xtremerat | b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 09:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe
Size

117KB
MD5

3b77048ba1a9cccce18316769a308ff3
SHA1

8d0e49e2f2eb58bc90180015766e9082b63e322f
SHA256

b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328
SHA512

b43741e24b8b72eb5ccd82758fbf05eab8777e4e5d2165cb0891881c17fa36eb0b212619e8c1f769937341a49b16b94593ae63e9d2f3eb3b1512db5443192407
SSDEEP

3072:BYO2omzJeP4teP4Wot50zfJ8aGeb3p1Nfj:BYFzZlWJ5b3pHfj

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 17 IoCs

resource	yara_rule
behavioral1/memory/1384-56-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/1384-58-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/1380-62-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/1380-64-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/1324-67-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/1324-69-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/1028-73-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/1028-75-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/836-79-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/836-81-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/1708-84-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/1708-87-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/1776-90-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/1776-92-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/1508-95-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/1508-98-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat
behavioral1/memory/436-101-0x0000000000C80000-0x0000000000CB6000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1072	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	28
PID 1384 wrote to memory of 1072	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	28
PID 1384 wrote to memory of 1072	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	28
PID 1384 wrote to memory of 1072	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	28
PID 1384 wrote to memory of 1072	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	28
PID 1384 wrote to memory of 840	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	29
PID 1384 wrote to memory of 840	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	29
PID 1384 wrote to memory of 840	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	29
PID 1384 wrote to memory of 840	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	29
PID 1384 wrote to memory of 840	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	29
PID 1384 wrote to memory of 1772	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	30
PID 1384 wrote to memory of 1772	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	30
PID 1384 wrote to memory of 1772	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	30
PID 1384 wrote to memory of 1772	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	30
PID 1384 wrote to memory of 1772	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	30
PID 1384 wrote to memory of 2016	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	31
PID 1384 wrote to memory of 2016	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	31
PID 1384 wrote to memory of 2016	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	31
PID 1384 wrote to memory of 2016	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	31
PID 1384 wrote to memory of 2016	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	31
PID 1384 wrote to memory of 2028	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	32
PID 1384 wrote to memory of 2028	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	32
PID 1384 wrote to memory of 2028	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	32
PID 1384 wrote to memory of 2028	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	32
PID 1384 wrote to memory of 2028	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	32
PID 1384 wrote to memory of 2032	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	33
PID 1384 wrote to memory of 2032	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	33
PID 1384 wrote to memory of 2032	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	33
PID 1384 wrote to memory of 2032	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	33
PID 1384 wrote to memory of 2032	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	33
PID 1384 wrote to memory of 2012	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	34
PID 1384 wrote to memory of 2012	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	34
PID 1384 wrote to memory of 2012	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	34
PID 1384 wrote to memory of 2012	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	34
PID 1384 wrote to memory of 2012	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	34
PID 1384 wrote to memory of 1716	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	35
PID 1384 wrote to memory of 1716	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	35
PID 1384 wrote to memory of 1716	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	35
PID 1384 wrote to memory of 1716	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	35
PID 1384 wrote to memory of 1380	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	36
PID 1384 wrote to memory of 1380	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	36
PID 1384 wrote to memory of 1380	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	36
PID 1384 wrote to memory of 1380	1384	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	36
PID 1380 wrote to memory of 1912	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	37
PID 1380 wrote to memory of 1912	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	37
PID 1380 wrote to memory of 1912	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	37
PID 1380 wrote to memory of 1912	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	37
PID 1380 wrote to memory of 1912	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	37
PID 1380 wrote to memory of 864	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	38
PID 1380 wrote to memory of 864	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	38
PID 1380 wrote to memory of 864	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	38
PID 1380 wrote to memory of 864	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	38
PID 1380 wrote to memory of 864	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	38
PID 1380 wrote to memory of 1820	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	39
PID 1380 wrote to memory of 1820	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	39
PID 1380 wrote to memory of 1820	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	39
PID 1380 wrote to memory of 1820	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	39
PID 1380 wrote to memory of 1820	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	39
PID 1380 wrote to memory of 1120	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	40
PID 1380 wrote to memory of 1120	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	40
PID 1380 wrote to memory of 1120	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	40
PID 1380 wrote to memory of 1120	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	40
PID 1380 wrote to memory of 1120	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	40
PID 1380 wrote to memory of 472	1380	b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe	41

C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe
"C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1072
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:840
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1772
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2016
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2028
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2032
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2012
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe
  "C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1912
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:864
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1820
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1120
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:472
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:268
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:304
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe
    "C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe"
    3⤵
    PID:1324
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1796
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1696
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1888
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1064
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:784
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:628
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1656
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:952
  - - C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe
      "C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe"
      4⤵
      PID:1028
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1916
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1428
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1212
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1496
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1520
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1684
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:316
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1636
    - - C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe"
        5⤵
        
        PID:836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1512
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1440
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1084
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1700
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1328
      - C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe"
        6⤵
        
        PID:1708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe"
        7⤵
        
        PID:1776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe"
        8⤵
        
        PID:1508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b9515848ce8e78a2880f638e6681a83b5829b38cd47d1d1b2597ea02122d7328.exe"
        9⤵
        
        PID:436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
b1de13e7cec5641fb5c3e506362a3ec9

SHA1
1f6db665c74f0e2b7192aefb3f52ef2feeb2fd27

SHA256
aa44523367a49cd1813c297cf29ed77336ad69e00351653f6f71c1b1cadf102f

SHA512
09f0488db4e514169f3a16391ca159f4d054d66dfec18f39df1404c31877c701dc6d52cd470a8b73c4fa8569a396155ec163fbbbf802807f3adfa77b086ed3a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
b1de13e7cec5641fb5c3e506362a3ec9

SHA1
1f6db665c74f0e2b7192aefb3f52ef2feeb2fd27

SHA256
aa44523367a49cd1813c297cf29ed77336ad69e00351653f6f71c1b1cadf102f

SHA512
09f0488db4e514169f3a16391ca159f4d054d66dfec18f39df1404c31877c701dc6d52cd470a8b73c4fa8569a396155ec163fbbbf802807f3adfa77b086ed3a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
b1de13e7cec5641fb5c3e506362a3ec9

SHA1
1f6db665c74f0e2b7192aefb3f52ef2feeb2fd27

SHA256
aa44523367a49cd1813c297cf29ed77336ad69e00351653f6f71c1b1cadf102f

SHA512
09f0488db4e514169f3a16391ca159f4d054d66dfec18f39df1404c31877c701dc6d52cd470a8b73c4fa8569a396155ec163fbbbf802807f3adfa77b086ed3a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
b1de13e7cec5641fb5c3e506362a3ec9

SHA1
1f6db665c74f0e2b7192aefb3f52ef2feeb2fd27

SHA256
aa44523367a49cd1813c297cf29ed77336ad69e00351653f6f71c1b1cadf102f

SHA512
09f0488db4e514169f3a16391ca159f4d054d66dfec18f39df1404c31877c701dc6d52cd470a8b73c4fa8569a396155ec163fbbbf802807f3adfa77b086ed3a4

Download Submit
memory/436-101-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/436-99-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/836-79-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/836-77-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/836-76-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/836-81-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1028-73-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1028-75-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1028-70-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1324-65-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1324-67-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1324-69-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1380-62-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1380-64-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1380-59-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1384-55-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1384-54-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1384-56-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1384-58-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1508-98-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1508-93-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1508-95-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1708-84-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1708-82-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1708-87-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1776-92-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1776-90-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download
memory/1776-88-0x0000000000C80000-0x0000000000CB6000-memory.dmp

Filesize
216KB

Download