xtremerat | 8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c

Analysis

max time kernel
163s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe
Size

20KB
MD5

1b18182b593858a7caaea157a605917c
SHA1

8a7520c8ec6ac58402b4ae644dc80e662210fe79
SHA256

8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c
SHA512

18d5d1380e737e6861d6b38a723070ded2f8ac772ebc2ea5262a6cbb213797569052702cff2919eff4466bee02dcb20c38bf0c571c90992cf5a9f0b498b329b4
SSDEEP

384:WnD2eetIgFttzfA8WFRGlm/L5wp2ZDvDqVJMoz7x4vRbFUvWLR:A2PtxFt9m7GSL5UVJtz7x2bqY

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 19 IoCs

resource	yara_rule
behavioral1/memory/1996-55-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1996-56-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1996-62-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/764-65-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/764-68-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/300-71-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/300-74-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1732-76-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1732-80-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1832-82-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1832-85-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/944-88-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/944-91-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2032-93-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2032-96-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1332-101-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1592-104-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1592-107-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1036-110-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 9 IoCs

pid	Process
764	Server.exe
300	Server.exe
1732	Server.exe
1832	Server.exe
944	Server.exe
2032	Server.exe
1332	Server.exe
1592	Server.exe
1036	Server.exe

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1996-55-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1996-56-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/files/0x0007000000014ef4-57.dat	upx
behavioral1/memory/1996-58-0x00000000030F0000-0x0000000003106000-memory.dmp	upx
behavioral1/files/0x0007000000014ef4-59.dat	upx
behavioral1/files/0x0007000000014ef4-61.dat	upx
behavioral1/memory/1996-62-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/764-65-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/files/0x0007000000014ef4-66.dat	upx
behavioral1/files/0x0007000000014ef4-69.dat	upx
behavioral1/memory/764-68-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/300-71-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/300-74-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/files/0x0007000000014ef4-73.dat	upx
behavioral1/memory/1732-76-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/files/0x0007000000014ef4-79.dat	upx
behavioral1/memory/1732-80-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1832-82-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/files/0x0007000000014ef4-84.dat	upx
behavioral1/memory/1832-85-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/944-88-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/944-91-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/files/0x0007000000014ef4-90.dat	upx
behavioral1/memory/2032-93-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2032-96-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/files/0x0007000000014ef4-95.dat	upx
behavioral1/memory/1332-98-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/files/0x0007000000014ef4-102.dat	upx
behavioral1/memory/1332-101-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1592-104-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1592-107-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/files/0x0007000000014ef4-106.dat	upx
behavioral1/memory/1036-110-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe
1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe

Adds Run key to start application 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1644	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	27
PID 1996 wrote to memory of 1644	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	27
PID 1996 wrote to memory of 1644	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	27
PID 1996 wrote to memory of 1644	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	27
PID 1996 wrote to memory of 1644	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	27
PID 1996 wrote to memory of 1056	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	28
PID 1996 wrote to memory of 1056	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	28
PID 1996 wrote to memory of 1056	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	28
PID 1996 wrote to memory of 1056	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	28
PID 1996 wrote to memory of 1056	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	28
PID 1996 wrote to memory of 1296	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	29
PID 1996 wrote to memory of 1296	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	29
PID 1996 wrote to memory of 1296	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	29
PID 1996 wrote to memory of 1296	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	29
PID 1996 wrote to memory of 1296	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	29
PID 1996 wrote to memory of 1504	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	30
PID 1996 wrote to memory of 1504	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	30
PID 1996 wrote to memory of 1504	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	30
PID 1996 wrote to memory of 1504	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	30
PID 1996 wrote to memory of 1504	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	30
PID 1996 wrote to memory of 1500	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	31
PID 1996 wrote to memory of 1500	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	31
PID 1996 wrote to memory of 1500	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	31
PID 1996 wrote to memory of 1500	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	31
PID 1996 wrote to memory of 1500	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	31
PID 1996 wrote to memory of 1492	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	32
PID 1996 wrote to memory of 1492	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	32
PID 1996 wrote to memory of 1492	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	32
PID 1996 wrote to memory of 1492	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	32
PID 1996 wrote to memory of 1492	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	32
PID 1996 wrote to memory of 864	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	33
PID 1996 wrote to memory of 864	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	33
PID 1996 wrote to memory of 864	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	33
PID 1996 wrote to memory of 864	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	33
PID 1996 wrote to memory of 864	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	33
PID 1996 wrote to memory of 580	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	34
PID 1996 wrote to memory of 580	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	34
PID 1996 wrote to memory of 580	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	34
PID 1996 wrote to memory of 580	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	34
PID 1996 wrote to memory of 764	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	35
PID 1996 wrote to memory of 764	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	35
PID 1996 wrote to memory of 764	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	35
PID 1996 wrote to memory of 764	1996	8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe	35
PID 764 wrote to memory of 1976	764	Server.exe	36
PID 764 wrote to memory of 1976	764	Server.exe	36
PID 764 wrote to memory of 1976	764	Server.exe	36
PID 764 wrote to memory of 1976	764	Server.exe	36
PID 764 wrote to memory of 1976	764	Server.exe	36
PID 764 wrote to memory of 328	764	Server.exe	37
PID 764 wrote to memory of 328	764	Server.exe	37
PID 764 wrote to memory of 328	764	Server.exe	37
PID 764 wrote to memory of 328	764	Server.exe	37
PID 764 wrote to memory of 328	764	Server.exe	37
PID 764 wrote to memory of 1752	764	Server.exe	38
PID 764 wrote to memory of 1752	764	Server.exe	38
PID 764 wrote to memory of 1752	764	Server.exe	38
PID 764 wrote to memory of 1752	764	Server.exe	38
PID 764 wrote to memory of 1752	764	Server.exe	38
PID 764 wrote to memory of 828	764	Server.exe	39
PID 764 wrote to memory of 828	764	Server.exe	39
PID 764 wrote to memory of 828	764	Server.exe	39
PID 764 wrote to memory of 828	764	Server.exe	39
PID 764 wrote to memory of 828	764	Server.exe	39
PID 764 wrote to memory of 1816	764	Server.exe	40

C:\Users\Admin\AppData\Local\Temp\8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe
"C:\Users\Admin\AppData\Local\Temp\8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c.exe"
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1644
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1056
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1296
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1504
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1500
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1492
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:864
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:580
- C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
  "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1976
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:328
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1752
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:828
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1816
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:692
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1276
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1340
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    PID:300
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:976
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1900
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1456
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:832
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1244
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1112
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1876
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1292
  - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
      "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Modifies Installed Components in the registry
      Adds Run key to start application
      PID:1732
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:840
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1796
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1788
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1164
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1364
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1936
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1448
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1312
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1832
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1512
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:628
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:964
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1652
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1380
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1844
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2028
      - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:2032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        10⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
20KB

MD5
1b18182b593858a7caaea157a605917c

SHA1
8a7520c8ec6ac58402b4ae644dc80e662210fe79

SHA256
8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c

SHA512
18d5d1380e737e6861d6b38a723070ded2f8ac772ebc2ea5262a6cbb213797569052702cff2919eff4466bee02dcb20c38bf0c571c90992cf5a9f0b498b329b4

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
20KB

MD5
1b18182b593858a7caaea157a605917c

SHA1
8a7520c8ec6ac58402b4ae644dc80e662210fe79

SHA256
8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c

SHA512
18d5d1380e737e6861d6b38a723070ded2f8ac772ebc2ea5262a6cbb213797569052702cff2919eff4466bee02dcb20c38bf0c571c90992cf5a9f0b498b329b4

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
20KB

MD5
1b18182b593858a7caaea157a605917c

SHA1
8a7520c8ec6ac58402b4ae644dc80e662210fe79

SHA256
8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c

SHA512
18d5d1380e737e6861d6b38a723070ded2f8ac772ebc2ea5262a6cbb213797569052702cff2919eff4466bee02dcb20c38bf0c571c90992cf5a9f0b498b329b4

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
20KB

MD5
1b18182b593858a7caaea157a605917c

SHA1
8a7520c8ec6ac58402b4ae644dc80e662210fe79

SHA256
8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c

SHA512
18d5d1380e737e6861d6b38a723070ded2f8ac772ebc2ea5262a6cbb213797569052702cff2919eff4466bee02dcb20c38bf0c571c90992cf5a9f0b498b329b4

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
20KB

MD5
1b18182b593858a7caaea157a605917c

SHA1
8a7520c8ec6ac58402b4ae644dc80e662210fe79

SHA256
8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c

SHA512
18d5d1380e737e6861d6b38a723070ded2f8ac772ebc2ea5262a6cbb213797569052702cff2919eff4466bee02dcb20c38bf0c571c90992cf5a9f0b498b329b4

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
20KB

MD5
1b18182b593858a7caaea157a605917c

SHA1
8a7520c8ec6ac58402b4ae644dc80e662210fe79

SHA256
8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c

SHA512
18d5d1380e737e6861d6b38a723070ded2f8ac772ebc2ea5262a6cbb213797569052702cff2919eff4466bee02dcb20c38bf0c571c90992cf5a9f0b498b329b4

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
20KB

MD5
1b18182b593858a7caaea157a605917c

SHA1
8a7520c8ec6ac58402b4ae644dc80e662210fe79

SHA256
8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c

SHA512
18d5d1380e737e6861d6b38a723070ded2f8ac772ebc2ea5262a6cbb213797569052702cff2919eff4466bee02dcb20c38bf0c571c90992cf5a9f0b498b329b4

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
20KB

MD5
1b18182b593858a7caaea157a605917c

SHA1
8a7520c8ec6ac58402b4ae644dc80e662210fe79

SHA256
8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c

SHA512
18d5d1380e737e6861d6b38a723070ded2f8ac772ebc2ea5262a6cbb213797569052702cff2919eff4466bee02dcb20c38bf0c571c90992cf5a9f0b498b329b4

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
20KB

MD5
1b18182b593858a7caaea157a605917c

SHA1
8a7520c8ec6ac58402b4ae644dc80e662210fe79

SHA256
8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c

SHA512
18d5d1380e737e6861d6b38a723070ded2f8ac772ebc2ea5262a6cbb213797569052702cff2919eff4466bee02dcb20c38bf0c571c90992cf5a9f0b498b329b4

Download Submit
C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
20KB

MD5
1b18182b593858a7caaea157a605917c

SHA1
8a7520c8ec6ac58402b4ae644dc80e662210fe79

SHA256
8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c

SHA512
18d5d1380e737e6861d6b38a723070ded2f8ac772ebc2ea5262a6cbb213797569052702cff2919eff4466bee02dcb20c38bf0c571c90992cf5a9f0b498b329b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5X7oS.cfg

Filesize
1KB

MD5
8c38210f5d9902fcc19f259fd356ae98

SHA1
6ada95a218292bfe659e53097d96107e53290c16

SHA256
63be4a64a4bb82aa9a7cb68826cf5d7d5d9469906b00d8b51c598e5ccd1d7600

SHA512
9e11ff823a87fc75998f2baf7cc117468cb7b0739323c542169c21fa870a61bed629b4004b808892418f9e6fbf169190c7f01d521633ba0d485b22a9d9d7bec0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5X7oS.cfg

Filesize
1KB

MD5
8c38210f5d9902fcc19f259fd356ae98

SHA1
6ada95a218292bfe659e53097d96107e53290c16

SHA256
63be4a64a4bb82aa9a7cb68826cf5d7d5d9469906b00d8b51c598e5ccd1d7600

SHA512
9e11ff823a87fc75998f2baf7cc117468cb7b0739323c542169c21fa870a61bed629b4004b808892418f9e6fbf169190c7f01d521633ba0d485b22a9d9d7bec0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5X7oS.cfg

Filesize
1KB

MD5
8c38210f5d9902fcc19f259fd356ae98

SHA1
6ada95a218292bfe659e53097d96107e53290c16

SHA256
63be4a64a4bb82aa9a7cb68826cf5d7d5d9469906b00d8b51c598e5ccd1d7600

SHA512
9e11ff823a87fc75998f2baf7cc117468cb7b0739323c542169c21fa870a61bed629b4004b808892418f9e6fbf169190c7f01d521633ba0d485b22a9d9d7bec0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5X7oS.cfg

Filesize
1KB

MD5
8c38210f5d9902fcc19f259fd356ae98

SHA1
6ada95a218292bfe659e53097d96107e53290c16

SHA256
63be4a64a4bb82aa9a7cb68826cf5d7d5d9469906b00d8b51c598e5ccd1d7600

SHA512
9e11ff823a87fc75998f2baf7cc117468cb7b0739323c542169c21fa870a61bed629b4004b808892418f9e6fbf169190c7f01d521633ba0d485b22a9d9d7bec0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5X7oS.cfg

Filesize
1KB

MD5
8c38210f5d9902fcc19f259fd356ae98

SHA1
6ada95a218292bfe659e53097d96107e53290c16

SHA256
63be4a64a4bb82aa9a7cb68826cf5d7d5d9469906b00d8b51c598e5ccd1d7600

SHA512
9e11ff823a87fc75998f2baf7cc117468cb7b0739323c542169c21fa870a61bed629b4004b808892418f9e6fbf169190c7f01d521633ba0d485b22a9d9d7bec0

Download Submit
\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
20KB

MD5
1b18182b593858a7caaea157a605917c

SHA1
8a7520c8ec6ac58402b4ae644dc80e662210fe79

SHA256
8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c

SHA512
18d5d1380e737e6861d6b38a723070ded2f8ac772ebc2ea5262a6cbb213797569052702cff2919eff4466bee02dcb20c38bf0c571c90992cf5a9f0b498b329b4

Download Submit
\Users\Admin\AppData\Roaming\InstallDir\Server.exe

Filesize
20KB

MD5
1b18182b593858a7caaea157a605917c

SHA1
8a7520c8ec6ac58402b4ae644dc80e662210fe79

SHA256
8ecd0fa35ce6fedf338b77e994e5baf2af02b99b26c0b231dd93dac4159a479c

SHA512
18d5d1380e737e6861d6b38a723070ded2f8ac772ebc2ea5262a6cbb213797569052702cff2919eff4466bee02dcb20c38bf0c571c90992cf5a9f0b498b329b4

Download Submit
memory/300-74-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/300-71-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/764-68-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/764-65-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/944-91-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/944-88-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1036-110-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1332-98-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1332-101-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1592-107-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1592-104-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1732-80-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1732-76-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1832-85-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1832-82-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1996-56-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1996-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1996-55-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1996-58-0x00000000030F0000-0x0000000003106000-memory.dmp

Filesize
88KB

Download
memory/1996-62-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2032-96-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2032-93-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads