xtremerat | 7e0b313fcb9f1819a2e45dc0e68ff7c46918b2209ccd0ba60747767db8df5e46

Analysis

max time kernel
149s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2025, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
Size

171KB
MD5

7ba01bd96d2870c48c886f898b1d43dd
SHA1

4cca4ade9db10a7a2f1c97c7ae5f227e9890e451
SHA256

7e0b313fcb9f1819a2e45dc0e68ff7c46918b2209ccd0ba60747767db8df5e46
SHA512

1be5554fcb278b8776cab66e29f35f6e95a11ed56f0cf799cea3526ac696bfd9022b69d44ba5ebf192a37dfa9ebd6e786dd5444fb519b21eeeab5ee1ed149f45
SSDEEP

3072:yEvb4VROJBCL3ce5ncyzG23UbuasNPp4boJi0oIDVc0SWiPGugnsPHjYvlpRD8kR:y0b4VROJBCL3ce5ncyzG23UbuasNPp4k

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 7 IoCs

resource	yara_rule
behavioral2/memory/2316-3-0x0000000013140000-0x0000000013168000-memory.dmp	family_xtremerat
behavioral2/memory/2316-2-0x0000000013140000-0x0000000013168000-memory.dmp	family_xtremerat
behavioral2/memory/2316-4-0x0000000013140000-0x0000000013168000-memory.dmp	family_xtremerat
behavioral2/memory/2316-5-0x0000000013140000-0x0000000013168000-memory.dmp	family_xtremerat
behavioral2/memory/5100-9-0x0000000013140000-0x0000000013168000-memory.dmp	family_xtremerat
behavioral2/memory/2316-23-0x0000000013140000-0x0000000013168000-memory.dmp	family_xtremerat
behavioral2/memory/4640-31-0x0000000013140000-0x0000000013168000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 60 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe restart"	JOPEr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Windows\\system32\\SYSTEM\\JOPEr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2K2XE438-25WR-S8BX-6BA4-018JF6N1X4K0}\StubPath = "C:\\Windows\\system32\\SYSTEM\\JOPEr.exe restart"	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe

Checks computer location settings 2 TTPs 28 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JOPEr.exe

Executes dropped EXE 64 IoCs

pid	Process
4476	874Frog Dissector.exe
5776	JOPEr.exe
4640	JOPEr.exe
836	874Frog Dissector.exe
5296	JOPEr.exe
4660	JOPEr.exe
4044	874Frog Dissector.exe
2116	JOPEr.exe
4108	JOPEr.exe
380	874Frog Dissector.exe
3552	JOPEr.exe
540	JOPEr.exe
5760	874Frog Dissector.exe
5748	JOPEr.exe
5728	JOPEr.exe
5536	874Frog Dissector.exe
3000	JOPEr.exe
1268	JOPEr.exe
2296	874Frog Dissector.exe
4636	JOPEr.exe
1848	JOPEr.exe
3888	874Frog Dissector.exe
5180	JOPEr.exe
6024	JOPEr.exe
3492	874Frog Dissector.exe
1728	JOPEr.exe
3484	JOPEr.exe
680	874Frog Dissector.exe
4484	JOPEr.exe
4492	JOPEr.exe
4680	874Frog Dissector.exe
1336	JOPEr.exe
4640	JOPEr.exe
1252	874Frog Dissector.exe
4284	JOPEr.exe
5144	JOPEr.exe
3292	874Frog Dissector.exe
4160	JOPEr.exe
5184	JOPEr.exe
4844	874Frog Dissector.exe
3432	JOPEr.exe
2188	JOPEr.exe
836	874Frog Dissector.exe
2808	JOPEr.exe
5940	JOPEr.exe
1768	874Frog Dissector.exe
4320	JOPEr.exe
2032	JOPEr.exe
5532	874Frog Dissector.exe
1680	JOPEr.exe
1568	JOPEr.exe
988	874Frog Dissector.exe
4936	JOPEr.exe
4480	JOPEr.exe
6068	JOPEr.exe
3632	874Frog Dissector.exe
792	JOPEr.exe
5692	874Frog Dissector.exe
1436	JOPEr.exe
2900	JOPEr.exe
5028	874Frog Dissector.exe
5168	JOPEr.exe
2848	JOPEr.exe
2484	874Frog Dissector.exe

Adds Run key to start application 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\SYSTEM\\JOPEr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\SYSTEM\\JOPEr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\SYSTEM\\JOPEr.exe"	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\SYSTEM\\JOPEr.exe"	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM\\JOPEr.exe"	JOPEr.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe
File created	C:\Windows\SysWOW64\SYSTEM\JOPEr.exe	JOPEr.exe

Suspicious use of SetThreadContext 29 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 5776 set thread context of 4640	5776	JOPEr.exe	102
PID 5296 set thread context of 4660	5296	JOPEr.exe	113
PID 2116 set thread context of 4108	2116	JOPEr.exe	124
PID 3552 set thread context of 540	3552	JOPEr.exe	135
PID 5748 set thread context of 5728	5748	JOPEr.exe	150
PID 3000 set thread context of 1268	3000	JOPEr.exe	161
PID 4636 set thread context of 1848	4636	JOPEr.exe	172
PID 5180 set thread context of 6024	5180	JOPEr.exe	183
PID 1728 set thread context of 3484	1728	JOPEr.exe	194
PID 4484 set thread context of 4492	4484	JOPEr.exe	205
PID 1336 set thread context of 4640	1336	JOPEr.exe	216
PID 4284 set thread context of 5144	4284	JOPEr.exe	227
PID 4160 set thread context of 5184	4160	JOPEr.exe	238
PID 3432 set thread context of 2188	3432	JOPEr.exe	249
PID 2808 set thread context of 5940	2808	JOPEr.exe	260
PID 4320 set thread context of 2032	4320	JOPEr.exe	271
PID 1680 set thread context of 1568	1680	JOPEr.exe	282
PID 4936 set thread context of 4480	4936	JOPEr.exe	295
PID 6068 set thread context of 792	6068	JOPEr.exe	306
PID 1436 set thread context of 2900	1436	JOPEr.exe	317
PID 5168 set thread context of 2848	5168	JOPEr.exe	328
PID 1040 set thread context of 1188	1040	JOPEr.exe	339
PID 2068 set thread context of 2736	2068	JOPEr.exe	350
PID 1132 set thread context of 4600	1132	JOPEr.exe	361
PID 5060 set thread context of 4464	5060	JOPEr.exe	372
PID 2216 set thread context of 2592	2216	JOPEr.exe	383
PID 4836 set thread context of 5424	4836	JOPEr.exe	394
PID 1356 set thread context of 5680	1356	JOPEr.exe	405

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	874Frog Dissector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOPEr.exe

Suspicious use of SetWindowsHookEx 57 IoCs

pid	Process
2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
4476	874Frog Dissector.exe
5776	JOPEr.exe
836	874Frog Dissector.exe
5296	JOPEr.exe
4044	874Frog Dissector.exe
2116	JOPEr.exe
380	874Frog Dissector.exe
3552	JOPEr.exe
5760	874Frog Dissector.exe
5748	JOPEr.exe
5536	874Frog Dissector.exe
3000	JOPEr.exe
2296	874Frog Dissector.exe
4636	JOPEr.exe
3888	874Frog Dissector.exe
5180	JOPEr.exe
3492	874Frog Dissector.exe
1728	JOPEr.exe
680	874Frog Dissector.exe
4484	JOPEr.exe
4680	874Frog Dissector.exe
1336	JOPEr.exe
1252	874Frog Dissector.exe
4284	JOPEr.exe
3292	874Frog Dissector.exe
4160	JOPEr.exe
4844	874Frog Dissector.exe
3432	JOPEr.exe
836	874Frog Dissector.exe
2808	JOPEr.exe
1768	874Frog Dissector.exe
4320	JOPEr.exe
5532	874Frog Dissector.exe
1680	JOPEr.exe
988	874Frog Dissector.exe
4936	JOPEr.exe
6068	JOPEr.exe
3632	874Frog Dissector.exe
5692	874Frog Dissector.exe
1436	JOPEr.exe
5028	874Frog Dissector.exe
5168	JOPEr.exe
2484	874Frog Dissector.exe
1040	JOPEr.exe
1496	874Frog Dissector.exe
2068	JOPEr.exe
1132	JOPEr.exe
5852	874Frog Dissector.exe
4568	874Frog Dissector.exe
5060	JOPEr.exe
1076	874Frog Dissector.exe
2216	JOPEr.exe
704	874Frog Dissector.exe
4836	JOPEr.exe
4624	874Frog Dissector.exe
1356	JOPEr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 2132 wrote to memory of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 2132 wrote to memory of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 2132 wrote to memory of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 2132 wrote to memory of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 2132 wrote to memory of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 2132 wrote to memory of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 2132 wrote to memory of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 2132 wrote to memory of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 2132 wrote to memory of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 2132 wrote to memory of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 2132 wrote to memory of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 2132 wrote to memory of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 2132 wrote to memory of 2316	2132	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	86
PID 2316 wrote to memory of 5100	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	89
PID 2316 wrote to memory of 5100	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	89
PID 2316 wrote to memory of 5100	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	89
PID 2316 wrote to memory of 5100	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	89
PID 2316 wrote to memory of 732	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	91
PID 2316 wrote to memory of 732	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	91
PID 2316 wrote to memory of 732	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	91
PID 2316 wrote to memory of 5732	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	92
PID 2316 wrote to memory of 5732	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	92
PID 2316 wrote to memory of 5732	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	92
PID 2316 wrote to memory of 5600	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	93
PID 2316 wrote to memory of 5600	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	93
PID 2316 wrote to memory of 5600	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	93
PID 2316 wrote to memory of 4520	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	95
PID 2316 wrote to memory of 4520	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	95
PID 2316 wrote to memory of 4520	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	95
PID 2316 wrote to memory of 4324	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	96
PID 2316 wrote to memory of 4324	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	96
PID 2316 wrote to memory of 4324	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	96
PID 2316 wrote to memory of 4316	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	97
PID 2316 wrote to memory of 4316	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	97
PID 2316 wrote to memory of 4316	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	97
PID 2316 wrote to memory of 4364	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	98
PID 2316 wrote to memory of 4364	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	98
PID 2316 wrote to memory of 4364	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	98
PID 2316 wrote to memory of 4372	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	99
PID 2316 wrote to memory of 4372	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	99
PID 2316 wrote to memory of 4476	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	100
PID 2316 wrote to memory of 4476	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	100
PID 2316 wrote to memory of 4476	2316	JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe	100
PID 5100 wrote to memory of 5776	5100	svchost.exe	101
PID 5100 wrote to memory of 5776	5100	svchost.exe	101
PID 5100 wrote to memory of 5776	5100	svchost.exe	101
PID 5776 wrote to memory of 4640	5776	JOPEr.exe	102
PID 5776 wrote to memory of 4640	5776	JOPEr.exe	102
PID 5776 wrote to memory of 4640	5776	JOPEr.exe	102
PID 5776 wrote to memory of 4640	5776	JOPEr.exe	102
PID 5776 wrote to memory of 4640	5776	JOPEr.exe	102
PID 5776 wrote to memory of 4640	5776	JOPEr.exe	102
PID 5776 wrote to memory of 4640	5776	JOPEr.exe	102
PID 5776 wrote to memory of 4640	5776	JOPEr.exe	102
PID 5776 wrote to memory of 4640	5776	JOPEr.exe	102
PID 5776 wrote to memory of 4640	5776	JOPEr.exe	102
PID 5776 wrote to memory of 4640	5776	JOPEr.exe	102
PID 5776 wrote to memory of 4640	5776	JOPEr.exe	102
PID 5776 wrote to memory of 4640	5776	JOPEr.exe	102
PID 5776 wrote to memory of 4640	5776	JOPEr.exe	102
PID 4640 wrote to memory of 6084	4640	JOPEr.exe	103
PID 4640 wrote to memory of 6084	4640	JOPEr.exe	103
PID 4640 wrote to memory of 6084	4640	JOPEr.exe	103

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ba01bd96d2870c48c886f898b1d43dd.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5776
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6084
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4832
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4776
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4788
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1236
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:836
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:5296
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4660
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5968
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4168
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6088
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4172
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4044
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2116
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1140
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3416
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6104
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:380
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3552
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:540
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2768
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4016
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5760
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5748
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:384
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:228
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5536
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3000
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1268
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2004
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5304
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2296
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4636
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1848
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3500
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2812
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3472
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1308
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5548
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3888
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5180
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2504
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1200
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2348
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4272
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3492
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1728
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3484
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6004
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5244
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4300
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5344
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:680
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4484
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4536
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5776
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:860
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4420
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4680
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1336
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4740
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2336
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1252
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4284
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5144
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4960
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5504
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5156
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1524
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3292
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4160
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5184
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2576
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5140
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5444
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4844
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3432
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5748
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1360
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4800
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:836
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2808
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5664
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1784
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1240
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1768
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4320
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2032
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3832
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4816
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3088
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3768
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3100
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5532
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1680
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1568
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4256
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2076
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5568
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4304
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5380
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:988
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4936
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4480
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4524
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1824
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:760
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4384
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3856
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3632
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:6068
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4780
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4224
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3304
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4684
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5692
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1436
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5740
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5412
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:720
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5028
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:5168
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2848
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3184
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3384
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1660
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:904
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2484
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1040
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5688
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1252
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4196
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5324
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1496
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2068
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5800
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1500
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5048
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3696
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5852
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1132
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:836
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3824
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1568
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4472
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4040
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4568
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5060
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:368
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6068
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5608
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4980
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1076
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2216
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2592
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2480
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4412
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1428
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2252
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5032
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5240
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:704
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4836
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5424
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4652
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3660
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1148
      - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4624
  - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
      "C:\Windows\system32\SYSTEM\JOPEr.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1356
    - - C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        
        C:\Windows\SysWOW64\SYSTEM\JOPEr.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3048
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:5732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:5600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4372
- - C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe
    "C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe

Filesize
48KB

MD5
61261563c1a70e4f2958cb77b7d8072a

SHA1
d8327098e87694348e468c9f54689a2f906d002c

SHA256
5cafac0e51a59e54b98b326c20f356aedeb04acbe2101cb34c7cede4dd53b686

SHA512
09c0556d62d92f565a80bb2fc88e7d071779b6d4bb71ec0a05783ec33e45d3d3dbef0d2a297a7c734914795a8f2eb639c926f8d570acf626a74bedbf37170e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\874Frog Dissector.exe.exe

Filesize
4B

MD5
a2ce4c7b743725199da04033b5b57469

SHA1
1ae348eafa097ab898941eafe912d711a407da10

SHA256
0fff86057dcfb3975c8bc44459740ba5ffb43551931163538df3f39a6bb991bc

SHA512
23bd59f57b16cd496b550c1bba09eb3f9a9dfe764ea03470e3cc43e4d0b4ca415d239772e4a9b930749e88cead9a7ec4b0a77d0dd310e61d8c6521ae6ff278b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\nFy%6YVFN.cfg

Filesize
1KB

MD5
96bdba25bed655729de4ffdbe31837a5

SHA1
b4de15b0efaed6bf37254759526ea3e59523eb16

SHA256
2a60de1566e2ba26a583dfe1e24cbad657b18f413b5e67a4684ddd50ae9070a3

SHA512
97606cc9dabc9faa5aca1a61fa26960202914d098445abbe64a4ffe9f5def9bbef5b96298b3af59b74647f027a7f310948a93796ea8331721a8978640817d73e

Download Submit
C:\Windows\SysWOW64\SYSTEM\JOPEr.exe

Filesize
171KB

MD5
7ba01bd96d2870c48c886f898b1d43dd

SHA1
4cca4ade9db10a7a2f1c97c7ae5f227e9890e451

SHA256
7e0b313fcb9f1819a2e45dc0e68ff7c46918b2209ccd0ba60747767db8df5e46

SHA512
1be5554fcb278b8776cab66e29f35f6e95a11ed56f0cf799cea3526ac696bfd9022b69d44ba5ebf192a37dfa9ebd6e786dd5444fb519b21eeeab5ee1ed149f45

Download Submit
memory/2316-3-0x0000000013140000-0x0000000013168000-memory.dmp

Filesize
160KB

Download
memory/2316-2-0x0000000013140000-0x0000000013168000-memory.dmp

Filesize
160KB

Download
memory/2316-4-0x0000000013140000-0x0000000013168000-memory.dmp

Filesize
160KB

Download
memory/2316-5-0x0000000013140000-0x0000000013168000-memory.dmp

Filesize
160KB

Download
memory/2316-23-0x0000000013140000-0x0000000013168000-memory.dmp

Filesize
160KB

Download
memory/4640-31-0x0000000013140000-0x0000000013168000-memory.dmp

Filesize
160KB

Download
memory/5100-9-0x0000000013140000-0x0000000013168000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads