xtremerat | 9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

Analysis

max time kernel
163s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
Size

401KB
MD5

e3ae1c8453baf65007b473efb93371a9
SHA1

3706c2e85ab4530c5a6053e404dfd79d2b73cf9a
SHA256

9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18
SHA512

ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427
SSDEEP

6144:GFC3m6jvWuAFvJeSUih1xW6PbYOary8fnVW5GJZ2tNYLj8MfsfH6x:GFGWBviU1x43ryuVzYKj86sfHU

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 32 IoCs

resource	yara_rule
behavioral2/memory/3208-135-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/3208-136-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/3208-137-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/3208-138-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/3208-140-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/2640-142-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/3208-149-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1704-154-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/2200-153-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/1704-167-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/2200-168-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/2200-171-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1704-175-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/4784-184-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/1688-185-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/4784-200-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/4784-195-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/3136-190-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/3136-207-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1688-208-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/4784-209-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/3136-215-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1688-218-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1308-227-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/1592-229-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/3140-230-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/1592-248-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1308-249-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/3140-250-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1308-251-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1592-252-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/3140-253-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 16 IoCs

pid	Process
5028	Server.exe
5000	Server.exe
2200	Server.exe
1704	Server.exe
4400	Server.exe
4420	Server.exe
1012	Server.exe
4784	Server.exe
1688	Server.exe
3136	Server.exe
2940	Server.exe
2032	Server.exe
3184	Server.exe
1308	Server.exe
3140	Server.exe
1592	Server.exe

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Server.exe

Adds Run key to start application 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 3808 set thread context of 3208	3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	82
PID 5000 set thread context of 2200	5000	Server.exe	98
PID 5028 set thread context of 1704	5028	Server.exe	99
PID 4420 set thread context of 4784	4420	Server.exe	120
PID 4400 set thread context of 1688	4400	Server.exe	119
PID 1012 set thread context of 3136	1012	Server.exe	121
PID 3184 set thread context of 1308	3184	Server.exe	144
PID 2940 set thread context of 3140	2940	Server.exe	146
PID 2032 set thread context of 1592	2032	Server.exe	145

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
File created	C:\Windows\InstallDir\Server.exe	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
5000	Server.exe
5028	Server.exe
4420	Server.exe
4400	Server.exe
1012	Server.exe
2940	Server.exe
3184	Server.exe
2032	Server.exe
3140	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 3208	3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	82
PID 3808 wrote to memory of 3208	3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	82
PID 3808 wrote to memory of 3208	3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	82
PID 3808 wrote to memory of 3208	3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	82
PID 3808 wrote to memory of 3208	3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	82
PID 3808 wrote to memory of 3208	3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	82
PID 3808 wrote to memory of 3208	3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	82
PID 3808 wrote to memory of 3208	3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	82
PID 3808 wrote to memory of 3208	3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	82
PID 3808 wrote to memory of 3208	3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	82
PID 3808 wrote to memory of 3208	3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	82
PID 3808 wrote to memory of 3208	3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	82
PID 3808 wrote to memory of 3208	3808	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	82
PID 3208 wrote to memory of 2640	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	83
PID 3208 wrote to memory of 2640	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	83
PID 3208 wrote to memory of 2640	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	83
PID 3208 wrote to memory of 2640	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	83
PID 3208 wrote to memory of 1264	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	86
PID 3208 wrote to memory of 1264	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	86
PID 3208 wrote to memory of 1264	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	86
PID 3208 wrote to memory of 3652	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	87
PID 3208 wrote to memory of 3652	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	87
PID 3208 wrote to memory of 3652	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	87
PID 3208 wrote to memory of 3624	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	88
PID 3208 wrote to memory of 3624	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	88
PID 3208 wrote to memory of 3624	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	88
PID 3208 wrote to memory of 2920	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	89
PID 3208 wrote to memory of 2920	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	89
PID 3208 wrote to memory of 2920	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	89
PID 3208 wrote to memory of 5040	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	90
PID 3208 wrote to memory of 5040	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	90
PID 3208 wrote to memory of 5040	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	90
PID 3208 wrote to memory of 4412	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	91
PID 3208 wrote to memory of 4412	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	91
PID 3208 wrote to memory of 4412	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	91
PID 3208 wrote to memory of 4304	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	92
PID 3208 wrote to memory of 4304	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	92
PID 3208 wrote to memory of 4304	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	92
PID 3208 wrote to memory of 1652	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	93
PID 3208 wrote to memory of 1652	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	93
PID 2640 wrote to memory of 5028	2640	svchost.exe	96
PID 2640 wrote to memory of 5028	2640	svchost.exe	96
PID 2640 wrote to memory of 5028	2640	svchost.exe	96
PID 3208 wrote to memory of 5000	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	97
PID 3208 wrote to memory of 5000	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	97
PID 3208 wrote to memory of 5000	3208	9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe	97
PID 5000 wrote to memory of 2200	5000	Server.exe	98
PID 5000 wrote to memory of 2200	5000	Server.exe	98
PID 5000 wrote to memory of 2200	5000	Server.exe	98
PID 5000 wrote to memory of 2200	5000	Server.exe	98
PID 5000 wrote to memory of 2200	5000	Server.exe	98
PID 5000 wrote to memory of 2200	5000	Server.exe	98
PID 5000 wrote to memory of 2200	5000	Server.exe	98
PID 5000 wrote to memory of 2200	5000	Server.exe	98
PID 5000 wrote to memory of 2200	5000	Server.exe	98
PID 5000 wrote to memory of 2200	5000	Server.exe	98
PID 5000 wrote to memory of 2200	5000	Server.exe	98
PID 5000 wrote to memory of 2200	5000	Server.exe	98
PID 5028 wrote to memory of 1704	5028	Server.exe	99
PID 5028 wrote to memory of 1704	5028	Server.exe	99
PID 5028 wrote to memory of 1704	5028	Server.exe	99
PID 5028 wrote to memory of 1704	5028	Server.exe	99
PID 5028 wrote to memory of 1704	5028	Server.exe	99
PID 5028 wrote to memory of 1704	5028	Server.exe	99

C:\Users\Admin\AppData\Local\Temp\9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
"C:\Users\Admin\AppData\Local\Temp\9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Users\Admin\AppData\Local\Temp\9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe
  "C:\Users\Admin\AppData\Local\Temp\9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:1704
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3032
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4344
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1796
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4420
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:4784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2536
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:1012
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:3136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4788
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1872
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1656
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2808
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:2940
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:5040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1652
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Modifies Installed Components in the registry
      Checks computer location settings
      Adds Run key to start application
      Drops file in Windows directory
      Modifies registry class
      PID:2200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4024
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4400
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:1688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1732
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3184
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
0468d395e88014480a2dd516251c054e

SHA1
6e557e58171ef90b658dae0a1c646cca9909bc94

SHA256
eca064b2de63ba4741b8e3e2c7b0616b04c5cd383d83149bbf91c9359be8f67b

SHA512
2b31c47402db4aa9df38a39efd7238852ccee3e1b2dbd9c1254a9ec8d9c126cbc462aa9dd1e0731532a45de060354f3cb862d4b3f6a8ab6e68e52737ce9eda09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
0468d395e88014480a2dd516251c054e

SHA1
6e557e58171ef90b658dae0a1c646cca9909bc94

SHA256
eca064b2de63ba4741b8e3e2c7b0616b04c5cd383d83149bbf91c9359be8f67b

SHA512
2b31c47402db4aa9df38a39efd7238852ccee3e1b2dbd9c1254a9ec8d9c126cbc462aa9dd1e0731532a45de060354f3cb862d4b3f6a8ab6e68e52737ce9eda09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
0468d395e88014480a2dd516251c054e

SHA1
6e557e58171ef90b658dae0a1c646cca9909bc94

SHA256
eca064b2de63ba4741b8e3e2c7b0616b04c5cd383d83149bbf91c9359be8f67b

SHA512
2b31c47402db4aa9df38a39efd7238852ccee3e1b2dbd9c1254a9ec8d9c126cbc462aa9dd1e0731532a45de060354f3cb862d4b3f6a8ab6e68e52737ce9eda09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
0468d395e88014480a2dd516251c054e

SHA1
6e557e58171ef90b658dae0a1c646cca9909bc94

SHA256
eca064b2de63ba4741b8e3e2c7b0616b04c5cd383d83149bbf91c9359be8f67b

SHA512
2b31c47402db4aa9df38a39efd7238852ccee3e1b2dbd9c1254a9ec8d9c126cbc462aa9dd1e0731532a45de060354f3cb862d4b3f6a8ab6e68e52737ce9eda09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
0468d395e88014480a2dd516251c054e

SHA1
6e557e58171ef90b658dae0a1c646cca9909bc94

SHA256
eca064b2de63ba4741b8e3e2c7b0616b04c5cd383d83149bbf91c9359be8f67b

SHA512
2b31c47402db4aa9df38a39efd7238852ccee3e1b2dbd9c1254a9ec8d9c126cbc462aa9dd1e0731532a45de060354f3cb862d4b3f6a8ab6e68e52737ce9eda09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
0468d395e88014480a2dd516251c054e

SHA1
6e557e58171ef90b658dae0a1c646cca9909bc94

SHA256
eca064b2de63ba4741b8e3e2c7b0616b04c5cd383d83149bbf91c9359be8f67b

SHA512
2b31c47402db4aa9df38a39efd7238852ccee3e1b2dbd9c1254a9ec8d9c126cbc462aa9dd1e0731532a45de060354f3cb862d4b3f6a8ab6e68e52737ce9eda09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
0468d395e88014480a2dd516251c054e

SHA1
6e557e58171ef90b658dae0a1c646cca9909bc94

SHA256
eca064b2de63ba4741b8e3e2c7b0616b04c5cd383d83149bbf91c9359be8f67b

SHA512
2b31c47402db4aa9df38a39efd7238852ccee3e1b2dbd9c1254a9ec8d9c126cbc462aa9dd1e0731532a45de060354f3cb862d4b3f6a8ab6e68e52737ce9eda09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
0468d395e88014480a2dd516251c054e

SHA1
6e557e58171ef90b658dae0a1c646cca9909bc94

SHA256
eca064b2de63ba4741b8e3e2c7b0616b04c5cd383d83149bbf91c9359be8f67b

SHA512
2b31c47402db4aa9df38a39efd7238852ccee3e1b2dbd9c1254a9ec8d9c126cbc462aa9dd1e0731532a45de060354f3cb862d4b3f6a8ab6e68e52737ce9eda09

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
401KB

MD5
e3ae1c8453baf65007b473efb93371a9

SHA1
3706c2e85ab4530c5a6053e404dfd79d2b73cf9a

SHA256
9761bdcf74e704ce41edbc8aca50f1cd9ca7173ac701732ab2a6ce502a4c7f18

SHA512
ad6d5a6569142c37827fcbe57c3798f8bed437c7db688d1488c0a5d3d162fb2eb65d21c2d26265b81e84b695a8ecad03e2a75226e2f2779d3aafe7214f234427

Download Submit
memory/1012-204-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1012-193-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1308-251-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1308-249-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1592-248-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1592-252-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1688-218-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1688-208-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1704-175-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1704-167-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2032-244-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2032-226-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2200-168-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2200-171-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2940-212-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2940-243-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3136-207-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3136-215-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3140-250-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3140-253-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3184-242-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3184-225-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3208-141-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3208-140-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3208-136-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3208-137-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3208-138-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3208-149-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3808-139-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3808-132-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4400-202-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4400-172-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4420-197-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4784-209-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4784-195-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4784-200-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/5000-163-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/5028-164-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads