xtremerat | 1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

Analysis

max time kernel
188s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe
Size

40KB
MD5

5913e2dc1c1d0cdb54302a5c24433db6
SHA1

7cc331aa406baf20a74b4d932182368b1565fd65
SHA256

1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6
SHA512

0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717
SSDEEP

768:JhMKYD2IxcWxq2BR1jQWCGixWbPrKpZeCBOTrpjkwuUPCHNZBd2ct:rMBDtu6T/0WCMWpBOp1uqEb7

Score

10^/10

xtremerat aspackv2 persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 20 IoCs

resource	yara_rule
behavioral1/memory/976-63-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/976-66-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/976-71-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1568-86-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1568-87-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1568-90-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1840-102-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1840-104-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1716-117-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1716-121-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1312-133-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1312-136-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1724-148-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1724-151-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1924-163-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1924-164-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1924-166-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/752-180-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/752-183-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1508-197-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

ASPack v2.12-2.42 19 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000013a13-67.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-70.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-68.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-75.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-79.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-89.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-96.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-105.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-111.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-120.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-127.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-135.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-142.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-150.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-157.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-167.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-173.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-182.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-190.dat	aspack_v212_v242

Executes dropped EXE 16 IoCs

pid	Process
1368	Server.exe
1568	Server.exe
676	Server.exe
1840	Server.exe
1244	Server.exe
1716	Server.exe
632	Server.exe
1312	Server.exe
1588	Server.exe
1724	Server.exe
904	Server.exe
1924	Server.exe
1156	Server.exe
752	Server.exe
1724	Server.exe
1508	Server.exe

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/976-58-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/976-62-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/976-63-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/976-66-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/976-71-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1568-86-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1568-87-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1568-90-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1840-102-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1840-104-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1716-117-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1716-121-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1312-133-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1312-136-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1724-148-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1724-151-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1924-163-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1924-164-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1924-166-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/752-180-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/752-183-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1508-197-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe
976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe

Adds Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1312 set thread context of 976	1312	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	27
PID 1368 set thread context of 1568	1368	Server.exe	37
PID 676 set thread context of 1840	676	Server.exe	47
PID 1244 set thread context of 1716	1244	Server.exe	57
PID 632 set thread context of 1312	632	Server.exe	67
PID 1588 set thread context of 1724	1588	Server.exe	77
PID 904 set thread context of 1924	904	Server.exe	87
PID 1156 set thread context of 752	1156	Server.exe	97
PID 1724 set thread context of 1508	1724	Server.exe	107

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1312	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe
1368	Server.exe
676	Server.exe
1244	Server.exe
632	Server.exe
1588	Server.exe
904	Server.exe
1156	Server.exe
1724	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 976	1312	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	27
PID 1312 wrote to memory of 976	1312	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	27
PID 1312 wrote to memory of 976	1312	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	27
PID 1312 wrote to memory of 976	1312	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	27
PID 1312 wrote to memory of 976	1312	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	27
PID 1312 wrote to memory of 976	1312	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	27
PID 1312 wrote to memory of 976	1312	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	27
PID 1312 wrote to memory of 976	1312	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	27
PID 1312 wrote to memory of 976	1312	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	27
PID 976 wrote to memory of 1364	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	28
PID 976 wrote to memory of 1364	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	28
PID 976 wrote to memory of 1364	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	28
PID 976 wrote to memory of 1364	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	28
PID 976 wrote to memory of 1364	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	28
PID 976 wrote to memory of 1404	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	29
PID 976 wrote to memory of 1404	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	29
PID 976 wrote to memory of 1404	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	29
PID 976 wrote to memory of 1404	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	29
PID 976 wrote to memory of 1404	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	29
PID 976 wrote to memory of 1292	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	30
PID 976 wrote to memory of 1292	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	30
PID 976 wrote to memory of 1292	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	30
PID 976 wrote to memory of 1292	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	30
PID 976 wrote to memory of 1292	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	30
PID 976 wrote to memory of 1148	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	31
PID 976 wrote to memory of 1148	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	31
PID 976 wrote to memory of 1148	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	31
PID 976 wrote to memory of 1148	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	31
PID 976 wrote to memory of 1148	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	31
PID 976 wrote to memory of 1796	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	32
PID 976 wrote to memory of 1796	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	32
PID 976 wrote to memory of 1796	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	32
PID 976 wrote to memory of 1796	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	32
PID 976 wrote to memory of 1796	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	32
PID 976 wrote to memory of 596	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	33
PID 976 wrote to memory of 596	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	33
PID 976 wrote to memory of 596	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	33
PID 976 wrote to memory of 596	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	33
PID 976 wrote to memory of 596	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	33
PID 976 wrote to memory of 1520	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	34
PID 976 wrote to memory of 1520	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	34
PID 976 wrote to memory of 1520	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	34
PID 976 wrote to memory of 1520	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	34
PID 976 wrote to memory of 1520	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	34
PID 976 wrote to memory of 1640	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	35
PID 976 wrote to memory of 1640	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	35
PID 976 wrote to memory of 1640	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	35
PID 976 wrote to memory of 1640	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	35
PID 976 wrote to memory of 1368	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	36
PID 976 wrote to memory of 1368	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	36
PID 976 wrote to memory of 1368	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	36
PID 976 wrote to memory of 1368	976	1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe	36
PID 1368 wrote to memory of 1568	1368	Server.exe	37
PID 1368 wrote to memory of 1568	1368	Server.exe	37
PID 1368 wrote to memory of 1568	1368	Server.exe	37
PID 1368 wrote to memory of 1568	1368	Server.exe	37
PID 1368 wrote to memory of 1568	1368	Server.exe	37
PID 1368 wrote to memory of 1568	1368	Server.exe	37
PID 1368 wrote to memory of 1568	1368	Server.exe	37
PID 1368 wrote to memory of 1568	1368	Server.exe	37
PID 1368 wrote to memory of 1568	1368	Server.exe	37
PID 1568 wrote to memory of 328	1568	Server.exe	38
PID 1568 wrote to memory of 328	1568	Server.exe	38
PID 1568 wrote to memory of 328	1568	Server.exe	38

C:\Users\Admin\AppData\Local\Temp\1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe
"C:\Users\Admin\AppData\Local\Temp\1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6.exe
  2⤵
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1364
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1404
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1292
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1148
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1796
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:596
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1520
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1640
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\InstallDir\Server.exe
      4⤵
      Executes dropped EXE
      Modifies Installed Components in the registry
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:328
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1652
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1040
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1572
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1124
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:576
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:836
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:268
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:676
      - C:\Windows\InstallDir\Server.exe
        
        6⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1456
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Windows\InstallDir\Server.exe
        
        8⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1732
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:632
        
        C:\Windows\InstallDir\Server.exe
        
        10⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1012
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\InstallDir\Server.exe
        
        12⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1964
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Windows\InstallDir\Server.exe
        
        14⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:632
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Windows\InstallDir\Server.exe
        
        16⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:532
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Windows\InstallDir\Server.exe
        
        18⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
f5fe8cc151fd4ed9f72766457004b9ea

SHA1
793b5cac538d28413a0a50a259a06c013b4e7388

SHA256
283c6b279db5a562aab213c86be6888f1b4f1ff685518fa8c2bb803358cd777d

SHA512
aa8b36995df997461065d42d80acc482c587da411327b8023bc8d003562b9f8b7d5d2270aba67dc80c7293e3fe624819c3caaff862b60e933eb7c06f3ce6d638

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
f5fe8cc151fd4ed9f72766457004b9ea

SHA1
793b5cac538d28413a0a50a259a06c013b4e7388

SHA256
283c6b279db5a562aab213c86be6888f1b4f1ff685518fa8c2bb803358cd777d

SHA512
aa8b36995df997461065d42d80acc482c587da411327b8023bc8d003562b9f8b7d5d2270aba67dc80c7293e3fe624819c3caaff862b60e933eb7c06f3ce6d638

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
f5fe8cc151fd4ed9f72766457004b9ea

SHA1
793b5cac538d28413a0a50a259a06c013b4e7388

SHA256
283c6b279db5a562aab213c86be6888f1b4f1ff685518fa8c2bb803358cd777d

SHA512
aa8b36995df997461065d42d80acc482c587da411327b8023bc8d003562b9f8b7d5d2270aba67dc80c7293e3fe624819c3caaff862b60e933eb7c06f3ce6d638

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
f5fe8cc151fd4ed9f72766457004b9ea

SHA1
793b5cac538d28413a0a50a259a06c013b4e7388

SHA256
283c6b279db5a562aab213c86be6888f1b4f1ff685518fa8c2bb803358cd777d

SHA512
aa8b36995df997461065d42d80acc482c587da411327b8023bc8d003562b9f8b7d5d2270aba67dc80c7293e3fe624819c3caaff862b60e933eb7c06f3ce6d638

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
f5fe8cc151fd4ed9f72766457004b9ea

SHA1
793b5cac538d28413a0a50a259a06c013b4e7388

SHA256
283c6b279db5a562aab213c86be6888f1b4f1ff685518fa8c2bb803358cd777d

SHA512
aa8b36995df997461065d42d80acc482c587da411327b8023bc8d003562b9f8b7d5d2270aba67dc80c7293e3fe624819c3caaff862b60e933eb7c06f3ce6d638

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
\Windows\InstallDir\Server.exe

Filesize
40KB

MD5
5913e2dc1c1d0cdb54302a5c24433db6

SHA1
7cc331aa406baf20a74b4d932182368b1565fd65

SHA256
1b3ba70615d988ba8f8ef1bde16efaf54f7e0d1eac5cc6ab55b6ede4afeee0f6

SHA512
0680c556c53057858aeef16f81709fa730dbda527f9c4ad78d02a1c8554c78d4e97e63d1b4d9ad81820b34b02e197a5afa103179125e4c79300295b1ac87d717

Download Submit
memory/632-129-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/632-119-0x0000000000000000-mapping.dmp

Download
memory/676-98-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/676-88-0x0000000000000000-mapping.dmp

Download
memory/676-91-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/752-180-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/752-172-0x0000000000C93230-mapping.dmp

Download
memory/752-183-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/904-159-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/904-149-0x0000000000000000-mapping.dmp

Download
memory/976-71-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/976-63-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/976-62-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/976-59-0x0000000000C93230-mapping.dmp

Download
memory/976-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/976-58-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/976-61-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/976-66-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1156-174-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1156-165-0x0000000000000000-mapping.dmp

Download
memory/1244-103-0x0000000000000000-mapping.dmp

Download
memory/1244-113-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1312-136-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1312-126-0x0000000000C93230-mapping.dmp

Download
memory/1312-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1312-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1312-133-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1312-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1368-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1368-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1368-69-0x0000000000000000-mapping.dmp

Download
memory/1368-81-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1508-197-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1508-189-0x0000000000C93230-mapping.dmp

Download
memory/1568-90-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1568-78-0x0000000000C93230-mapping.dmp

Download
memory/1568-86-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1568-87-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1588-134-0x0000000000000000-mapping.dmp

Download
memory/1716-110-0x0000000000C93230-mapping.dmp

Download
memory/1716-121-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1716-117-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1724-151-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1724-187-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1724-148-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1724-141-0x0000000000C93230-mapping.dmp

Download
memory/1724-184-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1724-192-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1724-181-0x0000000000000000-mapping.dmp

Download
memory/1840-104-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1840-102-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1840-95-0x0000000000C93230-mapping.dmp

Download
memory/1924-156-0x0000000000C93230-mapping.dmp

Download
memory/1924-164-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1924-166-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1924-163-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads