Malware Analysis Report

2025-06-16 01:05

Sample ID 221123-y8q8fscb79
Target 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4
SHA256 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4
Tags
xtremerat persistence rat spyware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4

Threat Level: Known bad

The file 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware upx

Detect XtremeRAT payload

XtremeRAT

Modifies Installed Components in the registry

UPX packed file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-23 20:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-23 20:27

Reported

2022-11-23 23:33

Platform

win7-20221111-en

Max time kernel

148s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe"

Signatures

Detect XtremeRAT payload


XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\SysWOW64\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\Server.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\SysWOW64\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
File created C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1364 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 1364 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 1364 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 1364 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 1364 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 1364 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 1364 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 1364 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 1364 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 1364 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 1364 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 1364 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 1596 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\svchost.exe
PID 1596 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\svchost.exe
PID 1596 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\svchost.exe
PID 1596 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\svchost.exe
PID 1596 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\svchost.exe
PID 1596 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1596 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1596 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1596 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1596 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\explorer.exe
PID 1596 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\explorer.exe
PID 1596 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\explorer.exe
PID 1596 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\explorer.exe
PID 1596 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\explorer.exe
PID 944 wrote to memory of 1340 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\InstallDir\Server.exe
PID 944 wrote to memory of 1340 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\InstallDir\Server.exe
PID 944 wrote to memory of 1340 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\InstallDir\Server.exe
PID 944 wrote to memory of 1340 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\InstallDir\Server.exe
PID 1116 wrote to memory of 1824 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 1116 wrote to memory of 1824 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 1116 wrote to memory of 1824 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 1116 wrote to memory of 1824 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 1116 wrote to memory of 1556 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 1116 wrote to memory of 1556 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 1116 wrote to memory of 1556 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 1116 wrote to memory of 1556 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 1340 wrote to memory of 1984 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1340 wrote to memory of 1984 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1340 wrote to memory of 1984 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1340 wrote to memory of 1984 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1340 wrote to memory of 1984 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1340 wrote to memory of 1984 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1340 wrote to memory of 1984 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1340 wrote to memory of 1984 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1340 wrote to memory of 1984 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1340 wrote to memory of 1984 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1340 wrote to memory of 1984 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1340 wrote to memory of 1984 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1984 wrote to memory of 1628 N/A C:\Windows\InstallDir\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1984 wrote to memory of 1628 N/A C:\Windows\InstallDir\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1984 wrote to memory of 1628 N/A C:\Windows\InstallDir\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1984 wrote to memory of 1628 N/A C:\Windows\InstallDir\Server.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1984 wrote to memory of 536 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1984 wrote to memory of 536 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1984 wrote to memory of 536 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1984 wrote to memory of 536 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1824 wrote to memory of 844 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1824 wrote to memory of 844 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1824 wrote to memory of 844 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1824 wrote to memory of 844 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1824 wrote to memory of 844 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1824 wrote to memory of 844 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe

"C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe"

C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe

C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

Network

N/A

Files

C:\Windows\InstallDir\Server.exe

MD5 5244590f29e5fdf4267f60fe2a06ea90
SHA1 00ea26b62e1962ccd9a64ddec59d0700accadb6e
SHA256 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4
SHA512 48f252a903222289520a594ee904fcf76ff7c3f70c2b733af02ef0f2bd430bca3f5934da4704de5c4d86d87e2e5a663aa0f80c9406d3dba7be077535af5bc885

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.cfg

MD5 892fb7ae7b1a8c59133b27f958ccb550
SHA1 13a80dff0481d5aee88c51d2130186a0a9194932
SHA256 1678881e96078de557abfd5f5e5a18f468c625a255c2976bdc3251713ad7bfd8
SHA512 8538ecca79bec6269159cacff826e05752650174e6963c78aa0d29071d9fafaf31f17523d7b1b7596dedca11a691fdfa4f28c35b4a4593ef6b13a5c04bd9f884

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.xtr

MD5 6426d400c96fb9ffef4eaa54f6647f4c
SHA1 70a37871aff432790b6adf7d3fc4eb929476e082
SHA256 98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c
SHA512 2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-23 20:27

Reported

2022-11-23 23:32

Platform

win10v2004-20220812-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe"

Signatures

Detect XtremeRAT payload


XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} C:\Windows\InstallDir\Server.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
File created C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4772 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 4772 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 4772 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 4772 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 4772 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 4772 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 4772 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 4772 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 4772 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 4772 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 4772 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 4772 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 4772 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
PID 4752 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\svchost.exe
PID 4752 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\svchost.exe
PID 4752 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\svchost.exe
PID 4752 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\svchost.exe
PID 4752 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4752 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4752 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\explorer.exe
PID 4752 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\explorer.exe
PID 4752 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\explorer.exe
PID 4752 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe C:\Windows\SysWOW64\explorer.exe
PID 4124 wrote to memory of 784 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\InstallDir\Server.exe
PID 4632 wrote to memory of 2760 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 4632 wrote to memory of 2760 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 4632 wrote to memory of 2760 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 4124 wrote to memory of 784 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\InstallDir\Server.exe
PID 4124 wrote to memory of 784 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\InstallDir\Server.exe
PID 4632 wrote to memory of 2152 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 4632 wrote to memory of 2152 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 4632 wrote to memory of 2152 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\Server.exe
PID 2760 wrote to memory of 3992 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2760 wrote to memory of 3992 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2760 wrote to memory of 3992 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2760 wrote to memory of 3992 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2760 wrote to memory of 3992 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2760 wrote to memory of 3992 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2760 wrote to memory of 3992 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2760 wrote to memory of 3992 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2760 wrote to memory of 3992 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2760 wrote to memory of 3992 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2760 wrote to memory of 3992 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2760 wrote to memory of 3992 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2760 wrote to memory of 3992 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 3992 wrote to memory of 3732 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3992 wrote to memory of 3732 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3992 wrote to memory of 1628 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 3992 wrote to memory of 1628 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 3992 wrote to memory of 1628 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 784 wrote to memory of 4176 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 784 wrote to memory of 4176 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 784 wrote to memory of 4176 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 784 wrote to memory of 4176 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 784 wrote to memory of 4176 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 784 wrote to memory of 4176 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 784 wrote to memory of 4176 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 784 wrote to memory of 4176 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 784 wrote to memory of 4176 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 784 wrote to memory of 4176 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 784 wrote to memory of 4176 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 784 wrote to memory of 4176 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 784 wrote to memory of 4176 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 4176 wrote to memory of 3460 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe

"C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe"

C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe

C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 N/A tcp
N/A 93.184.220.29:80 N/A tcp
N/A 95.101.78.82:80 N/A tcp
N/A 104.80.225.205:443 N/A tcp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 52.182.143.208:443 N/A tcp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 106.89.54.20.in-addr.arpa udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.248.5.254:80 N/A tcp
N/A 8.248.5.254:80 N/A tcp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp
N/A 8.8.8.8:53 hussienashraf2020.zapto.org udp

Files

memory/4752-132-0x0000000000000000-mapping.dmp

memory/4752-133-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/4752-134-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/4752-136-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/4752-138-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/4752-139-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/4752-140-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/4752-142-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/4632-143-0x0000000000000000-mapping.dmp

C:\Windows\InstallDir\Server.exe

MD5 5244590f29e5fdf4267f60fe2a06ea90
SHA1 00ea26b62e1962ccd9a64ddec59d0700accadb6e
SHA256 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4
SHA512 48f252a903222289520a594ee904fcf76ff7c3f70c2b733af02ef0f2bd430bca3f5934da4704de5c4d86d87e2e5a663aa0f80c9406d3dba7be077535af5bc885

memory/4124-145-0x0000000000000000-mapping.dmp

memory/4752-146-0x0000000000C81000-0x0000000000C8A000-memory.dmp

memory/4632-147-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/4124-148-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/4124-149-0x0000000000C80000-0x0000000000CEE000-memory.dmp

memory/784-151-0x0000000000000000-mapping.dmp

C:\Windows\InstallDir\Server.exe

MD5 5244590f29e5fdf4267f60fe2a06ea90
SHA1 00ea26b62e1962ccd9a64ddec59d0700accadb6e
SHA256 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4
SHA512 48f252a903222289520a594ee904fcf76ff7c3f70c2b733af02ef0f2bd430bca3f5934da4704de5c4d86d87e2e5a663aa0f80c9406d3dba7be077535af5bc885

memory/2760-150-0x0000000000000000-mapping.dmp

C:\Windows\InstallDir\Server.exe

MD5 5244590f29e5fdf4267f60fe2a06ea90
SHA1 00ea26b62e1962ccd9a64ddec59d0700accadb6e
SHA256 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4
SHA512 48f252a903222289520a594ee904fcf76ff7c3f70c2b733af02ef0f2bd430bca3f5934da4704de5c4d86d87e2e5a663aa0f80c9406d3dba7be077535af5bc885

memory/2152-154-0x0000000000000000-mapping.dmp

C:\Windows\InstallDir\Server.exe

MD5 5244590f29e5fdf4267f60fe2a06ea90
SHA1 00ea26b62e1962ccd9a64ddec59d0700accadb6e
SHA256 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4
SHA512 48f252a903222289520a594ee904fcf76ff7c3f70c2b733af02ef0f2bd430bca3f5934da4704de5c4d86d87e2e5a663aa0f80c9406d3dba7be077535af5bc885

memory/3992-156-0x0000000000000000-mapping.dmp

C:\Windows\InstallDir\Server.exe

MD5 5244590f29e5fdf4267f60fe2a06ea90
SHA1 00ea26b62e1962ccd9a64ddec59d0700accadb6e
SHA256 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4
SHA512 48f252a903222289520a594ee904fcf76ff7c3f70c2b733af02ef0f2bd430bca3f5934da4704de5c4d86d87e2e5a663aa0f80c9406d3dba7be077535af5bc885

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.cfg

MD5 892fb7ae7b1a8c59133b27f958ccb550
SHA1 13a80dff0481d5aee88c51d2130186a0a9194932
SHA256 1678881e96078de557abfd5f5e5a18f468c625a255c2976bdc3251713ad7bfd8
SHA512 8538ecca79bec6269159cacff826e05752650174e6963c78aa0d29071d9fafaf31f17523d7b1b7596dedca11a691fdfa4f28c35b4a4593ef6b13a5c04bd9f884

memory/4176-169-0x0000000000000000-mapping.dmp

C:\Windows\InstallDir\Server.exe

MD5 5244590f29e5fdf4267f60fe2a06ea90
SHA1 00ea26b62e1962ccd9a64ddec59d0700accadb6e
SHA256 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4
SHA512 48f252a903222289520a594ee904fcf76ff7c3f70c2b733af02ef0f2bd430bca3f5934da4704de5c4d86d87e2e5a663aa0f80c9406d3dba7be077535af5bc885

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.xtr

MD5 6426d400c96fb9ffef4eaa54f6647f4c
SHA1 70a37871aff432790b6adf7d3fc4eb929476e082
SHA256 98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c
SHA512 2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.cfg

MD5 892fb7ae7b1a8c59133b27f958ccb550
SHA1 13a80dff0481d5aee88c51d2130186a0a9194932
SHA256 1678881e96078de557abfd5f5e5a18f468c625a255c2976bdc3251713ad7bfd8
SHA512 8538ecca79bec6269159cacff826e05752650174e6963c78aa0d29071d9fafaf31f17523d7b1b7596dedca11a691fdfa4f28c35b4a4593ef6b13a5c04bd9f884

memory/1628-183-0x0000000000000000-mapping.dmp

memory/1628-184-0x0000000001610000-0x0000000001712000-memory.dmp

memory/1628-185-0x0000000001610000-0x0000000001712000-memory.dmp

memory/1628-186-0x0000000001610000-0x0000000001712000-memory.dmp

memory/1628-188-0x0000000001610000-0x0000000001712000-memory.dmp

memory/4840-189-0x0000000000000000-mapping.dmp

memory/1628-190-0x0000000001610000-0x0000000001712000-memory.dmp

C:\Windows\InstallDir\Server.exe

MD5 5244590f29e5fdf4267f60fe2a06ea90
SHA1 00ea26b62e1962ccd9a64ddec59d0700accadb6e
SHA256 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4
SHA512 48f252a903222289520a594ee904fcf76ff7c3f70c2b733af02ef0f2bd430bca3f5934da4704de5c4d86d87e2e5a663aa0f80c9406d3dba7be077535af5bc885

memory/1628-194-0x0000000001610000-0x0000000001712000-memory.dmp

memory/1628-193-0x0000000001610000-0x0000000001712000-memory.dmp

memory/748-191-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.cfg

MD5 892fb7ae7b1a8c59133b27f958ccb550
SHA1 13a80dff0481d5aee88c51d2130186a0a9194932
SHA256 1678881e96078de557abfd5f5e5a18f468c625a255c2976bdc3251713ad7bfd8
SHA512 8538ecca79bec6269159cacff826e05752650174e6963c78aa0d29071d9fafaf31f17523d7b1b7596dedca11a691fdfa4f28c35b4a4593ef6b13a5c04bd9f884

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.dat

MD5 84cad01fdb44ae58dbe6c3973dcd87f5
SHA1 4700b42849fb35be323774820bf1bc8019d26c80
SHA256 8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6
SHA512 6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab

memory/4840-205-0x00000000016BB000-0x0000000001710000-memory.dmp

memory/4840-206-0x0000000001611000-0x00000000016BB000-memory.dmp

memory/1628-207-0x00000000016BB000-0x0000000001710000-memory.dmp

memory/1016-208-0x0000000000000000-mapping.dmp

C:\Windows\InstallDir\Server.exe

MD5 5244590f29e5fdf4267f60fe2a06ea90
SHA1 00ea26b62e1962ccd9a64ddec59d0700accadb6e
SHA256 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4
SHA512 48f252a903222289520a594ee904fcf76ff7c3f70c2b733af02ef0f2bd430bca3f5934da4704de5c4d86d87e2e5a663aa0f80c9406d3dba7be077535af5bc885

memory/3344-220-0x0000000000000000-mapping.dmp

C:\Windows\InstallDir\Server.exe

MD5 5244590f29e5fdf4267f60fe2a06ea90
SHA1 00ea26b62e1962ccd9a64ddec59d0700accadb6e
SHA256 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4
SHA512 48f252a903222289520a594ee904fcf76ff7c3f70c2b733af02ef0f2bd430bca3f5934da4704de5c4d86d87e2e5a663aa0f80c9406d3dba7be077535af5bc885

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pXFtxf.cfg

MD5 892fb7ae7b1a8c59133b27f958ccb550
SHA1 13a80dff0481d5aee88c51d2130186a0a9194932
SHA256 1678881e96078de557abfd5f5e5a18f468c625a255c2976bdc3251713ad7bfd8
SHA512 8538ecca79bec6269159cacff826e05752650174e6963c78aa0d29071d9fafaf31f17523d7b1b7596dedca11a691fdfa4f28c35b4a4593ef6b13a5c04bd9f884

memory/1628-233-0x00000000016BB000-0x0000000001710000-memory.dmp