2756	Server.exe
2288	Server.exe
2288	Server.exe
2288	Server.exe
1256	Server.exe
1256	Server.exe
1256	Server.exe
2776	Server.exe
2776	Server.exe
2776	Server.exe
1788	Server.exe
1788	Server.exe
1788	Server.exe
2516	Server.exe
2516	Server.exe
2516	Server.exe
3016	Server.exe
3016	Server.exe
3016	Server.exe
1380	Server.exe
1380	Server.exe
1380	Server.exe
2304	Server.exe
2304	Server.exe
2304	Server.exe
2168	Server.exe
2168	Server.exe
2168	Server.exe
1240	Server.exe
1240	Server.exe
1240	Server.exe
2708	Server.exe
2708	Server.exe
2708	Server.exe
2916	Server.exe
2916	Server.exe
2916	Server.exe
2004	Server.exe
2004	Server.exe
2004	Server.exe
2580	Server.exe
2580	Server.exe
2580	Server.exe
1860	Server.exe
1860	Server.exe
1860	Server.exe
692	Server.exe
692	Server.exe
692	Server.exe
2528	Server.exe
2528	Server.exe
2528	Server.exe
1608	Server.exe
1608	Server.exe
1608	Server.exe
1720	Server.exe
1720	Server.exe
1720	Server.exe
864	Server.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1448	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe
2768	Server.exe
2124	Server.exe
2900	Server.exe
824	Server.exe
2228	Server.exe
1972	Server.exe
2716	Server.exe
2120	Server.exe
1016	Server.exe
2444	Server.exe
1712	Server.exe
3060	Server.exe
2908	Server.exe
2168	Server.exe
548	Server.exe
2272	Server.exe
936	Server.exe
2308	Server.exe
2604	Server.exe
2528	Server.exe
2016	Server.exe
3132	Server.exe
3332	Server.exe
3524	Server.exe
3676	Server.exe
3880	Server.exe
4016	Server.exe
3196	Server.exe
3708	Server.exe
3988	Server.exe
3160	Server.exe
3696	Server.exe
4024	Server.exe
3140	Server.exe
3980	Server.exe
3180	Server.exe
3876	Server.exe
4248	Server.exe
4400	Server.exe
4568	Server.exe
4776	Server.exe
4924	Server.exe
5088	Server.exe
4548	Server.exe
4796	Server.exe
4904	Server.exe
844	Server.exe
4792	Server.exe
5036	Server.exe
4172	Server.exe
3736	Server.exe
5068	Server.exe
5136	Server.exe
5288	Server.exe
5488	Server.exe
5704	Server.exe
5844	Server.exe
5976	Server.exe
5188	Server.exe
5404	Server.exe
5920	Server.exe
3744	Server.exe
5372	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 1448	1172	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	30
PID 1172 wrote to memory of 1448	1172	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	30
PID 1172 wrote to memory of 1448	1172	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	30
PID 1172 wrote to memory of 1448	1172	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	30
PID 1172 wrote to memory of 1448	1172	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	30
PID 1172 wrote to memory of 1448	1172	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	30
PID 1448 wrote to memory of 2980	1448	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	31
PID 1448 wrote to memory of 2980	1448	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	31
PID 1448 wrote to memory of 2980	1448	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	31
PID 1448 wrote to memory of 2980	1448	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	31
PID 1448 wrote to memory of 2980	1448	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	31
PID 1448 wrote to memory of 2980	1448	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	31
PID 1448 wrote to memory of 2980	1448	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	31
PID 1448 wrote to memory of 2980	1448	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	31
PID 1448 wrote to memory of 2980	1448	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	31
PID 2980 wrote to memory of 2360	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	32
PID 2980 wrote to memory of 2360	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	32
PID 2980 wrote to memory of 2360	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	32
PID 2980 wrote to memory of 2360	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	32
PID 2980 wrote to memory of 2360	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	32
PID 2980 wrote to memory of 1976	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	33
PID 2980 wrote to memory of 1976	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	33
PID 2980 wrote to memory of 1976	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	33
PID 2980 wrote to memory of 1976	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	33
PID 2980 wrote to memory of 1976	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	33
PID 2980 wrote to memory of 2808	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	34
PID 2980 wrote to memory of 2808	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	34
PID 2980 wrote to memory of 2808	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	34
PID 2980 wrote to memory of 2808	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	34
PID 2980 wrote to memory of 2808	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	34
PID 2980 wrote to memory of 3064	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	35
PID 2980 wrote to memory of 3064	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	35
PID 2980 wrote to memory of 3064	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	35
PID 2980 wrote to memory of 3064	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	35
PID 2980 wrote to memory of 3064	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	35
PID 2980 wrote to memory of 2920	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	36
PID 2980 wrote to memory of 2920	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	36
PID 2980 wrote to memory of 2920	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	36
PID 2980 wrote to memory of 2920	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	36
PID 2980 wrote to memory of 2920	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	36
PID 2980 wrote to memory of 3012	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	37
PID 2980 wrote to memory of 3012	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	37
PID 2980 wrote to memory of 3012	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	37
PID 2980 wrote to memory of 3012	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	37
PID 2980 wrote to memory of 3012	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	37
PID 2980 wrote to memory of 1872	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	38
PID 2980 wrote to memory of 1872	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	38
PID 2980 wrote to memory of 1872	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	38
PID 2980 wrote to memory of 1872	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	38
PID 2980 wrote to memory of 1872	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	38
PID 2980 wrote to memory of 3000	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	39
PID 2980 wrote to memory of 3000	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	39
PID 2980 wrote to memory of 3000	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	39
PID 2980 wrote to memory of 3000	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	39
PID 2980 wrote to memory of 3000	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	39
PID 2980 wrote to memory of 2876	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	40
PID 2980 wrote to memory of 2876	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	40
PID 2980 wrote to memory of 2876	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	40
PID 2980 wrote to memory of 2876	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	40
PID 2980 wrote to memory of 2756	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	41
PID 2980 wrote to memory of 2756	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	41
PID 2980 wrote to memory of 2756	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	41
PID 2980 wrote to memory of 2756	2980	JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe	41
PID 2756 wrote to memory of 2768	2756	Server.exe	42

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f6151e8aa76392fecf4cc68e7734883.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      PID:2360
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1256
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1920
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1788
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:1864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2548
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1380
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2704
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2708
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:580
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:692
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:1544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:1848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3268
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        20⤵
        Suspicious use of SetThreadContext
        
        PID:3280
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3332
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        22⤵
        
        PID:3392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3816
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        23⤵
        Suspicious use of SetThreadContext
        
        PID:3832
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3988
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        25⤵
        
        PID:4036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:1516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3364
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        26⤵
        
        PID:3732
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        27⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3876
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        28⤵
        Adds Run key to start application
        
        PID:4136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:4184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:4672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:4888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:4256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:4316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:4408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:4480
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        29⤵
        
        PID:4500
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        30⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4548
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        31⤵
        Adds Run key to start application
        
        PID:4572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:5060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:5100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:5040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4764
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        32⤵
        
        PID:4948
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        33⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5068
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        34⤵
        
        PID:4952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:4612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:5572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:5312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:5584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:5724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:5776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:5836
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        35⤵
        
        PID:5884
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        36⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5920
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        37⤵
        
        PID:6000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:6040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:4952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:6036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:5908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:5028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:6072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:6148
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        38⤵
        
        PID:6160
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        39⤵
        
        PID:6212
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        40⤵
        Adds Run key to start application
        
        PID:6268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:6316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:6744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:7112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:6436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:6984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:6000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:6220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:6376
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        41⤵
        
        PID:5204
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        42⤵
        
        PID:6464
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        43⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:6616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:6700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:6516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:6880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:5204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:7264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:7508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:7588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        44⤵
        
        PID:7672
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        44⤵
        
        PID:7692
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        45⤵
        
        PID:7732
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        46⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:7796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:7848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:6924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:7840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:8156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:8140
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2516
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3056
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2304
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1016
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2204
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2916
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1240
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2528
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3452
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        17⤵
        Suspicious use of SetThreadContext
        
        PID:3472
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        18⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3524
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        19⤵
        
        PID:3584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3968
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        20⤵
        Suspicious use of SetThreadContext
        
        PID:3036
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3160
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        22⤵
        
        PID:2440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4160
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        23⤵
        
        PID:4204
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        24⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4248
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        25⤵
        
        PID:4320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4668
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        26⤵
        
        PID:3920
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        27⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4796
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        28⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:4464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:4552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:4456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:4908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:3504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:4300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5032
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        29⤵
        
        PID:4564
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        30⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5136
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:5252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:5608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:4572
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2168
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2064
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2004
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1572
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1608
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3516
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        Suspicious use of SetThreadContext
        
        PID:3612
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3676
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4092
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        17⤵
        
        PID:3308
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        18⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3696
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        19⤵
        
        PID:3772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:1484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:1652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4192
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        20⤵
        
        PID:4308
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        21⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4400
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        22⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4772
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        23⤵
        
        PID:4872
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        24⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4904
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        25⤵
        Adds Run key to start application
        
        PID:5076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5024
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        26⤵
        
        PID:5224
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        27⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5288
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        28⤵
        
        PID:5360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:4896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:6008
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        29⤵
        
        PID:6080
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        30⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3744
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        31⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:5280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:5916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:5468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:5600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:3028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:5276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6292
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        32⤵
        
        PID:6340
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        33⤵
        
        PID:6380
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        34⤵
        
        PID:6452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:7028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6664
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:6728
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        36⤵
        
        PID:5376
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        37⤵
        
        PID:6912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:2792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:4996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:6920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:6688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:7312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:7532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:7612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:7820
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        38⤵
        
        PID:7860
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:7900
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        40⤵
        
        PID:7964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:8052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:7236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:7884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:7248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:7340
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2580
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1512
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1720
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:1484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3756
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3880
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        
        PID:3980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3432
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        
        PID:3972
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        15⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4024
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        
        PID:3172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4392
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        18⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4568
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4876
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        20⤵
        
        PID:5096
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        21⤵
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        22⤵
        Adds Run key to start application
        
        PID:4504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:5004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:5420
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        23⤵
        
        PID:5448
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        24⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5488
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        25⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:3656
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        26⤵
        
        PID:4640
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        27⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5372
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        28⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:6052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:6056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:6476
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        29⤵
        
        PID:6576
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        30⤵
        
        PID:6628
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        31⤵
        
        PID:6684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:7048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:7068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:7160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6928
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        32⤵
        
        PID:1400
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        33⤵
        
        PID:6408
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        34⤵
        
        PID:6520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:3612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:7448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:7548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:7632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:7972
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        35⤵
        
        PID:8032
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        36⤵
        
        PID:8104
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        37⤵
        Adds Run key to start application
        
        PID:8160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:7172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:7764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:8084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:7860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        38⤵
        
        PID:7756
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:864
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3780
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:3872
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4016
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        
        PID:4080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3940
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        
        PID:3912
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3140
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4000
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:3100
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3196
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        
        PID:1904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3624
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        
        PID:1652
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3980
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        
        PID:3920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4704
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        
        PID:4724
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4776
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        
        PID:4836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4596
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        
        PID:4624
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        15⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4792
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5624
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        17⤵
        
        PID:5652
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        18⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5704
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        19⤵
        
        PID:5756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5904
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        20⤵
        
        PID:3612
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        22⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:5324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:5364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:5968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:5996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6768
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        23⤵
        
        PID:6796
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        24⤵
        
        PID:6848
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        25⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:6904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:1084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6452
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        26⤵
        
        PID:6580
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        27⤵
        
        PID:6892
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        28⤵
        
        PID:6324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:6300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:6176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:6560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:7484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:7564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:7648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:8004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:7212
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        29⤵
        
        PID:7248
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        30⤵
        
        PID:7356
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        31⤵
        
        PID:7468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:7780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:8112
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        
        PID:4064
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3180
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        
        PID:3748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4736
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4924
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3424
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        
        PID:3744
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5036
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5640
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        
        PID:5796
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        15⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5844
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        
        PID:5968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5816
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        17⤵
        
        PID:6112
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        18⤵
        
        PID:5160
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6776
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        20⤵
        
        PID:6840
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        21⤵
        
        PID:6960
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        22⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:7016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:7092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:5240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:7128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:7148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:6792
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:6728
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        24⤵
        
        PID:6720
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        25⤵
        Adds Run key to start application
        
        PID:5216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:8020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7228
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        26⤵
        
        PID:7256
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        27⤵
        
        PID:7328
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:7720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:7736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:8072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:7924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:7752
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        
        PID:5044
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5088
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        
        PID:3872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4780
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        
        PID:5068
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4172
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Adds Run key to start application
        
        PID:3612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5672
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        
        PID:5852
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5976
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:6072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5960
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        
        PID:4640
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        
        PID:5396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:5232
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        
        PID:4764
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3736
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        
        PID:4928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5132
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        
        PID:5156
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5188
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        
        PID:5268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6100
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        
        PID:1904
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        
        PID:5580
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        
        PID:5156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7120
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        
        PID:7132
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        15⤵
        
        PID:6156
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        
        PID:6176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6796
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        17⤵
        
        PID:6924
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        18⤵
        
        PID:6272
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        19⤵
        Adds Run key to start application
        
        PID:1400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2156
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        20⤵
        
        PID:7896
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        21⤵
        
        PID:7928
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        22⤵
        
        PID:7108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:8032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:7916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:7472
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        
        PID:5320
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5404
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        
        PID:5452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5196
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        
        PID:5456
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        
        PID:5416
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6280
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        
        PID:6348
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        
        PID:6384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6460
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        
        PID:6804
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        15⤵
        
        PID:6868
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        Adds Run key to start application
        
        PID:6268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:6872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:8116
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:8140
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        18⤵
        
        PID:6904
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        19⤵
        
        PID:7348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5216
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        
        PID:5264
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        
        PID:1904
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        
        PID:5448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5008
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        
        PID:6620
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        
        PID:6660
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        
        PID:5484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6808
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        
        PID:6416
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        
        PID:6804
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        
        PID:6044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:8012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7376
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        
        PID:7384
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        15⤵
        
        PID:6616
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        
        PID:7792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:7292
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        
        PID:6892
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        
        PID:6896
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:6940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6684
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        
        PID:6924
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        
        PID:7184
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        
        PID:7240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:8184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7892
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        
        PID:7912
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        
        PID:5508
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:8180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7080
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        
        PID:7304
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        
        PID:7360
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        
        PID:7416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2576
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        
        PID:7380
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        
        PID:6044
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        
        PID:7324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7056
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7872
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7980
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1976
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2808
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3064
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2920
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3012
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1872
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2876
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2768
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2688
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2288
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1928
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2776
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2712
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3016
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        15⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2112
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1240
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        18⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1780
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1860
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:1584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2392
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3080
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3132
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        24⤵
        Adds Run key to start application
        
        PID:3200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:3644
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        25⤵
        Suspicious use of SetThreadContext
        
        PID:3656
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3708
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        27⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:4076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:4028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:2932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PE-SCRYPTED.BIN

Filesize
56KB

MD5
0ce4eff5ddd360dd1ec3173fe8b907bb

SHA1
6d91c4fb80c1ed86d3c0b0b94f46444ed2be8af4

SHA256
f7cb870773c4f578703ff156fddcd161af7164cd6b7778ab74fd709c1ccb7cb2

SHA512
a2cf62282295a3ff51eb18c72b80068e5d7019df64d48f955aaad167b4a6f8290982508b35588e18566e6555b6eabf55e064901b66f0dfbc53efb41ac980f70f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
e231aa3a824bc2656dd5c40ff89cf0fa

SHA1
de77ca52ef1f4b3a1a58d86d10c28c6450337671

SHA256
c346b0ae9b3b77df71b917d17c5578764becae7b9070420d70fa21daf5f1f2de

SHA512
9c7ef344681df07ebe2fb8f3674d3e02db50256147773cedc844fe0a13deac70d6c85385256571b461c039a6ca913bceb48d50517e520e32726953b2455484e4

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
361KB

MD5
6f6151e8aa76392fecf4cc68e7734883

SHA1
508cd8e74e7c4e179c9912f3d5071c3f92287115

SHA256
990a1f1b3d72f336c8403b4c914f9b72af24fb2ed9bb9ba1bb0c3103a5656fd8

SHA512
c8280a45b5beab76dd90b7c4049878e8b0e655b2b3c3eba61e5c3cabeed57325d5531d27225752434796f77221ddc964e7e60896563a8c1b3f01293bbd8a7772

Download Submit
memory/548-476-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/692-526-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/824-152-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/864-630-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1016-304-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-0-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1172-20-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1240-351-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1240-335-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1256-98-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1256-114-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1380-263-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1380-247-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1448-21-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1448-16-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1448-28-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1448-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1448-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1448-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1448-11-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1448-17-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1608-579-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1652-999-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1712-359-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1720-588-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1720-609-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1788-175-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1788-159-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1860-478-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1860-498-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1972-211-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2004-421-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2004-439-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2016-628-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2016-639-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2120-271-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2124-93-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2168-302-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2168-451-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2168-322-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2228-183-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2272-504-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2288-69-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2288-85-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2304-292-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2304-276-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2308-558-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2360-34-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2360-35-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2444-330-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2516-203-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2528-553-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2528-612-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2580-447-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2580-469-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2708-380-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2756-54-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2768-64-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2776-128-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2776-144-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2900-122-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2908-417-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2916-409-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2916-393-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2980-27-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2980-29-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2980-24-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3016-217-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3016-233-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3036-897-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3036-878-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3060-390-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3080-658-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3100-819-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3132-666-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3140-980-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3280-670-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3280-689-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3308-917-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3308-902-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3472-696-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3472-713-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3612-739-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3612-720-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3656-842-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3676-742-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3676-747-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3732-1048-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3812-766-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3832-869-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3872-792-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3872-758-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3880-776-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3880-764-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3912-937-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3912-971-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3972-930-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3972-946-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4064-1006-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4064-1023-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4204-1073-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4308-1078-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4308-1101-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4524-1122-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4724-1149-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4872-1158-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4872-1175-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads