xtremerat | 3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

Analysis

max time kernel
151s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe
Size

156KB
MD5

7b2f715c1c3da8cfed84c2bff35676d9
SHA1

2b6d2a5b6110e6900b191123f940487040a770aa
SHA256

3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754
SHA512

683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d
SSDEEP

3072:DXgnMZMAht0Nht4pr9NJWqrkuBIH4ax+9gnUhPSNNyWcHzYqPL0BbNNQ8:sCMOpLIqNBgPCTHzYjBb3z

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

sucamilla.no-ip.org

Signatures

Detect XtremeRAT payload 35 IoCs

resource	yara_rule
behavioral1/memory/1312-66-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/1312-67-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/292-71-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral1/memory/292-74-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/1004-96-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/1312-97-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/292-115-0x00000000026B0000-0x00000000026D1000-memory.dmp	family_xtremerat
behavioral1/memory/2024-116-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/1692-136-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/1004-137-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/368-156-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/2024-157-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/1540-176-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/1692-178-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/292-196-0x00000000028F0000-0x0000000002911000-memory.dmp	family_xtremerat
behavioral1/memory/616-197-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/368-198-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/1844-217-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/1540-219-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/292-220-0x0000000003E00000-0x0000000003E21000-memory.dmp	family_xtremerat
behavioral1/memory/2012-239-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/616-240-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/1372-259-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/1844-261-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/2128-281-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/2012-282-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/2300-301-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/1372-303-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/2476-322-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/2128-324-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/2656-344-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/2300-345-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/2828-363-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/2476-365-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat
behavioral1/memory/3004-383-0x0000000013140000-0x000000001315F000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 46 IoCs

pid	Process
1524	Server.exe
1004	Server.exe
1972	Server.exe
2024	Server.exe
1812	Server.exe
1692	Server.exe
1588	Server.exe
368	Server.exe
972	Server.exe
1540	Server.exe
1032	Server.exe
616	Server.exe
972	Server.exe
1844	Server.exe
1020	Server.exe
2012	Server.exe
1176	Server.exe
1372	Server.exe
2092	Server.exe
2128	Server.exe
2272	Server.exe
2300	Server.exe
2448	Server.exe
2476	Server.exe
2628	Server.exe
2656	Server.exe
2800	Server.exe
2828	Server.exe
2976	Server.exe
3004	Server.exe
2152	Server.exe
2160	Server.exe
1372	Server.exe
2488	Server.exe
2632	Server.exe
2708	Server.exe
2540	Server.exe
848	Server.exe
1668	Server.exe
952	Server.exe
2544	Server.exe
3060	Server.exe
3012	Server.exe
2480	Server.exe
2708	Server.exe
2688	Server.exe

Modifies Installed Components in the registry 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{228F4T86-Y18M-EL02-7R15-W523M71525T7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1312-57-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1312-59-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1312-60-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1312-65-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1312-66-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1312-67-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/292-74-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1004-96-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1312-97-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/292-115-0x00000000026B0000-0x00000000026D1000-memory.dmp	upx
behavioral1/memory/2024-116-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1692-136-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1004-137-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/368-156-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/2024-157-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1540-176-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1692-178-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/616-197-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/368-198-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1844-217-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1540-219-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/292-220-0x0000000003E00000-0x0000000003E21000-memory.dmp	upx
behavioral1/memory/2012-239-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/616-240-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1372-259-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1844-261-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/2128-281-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/2012-282-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/2300-301-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/1372-303-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/2476-322-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/2128-324-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/2656-344-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/2300-345-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/2828-363-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/2476-365-0x0000000013140000-0x000000001315F000-memory.dmp	upx
behavioral1/memory/3004-383-0x0000000013140000-0x000000001315F000-memory.dmp	upx

Loads dropped DLL 24 IoCs

pid	Process
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe
292	svchost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe
File created	C:\Windows\SysWOW64\	Server.exe

Suspicious use of SetThreadContext 24 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 1312	1712	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	27
PID 1524 set thread context of 1004	1524	Server.exe	36
PID 1972 set thread context of 2024	1972	Server.exe	43
PID 1812 set thread context of 1692	1812	Server.exe	51
PID 1588 set thread context of 368	1588	Server.exe	61
PID 972 set thread context of 1540	972	Server.exe	71
PID 1032 set thread context of 616	1032	Server.exe	81
PID 972 set thread context of 1844	972	Server.exe	91
PID 1020 set thread context of 2012	1020	Server.exe	101
PID 1176 set thread context of 1372	1176	Server.exe	111
PID 2092 set thread context of 2128	2092	Server.exe	121
PID 2272 set thread context of 2300	2272	Server.exe	131
PID 2448 set thread context of 2476	2448	Server.exe	141
PID 2628 set thread context of 2656	2628	Server.exe	151
PID 2800 set thread context of 2828	2800	Server.exe	161
PID 2976 set thread context of 3004	2976	Server.exe	171
PID 2152 set thread context of 2160	2152	Server.exe	181
PID 1372 set thread context of 2488	1372	Server.exe	191
PID 2632 set thread context of 2708	2632	Server.exe	201
PID 2540 set thread context of 848	2540	Server.exe	211
PID 1668 set thread context of 952	1668	Server.exe	221
PID 2544 set thread context of 3060	2544	Server.exe	231
PID 3012 set thread context of 2480	3012	Server.exe	241
PID 2708 set thread context of 2688	2708	Server.exe	251

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File created	C:\Windows\InstallDir\Server.exe	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
1712	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe
1524	Server.exe
1972	Server.exe
1812	Server.exe
1588	Server.exe
972	Server.exe
1032	Server.exe
972	Server.exe
1020	Server.exe
1176	Server.exe
2092	Server.exe
2272	Server.exe
2448	Server.exe
2628	Server.exe
2800	Server.exe
2976	Server.exe
2152	Server.exe
1372	Server.exe
2632	Server.exe
2540	Server.exe
1668	Server.exe
2544	Server.exe
3012	Server.exe
2708	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1312	1712	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	27
PID 1712 wrote to memory of 1312	1712	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	27
PID 1712 wrote to memory of 1312	1712	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	27
PID 1712 wrote to memory of 1312	1712	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	27
PID 1712 wrote to memory of 1312	1712	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	27
PID 1712 wrote to memory of 1312	1712	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	27
PID 1712 wrote to memory of 1312	1712	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	27
PID 1712 wrote to memory of 1312	1712	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	27
PID 1312 wrote to memory of 292	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	28
PID 1312 wrote to memory of 292	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	28
PID 1312 wrote to memory of 292	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	28
PID 1312 wrote to memory of 292	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	28
PID 1312 wrote to memory of 292	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	28
PID 1312 wrote to memory of 1756	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	29
PID 1312 wrote to memory of 1756	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	29
PID 1312 wrote to memory of 1756	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	29
PID 1312 wrote to memory of 1756	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	29
PID 1312 wrote to memory of 1756	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	29
PID 1312 wrote to memory of 1940	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	30
PID 1312 wrote to memory of 1940	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	30
PID 1312 wrote to memory of 1940	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	30
PID 1312 wrote to memory of 1940	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	30
PID 1312 wrote to memory of 1940	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	30
PID 1312 wrote to memory of 1304	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	31
PID 1312 wrote to memory of 1304	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	31
PID 1312 wrote to memory of 1304	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	31
PID 1312 wrote to memory of 1304	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	31
PID 1312 wrote to memory of 1304	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	31
PID 1312 wrote to memory of 1788	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	32
PID 1312 wrote to memory of 1788	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	32
PID 1312 wrote to memory of 1788	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	32
PID 1312 wrote to memory of 1788	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	32
PID 1312 wrote to memory of 1788	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	32
PID 1312 wrote to memory of 396	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	33
PID 1312 wrote to memory of 396	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	33
PID 1312 wrote to memory of 396	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	33
PID 1312 wrote to memory of 396	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	33
PID 1312 wrote to memory of 396	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	33
PID 1312 wrote to memory of 1080	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	34
PID 1312 wrote to memory of 1080	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	34
PID 1312 wrote to memory of 1080	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	34
PID 1312 wrote to memory of 1080	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	34
PID 1312 wrote to memory of 1080	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	34
PID 292 wrote to memory of 1524	292	svchost.exe	35
PID 292 wrote to memory of 1524	292	svchost.exe	35
PID 292 wrote to memory of 1524	292	svchost.exe	35
PID 292 wrote to memory of 1524	292	svchost.exe	35
PID 1524 wrote to memory of 1004	1524	Server.exe	36
PID 1524 wrote to memory of 1004	1524	Server.exe	36
PID 1524 wrote to memory of 1004	1524	Server.exe	36
PID 1524 wrote to memory of 1004	1524	Server.exe	36
PID 1524 wrote to memory of 1004	1524	Server.exe	36
PID 1524 wrote to memory of 1004	1524	Server.exe	36
PID 1524 wrote to memory of 1004	1524	Server.exe	36
PID 1524 wrote to memory of 1004	1524	Server.exe	36
PID 1312 wrote to memory of 1612	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	37
PID 1312 wrote to memory of 1612	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	37
PID 1312 wrote to memory of 1612	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	37
PID 1312 wrote to memory of 1612	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	37
PID 1004 wrote to memory of 788	1004	Server.exe	38
PID 1004 wrote to memory of 788	1004	Server.exe	38
PID 1004 wrote to memory of 788	1004	Server.exe	38
PID 1004 wrote to memory of 788	1004	Server.exe	38
PID 1312 wrote to memory of 1612	1312	3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe	37

C:\Users\Admin\AppData\Local\Temp\3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe
"C:\Users\Admin\AppData\Local\Temp\3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754.exe
  2⤵
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:292
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1004
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:788
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1060
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1968
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1108
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:112
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:552
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1972
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2024
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:876
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1528
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1048
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:804
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1764
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1684
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:372
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:760
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1812
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1160
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:544
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1592
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1264
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:432
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1956
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1812
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:912
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1588
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:368
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1632
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1312
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1440
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1580
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:948
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2024
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:960
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:972
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1540
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1712
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1288
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1460
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1972
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1604
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:600
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1032
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:616
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1368
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1652
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:984
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1848
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1456
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2036
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:904
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:972
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1844
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1700
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1524
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1004
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1120
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2064
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1020
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2012
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1172
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1640
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1896
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2004
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2084
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2212
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2240
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1176
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1372
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1148
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:616
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2076
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2204
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2232
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2260
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2396
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2420
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2092
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2196
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2224
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2388
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2412
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2440
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2596
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2272
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2380
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2404
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2432
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2564
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2588
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2616
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2748
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2772
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2448
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2476
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2580
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2608
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2740
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2764
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2792
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2920
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2944
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2628
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2656
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2724
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2756
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2784
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2936
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2964
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1844
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2108
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2800
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2896
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2956
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1032
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2144
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2340
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2356
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2976
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3004
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1664
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2120
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2336
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2352
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:924
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2604
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2636
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2152
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2160
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2348
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1176
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2184
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2652
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2676
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2800
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2856
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1372
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2488
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2188
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2624
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2668
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2852
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2876
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2556
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2716
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2168
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2632
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2708
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2868
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2892
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1672
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2656
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2220
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2500
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2428
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2540
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:848
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2712
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2096
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2468
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2516
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2504
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2308
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2952
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1668
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:952
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2472
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2512
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2524
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2848
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2180
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3000
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2012
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2284
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2544
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3060
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2364
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2884
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2988
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2152
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2908
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1372
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3028
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2532
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3012
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2480
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2292
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2320
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2808
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:848
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3048
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2708
    - - C:\Windows\InstallDir\Server.exe
        
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2688
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1376
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3044
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1756
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1940
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1304
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1788
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:396
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1080
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1612
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\[email protected]

Filesize
1KB

MD5
01a01093343cab2866159c9f22a681ab

SHA1
c1fb01267a0994a40bae9b773e36f662a0ffd556

SHA256
73042a6624035274e6fd5ce4fbc01fe3419b769e854d29299caa566f5913def1

SHA512
1de6fd749c1b2f690390bc21ccff99f230db18925472d479aaa7ca23a222c40375e465bd19e05a70950e5982ef0a94e6c6e2d16f9f35f535ca31829b84fdfd80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\[email protected]

Filesize
1KB

MD5
01a01093343cab2866159c9f22a681ab

SHA1
c1fb01267a0994a40bae9b773e36f662a0ffd556

SHA256
73042a6624035274e6fd5ce4fbc01fe3419b769e854d29299caa566f5913def1

SHA512
1de6fd749c1b2f690390bc21ccff99f230db18925472d479aaa7ca23a222c40375e465bd19e05a70950e5982ef0a94e6c6e2d16f9f35f535ca31829b84fdfd80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\[email protected]

Filesize
1KB

MD5
01a01093343cab2866159c9f22a681ab

SHA1
c1fb01267a0994a40bae9b773e36f662a0ffd556

SHA256
73042a6624035274e6fd5ce4fbc01fe3419b769e854d29299caa566f5913def1

SHA512
1de6fd749c1b2f690390bc21ccff99f230db18925472d479aaa7ca23a222c40375e465bd19e05a70950e5982ef0a94e6c6e2d16f9f35f535ca31829b84fdfd80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\[email protected]

Filesize
1KB

MD5
01a01093343cab2866159c9f22a681ab

SHA1
c1fb01267a0994a40bae9b773e36f662a0ffd556

SHA256
73042a6624035274e6fd5ce4fbc01fe3419b769e854d29299caa566f5913def1

SHA512
1de6fd749c1b2f690390bc21ccff99f230db18925472d479aaa7ca23a222c40375e465bd19e05a70950e5982ef0a94e6c6e2d16f9f35f535ca31829b84fdfd80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\[email protected]

Filesize
1KB

MD5
01a01093343cab2866159c9f22a681ab

SHA1
c1fb01267a0994a40bae9b773e36f662a0ffd556

SHA256
73042a6624035274e6fd5ce4fbc01fe3419b769e854d29299caa566f5913def1

SHA512
1de6fd749c1b2f690390bc21ccff99f230db18925472d479aaa7ca23a222c40375e465bd19e05a70950e5982ef0a94e6c6e2d16f9f35f535ca31829b84fdfd80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\[email protected]

Filesize
1KB

MD5
01a01093343cab2866159c9f22a681ab

SHA1
c1fb01267a0994a40bae9b773e36f662a0ffd556

SHA256
73042a6624035274e6fd5ce4fbc01fe3419b769e854d29299caa566f5913def1

SHA512
1de6fd749c1b2f690390bc21ccff99f230db18925472d479aaa7ca23a222c40375e465bd19e05a70950e5982ef0a94e6c6e2d16f9f35f535ca31829b84fdfd80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\[email protected]

Filesize
1KB

MD5
01a01093343cab2866159c9f22a681ab

SHA1
c1fb01267a0994a40bae9b773e36f662a0ffd556

SHA256
73042a6624035274e6fd5ce4fbc01fe3419b769e854d29299caa566f5913def1

SHA512
1de6fd749c1b2f690390bc21ccff99f230db18925472d479aaa7ca23a222c40375e465bd19e05a70950e5982ef0a94e6c6e2d16f9f35f535ca31829b84fdfd80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\[email protected]

Filesize
1KB

MD5
01a01093343cab2866159c9f22a681ab

SHA1
c1fb01267a0994a40bae9b773e36f662a0ffd556

SHA256
73042a6624035274e6fd5ce4fbc01fe3419b769e854d29299caa566f5913def1

SHA512
1de6fd749c1b2f690390bc21ccff99f230db18925472d479aaa7ca23a222c40375e465bd19e05a70950e5982ef0a94e6c6e2d16f9f35f535ca31829b84fdfd80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\[email protected]

Filesize
1KB

MD5
01a01093343cab2866159c9f22a681ab

SHA1
c1fb01267a0994a40bae9b773e36f662a0ffd556

SHA256
73042a6624035274e6fd5ce4fbc01fe3419b769e854d29299caa566f5913def1

SHA512
1de6fd749c1b2f690390bc21ccff99f230db18925472d479aaa7ca23a222c40375e465bd19e05a70950e5982ef0a94e6c6e2d16f9f35f535ca31829b84fdfd80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\[email protected]

Filesize
1KB

MD5
01a01093343cab2866159c9f22a681ab

SHA1
c1fb01267a0994a40bae9b773e36f662a0ffd556

SHA256
73042a6624035274e6fd5ce4fbc01fe3419b769e854d29299caa566f5913def1

SHA512
1de6fd749c1b2f690390bc21ccff99f230db18925472d479aaa7ca23a222c40375e465bd19e05a70950e5982ef0a94e6c6e2d16f9f35f535ca31829b84fdfd80

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
\Windows\InstallDir\Server.exe

Filesize
156KB

MD5
7b2f715c1c3da8cfed84c2bff35676d9

SHA1
2b6d2a5b6110e6900b191123f940487040a770aa

SHA256
3a7fb45b49e026f5c517c5ea2dd99e40926e0fc9fd26b35053670461a52f3754

SHA512
683f776c7f821ccbd98f7ab117c19e6b174b46fd098f96465b6375013c1d6a0c495c958a38446c05c537835fbc6d2b96f255ddbfaf728175be4b50c480f9f52d

Download Submit
memory/292-94-0x00000000024B0000-0x00000000024D1000-memory.dmp

Filesize
132KB

Download
memory/292-343-0x00000000044D0000-0x00000000044F1000-memory.dmp

Filesize
132KB

Download
memory/292-175-0x00000000026B0000-0x00000000026D1000-memory.dmp

Filesize
132KB

Download
memory/292-155-0x00000000029C0000-0x00000000029E1000-memory.dmp

Filesize
132KB

Download
memory/292-196-0x00000000028F0000-0x0000000002911000-memory.dmp

Filesize
132KB

Download
memory/292-265-0x0000000003FC0000-0x0000000003FE1000-memory.dmp

Filesize
132KB

Download
memory/292-74-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/292-154-0x00000000024B0000-0x00000000024D1000-memory.dmp

Filesize
132KB

Download
memory/292-238-0x0000000004090000-0x00000000040B1000-memory.dmp

Filesize
132KB

Download
memory/292-320-0x00000000041A0000-0x00000000041C1000-memory.dmp

Filesize
132KB

Download
memory/292-321-0x00000000043E0000-0x0000000004401000-memory.dmp

Filesize
132KB

Download
memory/292-135-0x00000000028F0000-0x0000000002911000-memory.dmp

Filesize
132KB

Download
memory/292-325-0x0000000004130000-0x0000000004151000-memory.dmp

Filesize
132KB

Download
memory/292-216-0x00000000029C0000-0x00000000029E1000-memory.dmp

Filesize
132KB

Download
memory/292-258-0x00000000041A0000-0x00000000041C1000-memory.dmp

Filesize
132KB

Download
memory/292-115-0x00000000026B0000-0x00000000026D1000-memory.dmp

Filesize
132KB

Download
memory/292-257-0x0000000003EA0000-0x0000000003EC1000-memory.dmp

Filesize
132KB

Download
memory/292-220-0x0000000003E00000-0x0000000003E21000-memory.dmp

Filesize
132KB

Download
memory/292-300-0x0000000004090000-0x00000000040B1000-memory.dmp

Filesize
132KB

Download
memory/292-362-0x0000000004390000-0x00000000043B1000-memory.dmp

Filesize
132KB

Download
memory/292-95-0x00000000024B0000-0x00000000024D1000-memory.dmp

Filesize
132KB

Download
memory/368-198-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/368-156-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/616-240-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/616-197-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/972-171-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/972-214-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1004-137-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1004-96-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1020-235-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1032-192-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1312-66-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1312-64-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1312-56-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1312-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1312-57-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1312-59-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1312-60-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1312-97-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1312-67-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1312-65-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1372-303-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1372-259-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1524-89-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1540-219-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1540-176-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1692-178-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1692-136-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1712-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1812-130-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1844-217-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1844-261-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/1972-112-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2012-282-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/2012-239-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/2024-157-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/2024-116-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/2092-267-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2092-279-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2128-281-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/2128-324-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/2272-297-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2300-345-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/2300-301-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/2476-322-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/2476-365-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/2628-339-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2656-344-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/2828-363-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download
memory/2976-381-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3004-383-0x0000000013140000-0x000000001315F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads