Malware Analysis Report

2025-06-16 01:03

Sample ID 221123-rc34tagc64
Target 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964
SHA256 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964
Tags: xtremerat persistence rat spyware upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964

Threat Level: Known bad

The file 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware upx

XtremeRAT

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-23 14:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-23 14:03
Reported: 2022-11-23 15:11
Platform: win7-20221111-en
Max time kernel: 135s
Max time network: 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"

Signatures

XtremeRAT

persistence spyware rat xtremerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\{9043-8547-9771-90}\appinit.exe N/A  (2 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A  (7 matches; the static signature records no description, indicator, process or target)

Adds Run key to start application

persistence
Description Indicator (rows grouped by the writing process; Target is N/A for every row)

Process C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe"
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe"

Process C:\Windows\{9043-8547-9771-90}\appinit.exe
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe"
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe"

Process C:\Windows\SysWOW64\explorer.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe"
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe"

All twelve operations register the dropped copy C:\Windows\{9043-8547-9771-90}\appinit.exe for autostart in both the user's Run key and the machine Run key (32-bit view). The value names are themselves hive names: the HKCU entry is called "HKCU" and the HKLM entry "HKLM", which is an easy trait to hunt for. The explorer.exe writer is the SysWOW64 instance the sample writes into (see Suspicious use of WriteProcessMemory below), so the persistence is also re-set from a process that looks like the Windows shell.

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\{9043-8547-9771-90}\appinit.exe C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe N/A
File created C:\Windows\{9043-8547-9771-90}\appinit.exe C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe N/A
File opened for modification C:\Windows\{9043-8547-9771-90}\ C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe N/A
File opened for modification C:\Windows\{9043-8547-9771-90}\appinit.exe C:\Windows\{9043-8547-9771-90}\appinit.exe N/A
File opened for modification C:\Windows\{9043-8547-9771-90}\ C:\Windows\{9043-8547-9771-90}\appinit.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(identical rows collapsed; number of recorded writes in brackets)
PID 1828 wrote to memory of 1476 [12] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
PID 1476 wrote to memory of 1036 [4] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1476 wrote to memory of 700 [4] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 1476 wrote to memory of 1240 [4] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1476 wrote to memory of 1816 [4] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 1476 wrote to memory of 1876 [4] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1476 wrote to memory of 668 [4] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 1476 wrote to memory of 1760 [4] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1476 wrote to memory of 1872 [4] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 1476 wrote to memory of 1692 [4] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1476 wrote to memory of 340 [4] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 1476 wrote to memory of 1372 [4] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1476 wrote to memory of 796 [4] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 1476 wrote to memory of 1096 [4] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files\Internet Explorer\iexplore.exe

Two stages are visible. PID 1828 (the launched sample) writes twelve times into PID 1476, a second instance of its own image; PID 1476 then writes four times into each of 13 freshly started host processes (7 iexplore.exe, 6 explorer.exe). Read together with the "Suspicious use of SetThreadContext" signature in the summary, the first stage is consistent with process hollowing (write the payload, then redirect the child's thread), and the second stage is where the RAT code actually runs.

Processes

40 processes were recorded. Image path, command line and number of instances:

C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
"C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"
2 instances

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
18 instances

C:\Windows\SysWOW64\explorer.exe
explorer.exe
18 instances

C:\Windows\{9043-8547-9771-90}\appinit.exe
"C:\Windows\{9043-8547-9771-90}\appinit.exe"
2 instances

The explorer.exe instances are the 32-bit copy from SysWOW64, started with the bare command line explorer.exe; they are not the user's desktop shell (C:\Windows\explorer.exe). Both explorer.exe and iexplore.exe serve as injection hosts here (see Suspicious use of WriteProcessMemory above).

Network

Country Destination Domain Proto
N/A 67.215.4.72:5611 (none, direct IP) tcp

Files

Memory dumps (memory/<pid>-<event>-<address range>):
memory/1828-54-0x0000000075611000-0x0000000075613000-memory.dmp
memory/1828-55-0x0000000074610000-0x0000000074BBB000-memory.dmp
memory/1476-56-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1476-57-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1476-59-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1476-60-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1476-61-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1476-62-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1476-63-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1476-65-0x000000000116373E-mapping.dmp
memory/1828-67-0x0000000074610000-0x0000000074BBB000-memory.dmp
memory/1476-66-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1476-69-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1476-70-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1476-71-0x0000000000400000-0x000000000046F000-memory.dmp
memory/552-74-0x0000000000000000-mapping.dmp
memory/552-90-0x0000000073070000-0x000000007361B000-memory.dmp
memory/1656-87-0x000000000119373E-mapping.dmp
memory/1656-93-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1476-95-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1656-96-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1608-99-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1608-98-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1608-102-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1608-105-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1608-107-0x000000000171D0D0-mapping.dmp
memory/1608-108-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1608-110-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1608-112-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1608-111-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1608-115-0x00000000016C5000-0x000000000171E000-memory.dmp
memory/1608-116-0x0000000001611000-0x00000000016C5000-memory.dmp
memory/1656-117-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1608-118-0x00000000016C5000-0x000000000171E000-memory.dmp

Dropped files (each file listed once here; the report repeats the appinit.exe record five times, twice with the drive letter omitted, and the .nfo record twice, with identical hashes every time):

C:\Windows\{9043-8547-9771-90}\appinit.exe
MD5 2e1b2aaeaef46f92436616cf7912f931
SHA1 db8e74884c960d1bc297a6ae15f1aa30d958e3ce
SHA256 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964
SHA512 0290bd2b250b3c626b38648d83dad74b0f7fc124da63d58cf5fde1f0be86843bccec3ee94237b8b0d775eccdb32334e05a8ad9e93c8274468e0fbc9551546ea1
The SHA256 is that of the submitted sample: the dropper copies itself unchanged into the Windows directory and registers that copy in the Run keys.

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\E75qVgi25Ft3e12x\E75qVgi25Ft3e12x.nfo
MD5 05b1ef8e038e2ad1d7a1cd38e3af1302
SHA1 7ac8d37378cd67bdd7a42d4e732a67086ca091a5
SHA256 24d3a86d770068c5e3b2fed62815912faabd2ccf5a229b312406342d9318678b
SHA512 ed63c082f2708e552f0dd3dc7fb874ab52f37d5793005c8aeb4eb1a4a1281dfe0212853551e7a4ad588f96b24d002ffae33b55cf24b5ace52b4112b4353fe063

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\E75qVgi25Ft3e12x\E75qVgi25Ft3e12x.svr
MD5 ad69242f4bf9548496051bd95ac05e1e
SHA1 913292f6b83adf41337fd50201ad341500abc8b0
SHA256 2663fdfe0fe4c37532f919282d035579bf84a895be5971982437cffbd41bdb1b
SHA512 09bed3adc8427e4aeec4e32dfd0640da71d2839b62973e4bae94f0965c5836028511295d99be878af388789fc020117972c3cf51d5a2ef1899aeb9d43c2fd94e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\E75qVgi25Ft3e12x\E75qVgi25Ft3e12x.dat
MD5 93e00066d099c0485cfffa1359246d26
SHA1 bc69a773f37b2f2071e25f755a66d47b871e5d98
SHA256 3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde
SHA512 d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

The three data files share one per-install folder and one stem (E75qVgi25Ft3e12x) under the user's Roaming\Microsoft\Windows directory; the folder name, the .nfo/.svr/.dat set and the hashes above are the host-side indicators to sweep for alongside the Run-key values.
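
The Files section above repeats records (the same appinit.exe five times under two path spellings, the .nfo twice) and mixes them with memory-dump lines, so an analyst has to de-duplicate before the hashes are usable as indicators. The following is an added example, not code from the report or the sandbox vendor: it parses records in the flattened layout above, collapses them by SHA256, validates digest lengths, and flags the two facts worth noticing here, namely that the dropped appinit.exe has the submitted sample's SHA256 and that the .nfo/.svr/.dat files form a set in one per-install folder. FILES_SECTION copies the report's own records verbatim (one memory line, both spellings of the appinit.exe record, the .nfo, .svr and .dat records); the record format, the FileIoc class and the flag wording are this example's assumptions.

```python
"""De-duplicate and flag the dropped-file records of the report's Files section.

Added example, not part of the sandbox report. FILES_SECTION copies records
from the behavioral1 Files section verbatim: both path spellings of the
appinit.exe record (the report repeats it five times), the .nfo, .svr and
.dat records and one memory-dump line. The record format, FileIoc and the
flag wording are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

SAMPLE_SHA256 = "6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964"
FILES_SECTION = r"""
memory/1476-71-0x0000000000400000-0x000000000046F000-memory.dmp
\Windows\{9043-8547-9771-90}\appinit.exe
MD5 2e1b2aaeaef46f92436616cf7912f931
SHA1 db8e74884c960d1bc297a6ae15f1aa30d958e3ce
SHA256 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964
SHA512 0290bd2b250b3c626b38648d83dad74b0f7fc124da63d58cf5fde1f0be86843bccec3ee94237b8b0d775eccdb32334e05a8ad9e93c8274468e0fbc9551546ea1
C:\Windows\{9043-8547-9771-90}\appinit.exe
MD5 2e1b2aaeaef46f92436616cf7912f931
SHA1 db8e74884c960d1bc297a6ae15f1aa30d958e3ce
SHA256 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964
SHA512 0290bd2b250b3c626b38648d83dad74b0f7fc124da63d58cf5fde1f0be86843bccec3ee94237b8b0d775eccdb32334e05a8ad9e93c8274468e0fbc9551546ea1
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\E75qVgi25Ft3e12x\E75qVgi25Ft3e12x.nfo
MD5 05b1ef8e038e2ad1d7a1cd38e3af1302
SHA1 7ac8d37378cd67bdd7a42d4e732a67086ca091a5
SHA256 24d3a86d770068c5e3b2fed62815912faabd2ccf5a229b312406342d9318678b
SHA512 ed63c082f2708e552f0dd3dc7fb874ab52f37d5793005c8aeb4eb1a4a1281dfe0212853551e7a4ad588f96b24d002ffae33b55cf24b5ace52b4112b4353fe063
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\E75qVgi25Ft3e12x\E75qVgi25Ft3e12x.svr
MD5 ad69242f4bf9548496051bd95ac05e1e
SHA1 913292f6b83adf41337fd50201ad341500abc8b0
SHA256 2663fdfe0fe4c37532f919282d035579bf84a895be5971982437cffbd41bdb1b
SHA512 09bed3adc8427e4aeec4e32dfd0640da71d2839b62973e4bae94f0965c5836028511295d99be878af388789fc020117972c3cf51d5a2ef1899aeb9d43c2fd94e
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\E75qVgi25Ft3e12x\E75qVgi25Ft3e12x.dat
MD5 93e00066d099c0485cfffa1359246d26
SHA1 bc69a773f37b2f2071e25f755a66d47b871e5d98
SHA256 3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde
SHA512 d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
# Per-install store as seen in this report: <Roaming>\Microsoft\Windows\<folder>\<folder>.{nfo,svr,dat}
_STORE_DIR = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\([^\\]+)$", re.I)
STORE_EXTS = {".nfo", ".svr", ".dat"}

@dataclass
class FileIoc:
    sha256: str
    hashes: dict[str, str]
    paths: list[str] = field(default_factory=list)   # every spelling the report used
    seen: int = 0                                    # how many times the report listed it
    flags: list[str] = field(default_factory=list)

def parse_files(text: str) -> list[dict[str, str]]:
    """One record per path line plus the hash lines that follow it; memory dumps are skipped."""
    records: list[dict[str, str]] = []
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("memory/"):
            continue
        m = _HASH.match(line)
        if m is None:                                        # any non-hash line starts a record
            current = {"path": line}
            records.append(current)
        elif current is None:
            raise ValueError(f"hash line before any path: {line!r}")
        elif len(m.group(2)) != HASH_LEN[m.group(1)]:         # catches truncated copy-paste
            raise ValueError(f"{m.group(1)} digest truncated in {current['path']}")
        else:
            current[m.group(1)] = m.group(2).lower()
    return records

def dedupe(records: list[dict[str, str]], sample_sha256: str) -> dict[str, FileIoc]:
    """Collapse repeated records by SHA256, then attach analyst flags."""
    iocs: dict[str, FileIoc] = {}
    for r in records:
        ioc = iocs.setdefault(r["SHA256"], FileIoc(r["SHA256"], {a: r[a] for a in HASH_LEN if a in r}))
        ioc.seen += 1
        if r["path"] not in ioc.paths:
            ioc.paths.append(r["path"])
    stores: dict[str, list[FileIoc]] = {}
    for ioc in iocs.values():
        if ioc.sha256 == sample_sha256.lower():
            ioc.flags.append("identical to the submitted sample (self-copy)")
        for p in ioc.paths:
            directory, _, name = p.rpartition("\\")
            stem, _, ext = name.rpartition(".")
            m = _STORE_DIR.search(directory)
            if m and stem.lower() == m.group(1).lower() and "." + ext.lower() in STORE_EXTS:
                stores.setdefault(directory.lower(), []).append(ioc)
    for directory, members in stores.items():
        if len(members) >= 2:                                # a set, not a lone stray file
            for ioc in members:
                ioc.flags.append(f"member of a {len(members)}-file .nfo/.svr/.dat store in {directory}")
    return iocs
```

Running dedupe(parse_files(FILES_SECTION), SAMPLE_SHA256) yields four unique files from five records: the appinit.exe entry carries both path spellings and the self-copy flag, and the .nfo, .svr and .dat entries are flagged as one three-file store. The length check matters in practice because hashes copied out of rendered reports are often truncated by the viewer.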

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-23 14:03
Reported: 2022-11-23 15:10
Platform: win10v2004-20220901-en
Max time kernel: 91s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"

Signatures

XtremeRAT

persistence spyware rat xtremerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\{9043-8547-9771-90}\appinit.exe N/A  (2 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe" C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe" C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe N/A
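
The Run-key rows in this table and in the behavioral1 table above carry the same three traits: the autostart target sits in a brace-named folder directly under C:\Windows, the value names are literally "HKCU" and "HKLM", and (in behavioral1) the value is also written by an explorer.exe the sample injected into. The following is an added example, not code from the report or the sandbox vendor: it parses rows in the flattened "Description Indicator Process Target" layout, normalises the NT registry paths (\REGISTRY\USER\<SID> to HKCU, \REGISTRY\MACHINE to HKLM, with or without the WOW6432Node view, whose casing differs between the two detonations), and reports those traits per autostart target. ROWS are rebuilt from the two tables; the row grammar, the RunEntry class and the flag wording are this example's assumptions.

```python
"""Flag XtremeRAT-style Run-key persistence in the report's registry rows.

Added example, not part of the sandbox report. ROWS are rebuilt from the
'Adds Run key to start application' tables of behavioral1 and behavioral2;
the row grammar, RunEntry and flag() are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"
DROPPED = r"C:\Windows\{9043-8547-9771-90}\appinit.exe"
EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"
SID1 = "S-1-5-21-3406023954-474543476-3319432036-1000"  # behavioral1 (Win7) user
SID2 = "S-1-5-21-929662420-1054238289-2961194603-1000"  # behavioral2 (Win10) user
RUN_HKCU = r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"\REGISTRY\MACHINE\SOFTWARE\%s\Microsoft\Windows\CurrentVersion\Run"
DATA = r'"C:\\Windows\\{9043-8547-9771-90}\\appinit.exe"'  # backslashes doubled as the report prints them

ROWS = [  # Description Indicator Process Target, as the report flattens them
    "Key created " + RUN_HKCU % SID1 + " " + SAMPLE + " N/A",
    "Set value (str) " + RUN_HKCU % SID1 + r"\HKCU = " + DATA + " " + SAMPLE + " N/A",
    "Set value (str) " + RUN_HKCU % SID1 + r"\HKCU = " + DATA + " " + DROPPED + " N/A",
    "Set value (str) " + RUN_HKLM % "Wow6432Node" + r"\HKLM = " + DATA + " " + EXPLORER + " N/A",
    "Set value (str) " + RUN_HKCU % SID1 + r"\HKCU = " + DATA + " " + EXPLORER + " N/A",
    "Set value (str) " + RUN_HKLM % "Wow6432Node" + r"\HKLM = " + DATA + " " + SAMPLE + " N/A",
    "Set value (str) " + RUN_HKLM % "Wow6432Node" + r"\HKLM = " + DATA + " " + DROPPED + " N/A",
    "Set value (str) " + RUN_HKLM % "WOW6432Node" + r"\HKLM = " + DATA + " " + SAMPLE + " N/A",
    "Set value (str) " + RUN_HKCU % SID2 + r"\HKCU = " + DATA + " " + SAMPLE + " N/A",
]

# 'Set value (<type>) <key>\<name> = "<data>" <process> N/A'; the process path may contain spaces.
_ROW = re.compile(r'^Set value \(\w+\) (.+?)\\([^\\ ]+) = "(.*)" (\S.*?) N/A$')
_USER = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\(.*)$", re.I)
_MACHINE = re.compile(r"^\\REGISTRY\\MACHINE\\(.*)$", re.I)
# The Run key, with or without the WOW6432Node view that 32-bit writers land in.
_RUN = re.compile(r"^SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
# A brace-named directory directly under the Windows directory, e.g. C:\Windows\{9043-8547-9771-90}\x.exe
_BRACE_DIR = re.compile(r"^[A-Z]:\\Windows\\\{[0-9A-F-]+\}\\[^\\]+$", re.I)

@dataclass(frozen=True)
class RunEntry:
    hive: str            # "HKCU" or "HKLM"
    sid: Optional[str]   # user SID for HKCU entries
    name: str            # value name
    data: str            # autostart command with the report's escaping undone
    process: str         # process that performed the write

def parse_row(row: str) -> Optional[RunEntry]:
    """Return a RunEntry for a Run-key 'Set value' row, None for anything else."""
    m = _ROW.match(row)
    if not m:
        return None  # 'Key created' rows carry no value to inspect
    key, name, data, process = m.groups()
    user = _USER.match(key)
    if user:
        hive, sid, sub = "HKCU", user.group(1), user.group(2)
    else:
        machine = _MACHINE.match(key)
        if not machine:
            return None
        hive, sid, sub = "HKLM", None, machine.group(1)
    if not _RUN.match(sub):
        return None
    return RunEntry(hive, sid, name, data.replace("\\\\", "\\"), process)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def flag(entries: list[RunEntry]) -> dict[str, list[str]]:
    """Group entries by autostart target and list the suspicious traits seen for each."""
    notes: dict[str, set[str]] = {}
    hives: dict[str, set[str]] = {}
    for e in entries:
        n = notes.setdefault(e.data, set())
        hives.setdefault(e.data, set()).add(e.hive)
        if e.name.upper() in ("HKCU", "HKLM"):
            n.add(f"value name '{e.name}' mimics a hive name")
        if _BRACE_DIR.match(e.data):
            n.add("target lives in a brace-named directory directly under C:\\Windows")
        if basename(e.process) != basename(e.data):
            n.add(f"written by {basename(e.process)}, not by the registered image")
    for target, seen in hives.items():
        if seen == {"HKCU", "HKLM"}:
            notes[target].add("registered in both HKCU and HKLM")
    return {t: sorted(n) for t, n in notes.items()}

if __name__ == "__main__":
    found = [e for e in map(parse_row, ROWS) if e]
    for target, traits in flag(found).items():
        print(target)
        for t in traits:
            print("  -", t)
```

On these rows all eight "Set value" operations resolve to the single target C:\Windows\{9043-8547-9771-90}\appinit.exe, and flag() reports six traits for it: the hive-named values HKCU and HKLM, the brace-named directory, registration in both hives, and writes by two processes other than appinit.exe itself (the sample and explorer.exe). The same normalisation applies unchanged to Sysmon event 13 or a .reg export, which is where the check is useful outside the sandbox.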

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\{9043-8547-9771-90}\ C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe N/A
File opened for modification C:\Windows\{9043-8547-9771-90}\appinit.exe C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe N/A
File created C:\Windows\{9043-8547-9771-90}\appinit.exe C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(identical rows collapsed; number of recorded writes in brackets)
PID 4252 wrote to memory of 4336 [3] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
PID 4252 wrote to memory of 3968 [12] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
PID 3968 wrote to memory of 3656 [2] N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

The same two-stage pattern as in behavioral1: the launched sample (PID 4252) writes into two fresh instances of its own image, and the second one (PID 3968, twelve writes, the same count seen on Windows 7) goes on to write into a 32-bit msedge.exe, the Windows 10 counterpart of the iexplore.exe/explorer.exe hosts used in behavioral1.
PID 3968 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe
PID 3968 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3968 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe

"C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"

C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe

"C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"

C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe

"C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\{9043-8547-9771-90}\appinit.exe

"C:\Windows\{9043-8547-9771-90}\appinit.exe"

C:\Windows\{9043-8547-9771-90}\appinit.exe

"C:\Windows\{9043-8547-9771-90}\appinit.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1032 -ip 1032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1032 -ip 1032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 56

Network

Country Destination Domain Proto
N/A 2.18.109.224:443 tcp
N/A 20.50.80.209:443 tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 8.8.8.8:53 226.101.242.52.in-addr.arpa udp

Files

memory/4252-132-0x0000000074F10000-0x00000000754C1000-memory.dmp

memory/3968-133-0x0000000000000000-mapping.dmp

memory/3968-134-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3968-135-0x0000000000400000-0x000000000046F000-memory.dmp

memory/4252-136-0x0000000074F10000-0x00000000754C1000-memory.dmp

memory/3968-137-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3968-138-0x0000000000400000-0x000000000046F000-memory.dmp

memory/5004-139-0x0000000000000000-mapping.dmp

C:\Windows\{9043-8547-9771-90}\appinit.exe

MD5 2e1b2aaeaef46f92436616cf7912f931
SHA1 db8e74884c960d1bc297a6ae15f1aa30d958e3ce
SHA256 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964
SHA512 0290bd2b250b3c626b38648d83dad74b0f7fc124da63d58cf5fde1f0be86843bccec3ee94237b8b0d775eccdb32334e05a8ad9e93c8274468e0fbc9551546ea1

C:\Windows\{9043-8547-9771-90}\appinit.exe

MD5 2e1b2aaeaef46f92436616cf7912f931
SHA1 db8e74884c960d1bc297a6ae15f1aa30d958e3ce
SHA256 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964
SHA512 0290bd2b250b3c626b38648d83dad74b0f7fc124da63d58cf5fde1f0be86843bccec3ee94237b8b0d775eccdb32334e05a8ad9e93c8274468e0fbc9551546ea1

memory/1032-142-0x0000000000000000-mapping.dmp

C:\Windows\{9043-8547-9771-90}\appinit.exe

MD5 2e1b2aaeaef46f92436616cf7912f931
SHA1 db8e74884c960d1bc297a6ae15f1aa30d958e3ce
SHA256 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964
SHA512 0290bd2b250b3c626b38648d83dad74b0f7fc124da63d58cf5fde1f0be86843bccec3ee94237b8b0d775eccdb32334e05a8ad9e93c8274468e0fbc9551546ea1

memory/5004-144-0x00000000732A0000-0x0000000073851000-memory.dmp

memory/3968-145-0x0000000000400000-0x000000000046F000-memory.dmp