xtremerat | 7e0b313fcb9f1819a2e45dc0e68ff7c46918b2209ccd0ba60747767db8df5e46

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16/03/2025, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
Size

171KB
MD5

7ba01bd96d2870c48c886f898b1d43dd
SHA1

4cca4ade9db10a7a2f1c97c7ae5f227e9890e451
SHA256

7e0b313fcb9f1819a2e45dc0e68ff7c46918b2209ccd0ba60747767db8df5e46
SHA512

1be5554fcb278b8776cab66e29f35f6e95a11ed56f0cf799cea3526ac696bfd9022b69d44ba5ebf192a37dfa9ebd6e786dd5444fb519b21eeeab5ee1ed149f45
SSDEEP

3072:yEvb4VROJBCL3ce5ncyzG23UbuasNPp4boJi0oIDVc0SWiPGugnsPHjYvlpRD8kR:y0b4VROJBCL3ce5ncyzG23UbuasNPp4k

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/2712-2-0x0000000013140000-0x0000000013168000-memory.dmp	family_xtremerat
behavioral1/memory/2712-3-0x0000000013140000-0x0000000013168000-memory.dmp	family_xtremerat
behavioral1/memory/2712-4-0x0000000013140000-0x0000000013168000-memory.dmp	family_xtremerat
behavioral1/memory/2712-5-0x0000000013140000-0x0000000013168000-memory.dmp	family_xtremerat
behavioral1/memory/2980-11-0x0000000013140000-0x0000000013168000-memory.dmp	family_xtremerat
behavioral1/memory/2712-23-0x0000000013140000-0x0000000013168000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 60 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Windows\\system32\\SYSTEM\\JOPEr.exe restart"	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Windows\\system32\\SYSTEM\\JOPEr.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe

Executes dropped EXE 64 IoCs

pid	Process
2996	874Frog Dissector.exe
2164	JOPEr.exe
580	JOPEr.exe
968	JOPEr.exe
2412	874Frog Dissector.exe
1568	JOPEr.exe
1180	874Frog Dissector.exe
1792	JOPEr.exe
1264	JOPEr.exe
2400	JOPEr.exe
264	874Frog Dissector.exe
2236	JOPEr.exe
2004	874Frog Dissector.exe
1668	JOPEr.exe
1496	JOPEr.exe
1732	JOPEr.exe
1592	874Frog Dissector.exe
2056	JOPEr.exe
2620	874Frog Dissector.exe
1936	JOPEr.exe
472	JOPEr.exe
2952	874Frog Dissector.exe
2988	JOPEr.exe
2944	JOPEr.exe
2188	874Frog Dissector.exe
1424	JOPEr.exe
1444	JOPEr.exe
2292	JOPEr.exe
2140	874Frog Dissector.exe
2248	JOPEr.exe
2008	874Frog Dissector.exe
2400	JOPEr.exe
1672	JOPEr.exe
1108	874Frog Dissector.exe
2412	JOPEr.exe
1500	JOPEr.exe
2468	874Frog Dissector.exe
2072	JOPEr.exe
1908	JOPEr.exe
2820	874Frog Dissector.exe
2892	JOPEr.exe
1592	JOPEr.exe
1212	874Frog Dissector.exe
2828	JOPEr.exe
1208	JOPEr.exe
2840	874Frog Dissector.exe
672	JOPEr.exe
324	JOPEr.exe
1624	874Frog Dissector.exe
1616	JOPEr.exe
2056	JOPEr.exe
1492	JOPEr.exe
2776	874Frog Dissector.exe
812	JOPEr.exe
2424	874Frog Dissector.exe
1288	JOPEr.exe
2052	JOPEr.exe
1824	874Frog Dissector.exe
1896	JOPEr.exe
872	JOPEr.exe
2660	874Frog Dissector.exe
1756	JOPEr.exe
2452	JOPEr.exe
2608	JOPEr.exe

Loads dropped DLL 64 IoCs

pid	Process
2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
580	JOPEr.exe
580	JOPEr.exe
1568	JOPEr.exe
1568	JOPEr.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
1264	JOPEr.exe
1264	JOPEr.exe
2236	JOPEr.exe
2236	JOPEr.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
1496	JOPEr.exe
1496	JOPEr.exe
2056	JOPEr.exe
2056	JOPEr.exe
2980	svchost.exe
2980	svchost.exe
472	JOPEr.exe
2980	svchost.exe
472	JOPEr.exe
2980	svchost.exe
2944	JOPEr.exe
2944	JOPEr.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
1444	JOPEr.exe
1444	JOPEr.exe
2248	JOPEr.exe
2248	JOPEr.exe
2980	svchost.exe
2980	svchost.exe
1672	JOPEr.exe
1672	JOPEr.exe
2980	svchost.exe
2980	svchost.exe
1500	JOPEr.exe
1500	JOPEr.exe
2980	svchost.exe
2980	svchost.exe
1908	JOPEr.exe
1908	JOPEr.exe
2980	svchost.exe
2980	svchost.exe
1592	JOPEr.exe
1592	JOPEr.exe
2980	svchost.exe
2980	svchost.exe
1208	JOPEr.exe
1208	JOPEr.exe
2980	svchost.exe
2980	svchost.exe

Adds Run key to start application 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\SYSTEM\\JOPEr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\SYSTEM\\JOPEr.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\SYSTEM\\JOPEr.exe"	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\SYSTEM\\JOPEr.exe"	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe

Suspicious use of SetThreadContext 29 IoCs

description	pid	Process	procid_target
PID 2076 set thread context of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2164 set thread context of 580	2164	JOPEr.exe	42
PID 968 set thread context of 1568	968	JOPEr.exe	53
PID 1792 set thread context of 1264	1792	JOPEr.exe	64
PID 2400 set thread context of 2236	2400	JOPEr.exe	75
PID 1668 set thread context of 1496	1668	JOPEr.exe	86
PID 1732 set thread context of 2056	1732	JOPEr.exe	97
PID 1936 set thread context of 472	1936	JOPEr.exe	108
PID 2988 set thread context of 2944	2988	JOPEr.exe	119
PID 1424 set thread context of 1444	1424	JOPEr.exe	130
PID 2292 set thread context of 2248	2292	JOPEr.exe	141
PID 2400 set thread context of 1672	2400	JOPEr.exe	152
PID 2412 set thread context of 1500	2412	JOPEr.exe	163
PID 2072 set thread context of 1908	2072	JOPEr.exe	174
PID 2892 set thread context of 1592	2892	JOPEr.exe	185
PID 2828 set thread context of 1208	2828	JOPEr.exe	196
PID 672 set thread context of 324	672	JOPEr.exe	207
PID 1616 set thread context of 2056	1616	JOPEr.exe	218
PID 1492 set thread context of 812	1492	JOPEr.exe	229
PID 1288 set thread context of 2052	1288	JOPEr.exe	240
PID 1896 set thread context of 872	1896	JOPEr.exe	251
PID 1756 set thread context of 2452	1756	JOPEr.exe	262
PID 2608 set thread context of 2112	2608	JOPEr.exe	273
PID 532 set thread context of 2820	532	JOPEr.exe	284
PID 3140 set thread context of 3164	3140	JOPEr.exe	295
PID 3308 set thread context of 3324	3308	JOPEr.exe	306
PID 3480 set thread context of 3496	3480	JOPEr.exe	317
PID 3620 set thread context of 3656	3620	JOPEr.exe	328
PID 3800 set thread context of 3816	3800	JOPEr.exe	339

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe

Suspicious use of SetWindowsHookEx 57 IoCs

pid	Process
2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
2996	874Frog Dissector.exe
2164	JOPEr.exe
968	JOPEr.exe
2412	874Frog Dissector.exe
1180	874Frog Dissector.exe
1792	JOPEr.exe
2400	JOPEr.exe
264	874Frog Dissector.exe
2004	874Frog Dissector.exe
1668	JOPEr.exe
1732	JOPEr.exe
1592	874Frog Dissector.exe
2620	874Frog Dissector.exe
1936	JOPEr.exe
2952	874Frog Dissector.exe
2988	JOPEr.exe
2188	874Frog Dissector.exe
1424	JOPEr.exe
2292	JOPEr.exe
2140	874Frog Dissector.exe
2008	874Frog Dissector.exe
2400	JOPEr.exe
1108	874Frog Dissector.exe
2412	JOPEr.exe
2468	874Frog Dissector.exe
2072	JOPEr.exe
2820	874Frog Dissector.exe
2892	JOPEr.exe
1212	874Frog Dissector.exe
2828	JOPEr.exe
2840	874Frog Dissector.exe
672	JOPEr.exe
1624	874Frog Dissector.exe
1616	JOPEr.exe
1492	JOPEr.exe
2776	874Frog Dissector.exe
2424	874Frog Dissector.exe
1288	JOPEr.exe
1824	874Frog Dissector.exe
1896	JOPEr.exe
2660	874Frog Dissector.exe
1756	JOPEr.exe
2608	JOPEr.exe
1880	874Frog Dissector.exe
532	JOPEr.exe
2832	874Frog Dissector.exe
3132	874Frog Dissector.exe
3140	JOPEr.exe
3292	874Frog Dissector.exe
3308	JOPEr.exe
3464	874Frog Dissector.exe
3480	JOPEr.exe
3620	JOPEr.exe
3640	874Frog Dissector.exe
3784	874Frog Dissector.exe
3800	JOPEr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2076 wrote to memory of 2712	2076	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	30
PID 2712 wrote to memory of 2980	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	31
PID 2712 wrote to memory of 2980	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	31
PID 2712 wrote to memory of 2980	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	31
PID 2712 wrote to memory of 2980	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	31
PID 2712 wrote to memory of 2980	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	31
PID 2712 wrote to memory of 2388	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	32
PID 2712 wrote to memory of 2388	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	32
PID 2712 wrote to memory of 2388	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	32
PID 2712 wrote to memory of 2388	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	32
PID 2712 wrote to memory of 2388	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	32
PID 2712 wrote to memory of 2928	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	33
PID 2712 wrote to memory of 2928	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	33
PID 2712 wrote to memory of 2928	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	33
PID 2712 wrote to memory of 2928	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	33
PID 2712 wrote to memory of 2928	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	33
PID 2712 wrote to memory of 3008	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	34
PID 2712 wrote to memory of 3008	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	34
PID 2712 wrote to memory of 3008	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	34
PID 2712 wrote to memory of 3008	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	34
PID 2712 wrote to memory of 3008	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	34
PID 2712 wrote to memory of 3012	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	35
PID 2712 wrote to memory of 3012	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	35
PID 2712 wrote to memory of 3012	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	35
PID 2712 wrote to memory of 3012	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	35
PID 2712 wrote to memory of 3012	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	35
PID 2712 wrote to memory of 3028	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	36
PID 2712 wrote to memory of 3028	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	36
PID 2712 wrote to memory of 3028	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	36
PID 2712 wrote to memory of 3028	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	36
PID 2712 wrote to memory of 3028	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	36
PID 2712 wrote to memory of 3056	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	37
PID 2712 wrote to memory of 3056	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	37
PID 2712 wrote to memory of 3056	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	37
PID 2712 wrote to memory of 3056	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	37
PID 2712 wrote to memory of 3056	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	37
PID 2712 wrote to memory of 2280	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	38
PID 2712 wrote to memory of 2280	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	38
PID 2712 wrote to memory of 2280	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	38
PID 2712 wrote to memory of 2280	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	38
PID 2712 wrote to memory of 2280	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	38
PID 2712 wrote to memory of 2932	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	39
PID 2712 wrote to memory of 2932	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	39
PID 2712 wrote to memory of 2932	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	39
PID 2712 wrote to memory of 2932	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	39
PID 2712 wrote to memory of 2996	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	40
PID 2712 wrote to memory of 2996	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	40
PID 2712 wrote to memory of 2996	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	40
PID 2712 wrote to memory of 2996	2712	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	40
PID 2980 wrote to memory of 2164	2980	svchost.exe	41

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2164
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:580
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2788
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2824
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2596
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2844
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2168
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2576
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2760
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2412
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:968
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1568
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1044
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:932
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2984
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:336
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1440
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1180
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1792
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1264
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1676
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1748
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2176
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1600
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:264
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2400
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2396
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1960
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1588
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:376
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:888
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:924
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1008
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2556
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2004
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1668
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1496
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2460
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2068
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1664
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2568
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1632
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2336
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1052
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1592
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1732
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:792
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2536
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2392
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2352
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2036
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1072
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1516
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1716
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1936
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:472
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2716
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2652
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1452
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2464
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2724
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2712
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2964
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2952
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2988
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2780
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2900
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2064
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2428
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1488
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1136
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2188
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1424
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:968
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:616
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1532
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1820
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1260
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3036
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2140
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2292
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2248
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1596
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:624
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2208
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2132
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:108
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2752
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2224
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:944
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2008
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2400
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1672
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1048
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1800
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1736
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2108
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1980
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2516
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1992
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2380
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1108
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2412
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1500
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1608
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1276
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1428
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1732
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2384
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1640
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1244
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2468
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2072
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1908
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1552
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3068
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2004
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1892
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2312
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:816
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2892
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1592
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2092
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2200
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1424
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2620
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2888
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2764
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1212
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2828
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1208
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2216
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2120
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2248
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2480
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2640
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2376
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1520
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2840
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:672
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1580
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2412
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2680
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2644
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2584
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1616
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2432
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2284
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2076
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1644
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2264
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2988
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1948
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2868
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1492
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:812
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2104
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2292
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3064
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1192
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2684
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1432
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2424
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1288
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2052
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1672
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1864
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1500
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1560
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1648
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1536
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1160
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1824
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1896
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:872
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1376
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2804
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1592
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1680
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2188
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1744
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1444
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1208
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2660
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1756
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2452
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1464
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:916
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2072
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1896
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2808
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2272
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2056
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1880
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2608
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2112
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2772
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2424
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:872
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1004
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2164
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:868
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2672
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1788
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2832
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:532
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2820
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1824
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2112
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1756
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3084
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3092
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3104
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3112
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3132
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3140
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3164
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3204
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3212
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3224
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3232
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3244
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3264
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3272
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3292
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3308
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3356
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3372
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3396
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3404
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3416
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3424
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3444
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3464
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3480
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3496
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3532
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3544
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3552
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3564
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3576
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3588
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3596
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3608
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3640
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3620
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3656
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3716
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3724
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3736
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3744
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3756
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3764
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3784
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3800
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3816
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3864
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3876
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3884
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2388
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2928
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3008
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3012
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3028
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3056
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2280
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2932
- - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
    "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe.exe

Filesize
4B

MD5
a2ce4c7b743725199da04033b5b57469

SHA1
1ae348eafa097ab898941eafe912d711a407da10

SHA256
0fff86057dcfb3975c8bc44459740ba5ffb43551931163538df3f39a6bb991bc

SHA512
23bd59f57b16cd496b550c1bba09eb3f9a9dfe764ea03470e3cc43e4d0b4ca415d239772e4a9b930749e88cead9a7ec4b0a77d0dd310e61d8c6521ae6ff278b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\nFy%6YVFN.cfg

Filesize
1KB

MD5
96bdba25bed655729de4ffdbe31837a5

SHA1
b4de15b0efaed6bf37254759526ea3e59523eb16

SHA256
2a60de1566e2ba26a583dfe1e24cbad657b18f413b5e67a4684ddd50ae9070a3

SHA512
97606cc9dabc9faa5aca1a61fa26960202914d098445abbe64a4ffe9f5def9bbef5b96298b3af59b74647f027a7f310948a93796ea8331721a8978640817d73e

Download Submit
C:\Users\Admin\AppData\Roaming\SYSTEM\JOPEr.exe

Filesize
128KB

MD5
81cf9eaccc34435b0768197cc7d76ad5

SHA1
78e8981ed313a2f80d34360a328bee3dd2226a71

SHA256
9f2764c3ecd3b9545d84a98ff5c73667ba4430468b47a1a1feeb75fe5c60f9f7

SHA512
3c922da92c5de1981675da53386109e68cb8872200243315f5c52c27cee9a0e6d01e8bae7af80832f2afe71b12f9de5feef2cde17fc1a32b58b745ffb1fdf20d

Download Submit
C:\Windows\SysWOW64\SYSTEM\JOPEr.exe

Filesize
171KB

MD5
7ba01bd96d2870c48c886f898b1d43dd

SHA1
4cca4ade9db10a7a2f1c97c7ae5f227e9890e451

SHA256
7e0b313fcb9f1819a2e45dc0e68ff7c46918b2209ccd0ba60747767db8df5e46

SHA512
1be5554fcb278b8776cab66e29f35f6e95a11ed56f0cf799cea3526ac696bfd9022b69d44ba5ebf192a37dfa9ebd6e786dd5444fb519b21eeeab5ee1ed149f45

Download Submit
\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe

Filesize
48KB

MD5
61261563c1a70e4f2958cb77b7d8072a

SHA1
d8327098e87694348e468c9f54689a2f906d002c

SHA256
5cafac0e51a59e54b98b326c20f356aedeb04acbe2101cb34c7cede4dd53b686

SHA512
09c0556d62d92f565a80bb2fc88e7d071779b6d4bb71ec0a05783ec33e45d3d3dbef0d2a297a7c734914795a8f2eb639c926f8d570acf626a74bedbf37170e9f

Download Submit
memory/872-280-0x00000000770C0000-0x00000000771BA000-memory.dmp

Filesize
1000KB

Download
memory/872-279-0x00000000771C0000-0x00000000772DF000-memory.dmp

Filesize
1.1MB

Download
memory/872-281-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/2712-2-0x0000000013140000-0x0000000013168000-memory.dmp

Filesize
160KB

Download
memory/2712-23-0x0000000013140000-0x0000000013168000-memory.dmp

Filesize
160KB

Download
memory/2712-5-0x0000000013140000-0x0000000013168000-memory.dmp

Filesize
160KB

Download
memory/2712-4-0x0000000013140000-0x0000000013168000-memory.dmp

Filesize
160KB

Download
memory/2712-3-0x0000000013140000-0x0000000013168000-memory.dmp

Filesize
160KB

Download
memory/2980-11-0x0000000013140000-0x0000000013168000-memory.dmp

Filesize
160KB

Download
memory/2980-9-0x0000000013140000-0x0000000013168000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads