xtremerat | 865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe
Size

118KB
MD5

5177f64dcb7ee531eb5a96039656feda
SHA1

8affb58b0b0a489839c253b50c8bf0b371de971d
SHA256

865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816
SHA512

52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca
SSDEEP

3072:YkYprM/xfKhNDbqWfHjghSWAif82nLW6jN:0YKhNDbTghSWAifHd

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

torrentt.no-ip.info

Signatures

Detect XtremeRAT payload 35 IoCs

resource	yara_rule
behavioral1/memory/932-60-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/932-63-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/932-62-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/932-61-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/932-59-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/932-64-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/932-65-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/932-66-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/932-68-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/932-70-0x0000000000C81000-0x0000000000C8A000-memory.dmp	family_xtremerat
behavioral1/memory/556-73-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral1/memory/556-76-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1144-90-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/1924-108-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/1568-126-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/1028-145-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/2000-163-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/268-182-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/1912-201-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/1368-220-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/2012-239-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/1968-257-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/1520-276-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/2012-294-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/1144-313-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/860-332-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/460-351-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/888-368-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/2152-386-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/2316-406-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/2480-424-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/2644-443-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/2816-462-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/2988-481-0x0000000000C888F4-mapping.dmp	family_xtremerat
behavioral1/memory/2120-499-0x0000000000C888F4-mapping.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 46 IoCs

pid	Process
1180	Server.exe
1144	Server.exe
1480	Server.exe
1924	Server.exe
1440	Server.exe
1568	Server.exe
1448	Server.exe
1028	Server.exe
1540	Server.exe
2000	Server.exe
648	Server.exe
268	Server.exe
1520	Server.exe
1912	Server.exe
756	Server.exe
1368	Server.exe
1996	Server.exe
2012	Server.exe
1480	Server.exe
1968	Server.exe
1060	Server.exe
1520	Server.exe
1956	Server.exe
2012	Server.exe
240	Server.exe
1144	Server.exe
1644	Server.exe
860	Server.exe
1588	Server.exe
460	Server.exe
1900	Server.exe
888	Server.exe
2112	Server.exe
2152	Server.exe
2276	Server.exe
2316	Server.exe
2440	Server.exe
2480	Server.exe
2604	Server.exe
2644	Server.exe
2776	Server.exe
2816	Server.exe
2948	Server.exe
2988	Server.exe
1032	Server.exe
2120	Server.exe

Modifies Installed Components in the registry 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q11T5B6O-87WO-0X08-15QD-F885551E78K5}	Server.exe

Loads dropped DLL 1 IoCs

pid	Process
556	svchost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe

Suspicious use of SetThreadContext 24 IoCs

description	pid	Process	procid_target
PID 1064 set thread context of 932	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	28
PID 1180 set thread context of 1144	1180	Server.exe	39
PID 1480 set thread context of 1924	1480	Server.exe	45
PID 1440 set thread context of 1568	1440	Server.exe	51
PID 1448 set thread context of 1028	1448	Server.exe	57
PID 1540 set thread context of 2000	1540	Server.exe	63
PID 648 set thread context of 268	648	Server.exe	69
PID 1520 set thread context of 1912	1520	Server.exe	75
PID 756 set thread context of 1368	756	Server.exe	81
PID 1996 set thread context of 2012	1996	Server.exe	87
PID 1480 set thread context of 1968	1480	Server.exe	93
PID 1060 set thread context of 1520	1060	Server.exe	99
PID 1956 set thread context of 2012	1956	Server.exe	105
PID 240 set thread context of 1144	240	Server.exe	111
PID 1644 set thread context of 860	1644	Server.exe	117
PID 1588 set thread context of 460	1588	Server.exe	123
PID 1900 set thread context of 888	1900	Server.exe	129
PID 2112 set thread context of 2152	2112	Server.exe	135
PID 2276 set thread context of 2316	2276	Server.exe	140
PID 2440 set thread context of 2480	2440	Server.exe	147
PID 2604 set thread context of 2644	2604	Server.exe	152
PID 2776 set thread context of 2816	2776	Server.exe	159
PID 2948 set thread context of 2988	2948	Server.exe	164
PID 1032 set thread context of 2120	1032	Server.exe	170

Drops file in Windows directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File created	C:\Windows\InstallDir\Server.exe	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe
Token: SeDebugPrivilege	1180	Server.exe
Token: SeDebugPrivilege	1480	Server.exe
Token: SeDebugPrivilege	1440	Server.exe
Token: SeDebugPrivilege	1448	Server.exe
Token: SeDebugPrivilege	1540	Server.exe
Token: SeDebugPrivilege	648	Server.exe
Token: SeDebugPrivilege	1520	Server.exe
Token: SeDebugPrivilege	756	Server.exe
Token: SeDebugPrivilege	1996	Server.exe
Token: SeDebugPrivilege	1480	Server.exe
Token: SeDebugPrivilege	1060	Server.exe
Token: SeDebugPrivilege	1956	Server.exe
Token: SeDebugPrivilege	240	Server.exe
Token: SeDebugPrivilege	1644	Server.exe
Token: SeDebugPrivilege	1588	Server.exe
Token: SeDebugPrivilege	1900	Server.exe
Token: SeDebugPrivilege	2112	Server.exe
Token: SeDebugPrivilege	2276	Server.exe
Token: SeDebugPrivilege	2440	Server.exe
Token: SeDebugPrivilege	2604	Server.exe
Token: SeDebugPrivilege	2776	Server.exe
Token: SeDebugPrivilege	2948	Server.exe
Token: SeDebugPrivilege	1032	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 968	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	27
PID 1064 wrote to memory of 968	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	27
PID 1064 wrote to memory of 968	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	27
PID 1064 wrote to memory of 968	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	27
PID 1064 wrote to memory of 932	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	28
PID 1064 wrote to memory of 932	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	28
PID 1064 wrote to memory of 932	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	28
PID 1064 wrote to memory of 932	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	28
PID 1064 wrote to memory of 932	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	28
PID 1064 wrote to memory of 932	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	28
PID 1064 wrote to memory of 932	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	28
PID 1064 wrote to memory of 932	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	28
PID 1064 wrote to memory of 932	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	28
PID 1064 wrote to memory of 932	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	28
PID 1064 wrote to memory of 932	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	28
PID 1064 wrote to memory of 932	1064	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	28
PID 932 wrote to memory of 556	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	29
PID 932 wrote to memory of 556	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	29
PID 932 wrote to memory of 556	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	29
PID 932 wrote to memory of 556	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	29
PID 932 wrote to memory of 556	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	29
PID 932 wrote to memory of 1936	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	30
PID 932 wrote to memory of 1936	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	30
PID 932 wrote to memory of 1936	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	30
PID 932 wrote to memory of 1936	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	30
PID 932 wrote to memory of 1936	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	30
PID 932 wrote to memory of 1496	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	31
PID 932 wrote to memory of 1496	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	31
PID 932 wrote to memory of 1496	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	31
PID 932 wrote to memory of 1496	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	31
PID 932 wrote to memory of 1496	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	31
PID 932 wrote to memory of 1488	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	32
PID 932 wrote to memory of 1488	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	32
PID 932 wrote to memory of 1488	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	32
PID 932 wrote to memory of 1488	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	32
PID 932 wrote to memory of 1488	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	32
PID 932 wrote to memory of 1672	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	33
PID 932 wrote to memory of 1672	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	33
PID 932 wrote to memory of 1672	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	33
PID 932 wrote to memory of 1672	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	33
PID 932 wrote to memory of 1672	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	33
PID 932 wrote to memory of 816	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	34
PID 932 wrote to memory of 816	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	34
PID 932 wrote to memory of 816	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	34
PID 932 wrote to memory of 816	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	34
PID 932 wrote to memory of 816	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	34
PID 932 wrote to memory of 612	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	35
PID 932 wrote to memory of 612	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	35
PID 932 wrote to memory of 612	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	35
PID 932 wrote to memory of 612	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	35
PID 932 wrote to memory of 612	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	35
PID 932 wrote to memory of 1000	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	36
PID 932 wrote to memory of 1000	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	36
PID 932 wrote to memory of 1000	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	36
PID 932 wrote to memory of 1000	932	865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe	36
PID 556 wrote to memory of 1180	556	svchost.exe	37
PID 556 wrote to memory of 1180	556	svchost.exe	37
PID 556 wrote to memory of 1180	556	svchost.exe	37
PID 556 wrote to memory of 1180	556	svchost.exe	37
PID 1180 wrote to memory of 1612	1180	Server.exe	38
PID 1180 wrote to memory of 1612	1180	Server.exe	38
PID 1180 wrote to memory of 1612	1180	Server.exe	38
PID 1180 wrote to memory of 1612	1180	Server.exe	38
PID 1180 wrote to memory of 1144	1180	Server.exe	39

C:\Users\Admin\AppData\Local\Temp\865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe
"C:\Users\Admin\AppData\Local\Temp\865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe
  865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe
  2⤵
  PID:968
- C:\Users\Admin\AppData\Local\Temp\865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe
  865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816.exe
  2⤵
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:1612
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1144
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1748
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2004
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:392
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1480
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:548
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1924
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1096
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:840
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1280
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1440
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:1564
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1568
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:552
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:716
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1876
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1448
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:1576
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1028
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1180
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1444
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1960
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1540
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:1604
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2000
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:604
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1708
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1704
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:648
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:564
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:268
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:720
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1148
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1984
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1520
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:2036
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1504
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1464
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:756
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:1420
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1368
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1524
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:432
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1996
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:1448
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2012
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:288
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1236
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1632
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1480
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:1008
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1968
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1568
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1676
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1060
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:2008
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1520
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1492
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1744
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1956
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:1184
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2012
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1440
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1060
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:856
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:240
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:1896
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1144
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1036
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1520
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2028
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1644
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:1924
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1684
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1968
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1396
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1864
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2024
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1588
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:2016
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        
        PID:460
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1900
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:1368
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:888
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2080
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2096
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2104
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2112
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:2144
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2152
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2244
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2260
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2268
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2276
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2316
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2408
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2424
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2432
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:2308
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2440
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:2472
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2480
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2588
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2596
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2604
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2644
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2744
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2768
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:2636
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2776
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:2808
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2816
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2916
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2932
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2940
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2948
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2988
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2052
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1456
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1596
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:2980
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1032
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2120
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2228
    - - C:\Windows\InstallDir\Server.exe
        
        Server.exe
        5⤵
        
        PID:1376
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1936
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1496
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1488
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1672
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:816
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:612
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NG2Xj.cfg

Filesize
1KB

MD5
1137d66faa4f443d2e4aecd36c7bf5c0

SHA1
bddd827be94f766640897bd0da2c842b7a409817

SHA256
5c19b0088fe64bc2564ea7b615136dc2c0717ab2a43edf88ae24057937fe3f9e

SHA512
460f0aa60d515b90b492d2fd6e6c52902ca147a7bb9d162abb4de82c417c5883a8f7db658c138b9425051ea79ad3549dbe0723b3fcbdb9ce0c0baf80b7a931cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NG2Xj.cfg

Filesize
1KB

MD5
1137d66faa4f443d2e4aecd36c7bf5c0

SHA1
bddd827be94f766640897bd0da2c842b7a409817

SHA256
5c19b0088fe64bc2564ea7b615136dc2c0717ab2a43edf88ae24057937fe3f9e

SHA512
460f0aa60d515b90b492d2fd6e6c52902ca147a7bb9d162abb4de82c417c5883a8f7db658c138b9425051ea79ad3549dbe0723b3fcbdb9ce0c0baf80b7a931cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NG2Xj.cfg

Filesize
1KB

MD5
1137d66faa4f443d2e4aecd36c7bf5c0

SHA1
bddd827be94f766640897bd0da2c842b7a409817

SHA256
5c19b0088fe64bc2564ea7b615136dc2c0717ab2a43edf88ae24057937fe3f9e

SHA512
460f0aa60d515b90b492d2fd6e6c52902ca147a7bb9d162abb4de82c417c5883a8f7db658c138b9425051ea79ad3549dbe0723b3fcbdb9ce0c0baf80b7a931cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NG2Xj.cfg

Filesize
1KB

MD5
1137d66faa4f443d2e4aecd36c7bf5c0

SHA1
bddd827be94f766640897bd0da2c842b7a409817

SHA256
5c19b0088fe64bc2564ea7b615136dc2c0717ab2a43edf88ae24057937fe3f9e

SHA512
460f0aa60d515b90b492d2fd6e6c52902ca147a7bb9d162abb4de82c417c5883a8f7db658c138b9425051ea79ad3549dbe0723b3fcbdb9ce0c0baf80b7a931cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NG2Xj.cfg

Filesize
1KB

MD5
1137d66faa4f443d2e4aecd36c7bf5c0

SHA1
bddd827be94f766640897bd0da2c842b7a409817

SHA256
5c19b0088fe64bc2564ea7b615136dc2c0717ab2a43edf88ae24057937fe3f9e

SHA512
460f0aa60d515b90b492d2fd6e6c52902ca147a7bb9d162abb4de82c417c5883a8f7db658c138b9425051ea79ad3549dbe0723b3fcbdb9ce0c0baf80b7a931cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NG2Xj.cfg

Filesize
1KB

MD5
1137d66faa4f443d2e4aecd36c7bf5c0

SHA1
bddd827be94f766640897bd0da2c842b7a409817

SHA256
5c19b0088fe64bc2564ea7b615136dc2c0717ab2a43edf88ae24057937fe3f9e

SHA512
460f0aa60d515b90b492d2fd6e6c52902ca147a7bb9d162abb4de82c417c5883a8f7db658c138b9425051ea79ad3549dbe0723b3fcbdb9ce0c0baf80b7a931cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NG2Xj.cfg

Filesize
1KB

MD5
1137d66faa4f443d2e4aecd36c7bf5c0

SHA1
bddd827be94f766640897bd0da2c842b7a409817

SHA256
5c19b0088fe64bc2564ea7b615136dc2c0717ab2a43edf88ae24057937fe3f9e

SHA512
460f0aa60d515b90b492d2fd6e6c52902ca147a7bb9d162abb4de82c417c5883a8f7db658c138b9425051ea79ad3549dbe0723b3fcbdb9ce0c0baf80b7a931cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NG2Xj.cfg

Filesize
1KB

MD5
1137d66faa4f443d2e4aecd36c7bf5c0

SHA1
bddd827be94f766640897bd0da2c842b7a409817

SHA256
5c19b0088fe64bc2564ea7b615136dc2c0717ab2a43edf88ae24057937fe3f9e

SHA512
460f0aa60d515b90b492d2fd6e6c52902ca147a7bb9d162abb4de82c417c5883a8f7db658c138b9425051ea79ad3549dbe0723b3fcbdb9ce0c0baf80b7a931cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NG2Xj.cfg

Filesize
1KB

MD5
1137d66faa4f443d2e4aecd36c7bf5c0

SHA1
bddd827be94f766640897bd0da2c842b7a409817

SHA256
5c19b0088fe64bc2564ea7b615136dc2c0717ab2a43edf88ae24057937fe3f9e

SHA512
460f0aa60d515b90b492d2fd6e6c52902ca147a7bb9d162abb4de82c417c5883a8f7db658c138b9425051ea79ad3549dbe0723b3fcbdb9ce0c0baf80b7a931cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NG2Xj.cfg

Filesize
1KB

MD5
1137d66faa4f443d2e4aecd36c7bf5c0

SHA1
bddd827be94f766640897bd0da2c842b7a409817

SHA256
5c19b0088fe64bc2564ea7b615136dc2c0717ab2a43edf88ae24057937fe3f9e

SHA512
460f0aa60d515b90b492d2fd6e6c52902ca147a7bb9d162abb4de82c417c5883a8f7db658c138b9425051ea79ad3549dbe0723b3fcbdb9ce0c0baf80b7a931cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NG2Xj.cfg

Filesize
1KB

MD5
1137d66faa4f443d2e4aecd36c7bf5c0

SHA1
bddd827be94f766640897bd0da2c842b7a409817

SHA256
5c19b0088fe64bc2564ea7b615136dc2c0717ab2a43edf88ae24057937fe3f9e

SHA512
460f0aa60d515b90b492d2fd6e6c52902ca147a7bb9d162abb4de82c417c5883a8f7db658c138b9425051ea79ad3549dbe0723b3fcbdb9ce0c0baf80b7a931cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NG2Xj.cfg

Filesize
1KB

MD5
1137d66faa4f443d2e4aecd36c7bf5c0

SHA1
bddd827be94f766640897bd0da2c842b7a409817

SHA256
5c19b0088fe64bc2564ea7b615136dc2c0717ab2a43edf88ae24057937fe3f9e

SHA512
460f0aa60d515b90b492d2fd6e6c52902ca147a7bb9d162abb4de82c417c5883a8f7db658c138b9425051ea79ad3549dbe0723b3fcbdb9ce0c0baf80b7a931cb

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
\Windows\InstallDir\Server.exe

Filesize
118KB

MD5
5177f64dcb7ee531eb5a96039656feda

SHA1
8affb58b0b0a489839c253b50c8bf0b371de971d

SHA256
865ee3d67afe1fd11fbb5906094d7fb9ed1712f53678d49edc092657bd46d816

SHA512
52b06d5df1655f179c96f2f9bf8be71e941bd811dd89ad54ec2b780b9b6fc5bd5c768de4961e3904fd62bce0c576c136eb5b294575c350f15b10f26a996022ca

Download Submit
memory/240-319-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/240-316-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/556-76-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/648-188-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download
memory/648-186-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download
memory/756-225-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download
memory/932-68-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/932-59-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/932-63-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/932-60-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/932-57-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/932-62-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/932-64-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/932-61-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/932-66-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/932-70-0x0000000000C81000-0x0000000000C8A000-memory.dmp

Filesize
36KB

Download
memory/932-56-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1032-504-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1060-279-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1064-69-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1064-55-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1440-131-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1448-149-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-262-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-112-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-205-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1540-168-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1588-355-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1644-336-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download
memory/1900-373-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-299-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-244-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2112-391-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2276-411-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download
memory/2276-403-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download
memory/2440-429-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2604-448-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-467-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-461-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2948-486-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads