xtremerat | 0b30c86d1ed315370a7bc285fbd4a93f910c993a77e3d2f47cc800f81c9875cb

Analysis

max time kernel
184s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 16:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
Size

88KB
MD5

7dca5b27a7a6ad3e8a5d910c3798c8f2
SHA1

b7da4adde00099a854b893b20059cd4a358d49dc
SHA256

0b30c86d1ed315370a7bc285fbd4a93f910c993a77e3d2f47cc800f81c9875cb
SHA512

602685a0db0efe40a0b45421bd45c82302869b8391c61309a0b4ac0a1756f6f2832c4fee6219b11b6e1af89298f636f3f2c5f3bcfc00a7c0014b52be65f4d0dc
SSDEEP

1536:SIF3NPZ+Ta57cE/EmJ2Dy80iUV51efTfmZkEsAPTaabPApa+f3md:nNReaJF/cy1CeZ9uazwaYK

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

fmrabod.no-ip.info

mrabod55.no-ip.info

Signatures

Detect XtremeRAT payload 48 IoCs

resource	yara_rule
behavioral1/memory/3040-6-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3040-7-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3040-8-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3040-9-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3040-10-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3040-13-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3040-14-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3040-15-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3040-17-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3040-24-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3040-29-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1828-51-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1828-56-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2344-73-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2344-76-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1520-93-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1520-97-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1988-113-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1988-116-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1720-133-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1720-137-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2692-154-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2692-157-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1536-174-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1536-178-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2908-195-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2908-200-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2476-217-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2476-220-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1980-237-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1980-241-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2112-258-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2112-263-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2664-280-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2664-283-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1696-299-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1696-304-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3000-319-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3000-322-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2028-338-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2028-342-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1976-358-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1976-363-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1400-380-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1400-386-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/324-403-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/324-408-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2668-424-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe

Executes dropped EXE 38 IoCs

pid	Process
2916	Server.exe
1828	Server.exe
552	Server.exe
2344	Server.exe
2932	Server.exe
1520	Server.exe
1644	Server.exe
1988	Server.exe
2540	Server.exe
1720	Server.exe
1860	Server.exe
2692	Server.exe
2644	Server.exe
1536	Server.exe
1688	Server.exe
2908	Server.exe
1248	Server.exe
2476	Server.exe
1316	Server.exe
1980	Server.exe
716	Server.exe
2112	Server.exe
2540	Server.exe
2664	Server.exe
3036	Server.exe
1696	Server.exe
2652	Server.exe
3000	Server.exe
2792	Server.exe
2028	Server.exe
1268	Server.exe
1976	Server.exe
2680	Server.exe
1400	Server.exe
1096	Server.exe
324	Server.exe
2228	Server.exe
2668	Server.exe

Loads dropped DLL 3 IoCs

pid	Process
3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
2916	Server.exe

Adds Run key to start application 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe

Suspicious use of SetThreadContext 20 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 3040	3068	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	29
PID 2916 set thread context of 1828	2916	Server.exe	39
PID 552 set thread context of 2344	552	Server.exe	49
PID 2932 set thread context of 1520	2932	Server.exe	59
PID 1644 set thread context of 1988	1644	Server.exe	69
PID 2540 set thread context of 1720	2540	Server.exe	79
PID 1860 set thread context of 2692	1860	Server.exe	89
PID 2644 set thread context of 1536	2644	Server.exe	99
PID 1688 set thread context of 2908	1688	Server.exe	109
PID 1248 set thread context of 2476	1248	Server.exe	119
PID 1316 set thread context of 1980	1316	Server.exe	129
PID 716 set thread context of 2112	716	Server.exe	139
PID 2540 set thread context of 2664	2540	Server.exe	149
PID 3036 set thread context of 1696	3036	Server.exe	159
PID 2652 set thread context of 3000	2652	Server.exe	169
PID 2792 set thread context of 2028	2792	Server.exe	179
PID 1268 set thread context of 1976	1268	Server.exe	189
PID 2680 set thread context of 1400	2680	Server.exe	199
PID 1096 set thread context of 324	1096	Server.exe	209
PID 2228 set thread context of 2668	2228	Server.exe	219

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
File created	C:\Windows\InstallDir\Server.exe	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
3068	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
2916	Server.exe
552	Server.exe
2932	Server.exe
1644	Server.exe
2540	Server.exe
1860	Server.exe
2644	Server.exe
1688	Server.exe
1248	Server.exe
1316	Server.exe
716	Server.exe
2540	Server.exe
3036	Server.exe
2652	Server.exe
2792	Server.exe
1268	Server.exe
2680	Server.exe
1096	Server.exe
2228	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 3040	3068	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	29
PID 3068 wrote to memory of 3040	3068	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	29
PID 3068 wrote to memory of 3040	3068	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	29
PID 3068 wrote to memory of 3040	3068	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	29
PID 3068 wrote to memory of 3040	3068	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	29
PID 3068 wrote to memory of 3040	3068	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	29
PID 3068 wrote to memory of 3040	3068	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	29
PID 3068 wrote to memory of 3040	3068	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	29
PID 3068 wrote to memory of 3040	3068	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	29
PID 3068 wrote to memory of 3040	3068	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	29
PID 3068 wrote to memory of 3040	3068	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	29
PID 3068 wrote to memory of 3040	3068	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	29
PID 3040 wrote to memory of 580	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	30
PID 3040 wrote to memory of 580	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	30
PID 3040 wrote to memory of 580	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	30
PID 3040 wrote to memory of 580	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	30
PID 3040 wrote to memory of 580	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	30
PID 3040 wrote to memory of 1556	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	31
PID 3040 wrote to memory of 1556	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	31
PID 3040 wrote to memory of 1556	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	31
PID 3040 wrote to memory of 1556	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	31
PID 3040 wrote to memory of 1556	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	31
PID 3040 wrote to memory of 1120	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	32
PID 3040 wrote to memory of 1120	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	32
PID 3040 wrote to memory of 1120	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	32
PID 3040 wrote to memory of 1120	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	32
PID 3040 wrote to memory of 1120	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	32
PID 3040 wrote to memory of 980	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	33
PID 3040 wrote to memory of 980	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	33
PID 3040 wrote to memory of 980	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	33
PID 3040 wrote to memory of 980	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	33
PID 3040 wrote to memory of 980	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	33
PID 3040 wrote to memory of 2864	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	34
PID 3040 wrote to memory of 2864	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	34
PID 3040 wrote to memory of 2864	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	34
PID 3040 wrote to memory of 2864	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	34
PID 3040 wrote to memory of 2864	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	34
PID 3040 wrote to memory of 2888	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	35
PID 3040 wrote to memory of 2888	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	35
PID 3040 wrote to memory of 2888	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	35
PID 3040 wrote to memory of 2888	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	35
PID 3040 wrote to memory of 2888	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	35
PID 3040 wrote to memory of 2912	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	36
PID 3040 wrote to memory of 2912	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	36
PID 3040 wrote to memory of 2912	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	36
PID 3040 wrote to memory of 2912	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	36
PID 3040 wrote to memory of 2912	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	36
PID 3040 wrote to memory of 2892	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	37
PID 3040 wrote to memory of 2892	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	37
PID 3040 wrote to memory of 2892	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	37
PID 3040 wrote to memory of 2892	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	37
PID 3040 wrote to memory of 2916	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	38
PID 3040 wrote to memory of 2916	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	38
PID 3040 wrote to memory of 2916	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	38
PID 3040 wrote to memory of 2916	3040	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	38
PID 2916 wrote to memory of 1828	2916	Server.exe	39
PID 2916 wrote to memory of 1828	2916	Server.exe	39
PID 2916 wrote to memory of 1828	2916	Server.exe	39
PID 2916 wrote to memory of 1828	2916	Server.exe	39
PID 2916 wrote to memory of 1828	2916	Server.exe	39
PID 2916 wrote to memory of 1828	2916	Server.exe	39
PID 2916 wrote to memory of 1828	2916	Server.exe	39
PID 2916 wrote to memory of 1828	2916	Server.exe	39
PID 2916 wrote to memory of 1828	2916	Server.exe	39

C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
"C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
  C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
  2⤵
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:580
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1556
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1120
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:980
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2864
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2888
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2912
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2892
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\InstallDir\Server.exe
      C:\Windows\InstallDir\Server.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      PID:1828
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1780
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:776
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1284
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:112
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:368
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2376
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:392
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1680
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:552
      - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1104
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:956
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1636
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2024
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        14⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2604
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        16⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2848
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        18⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1664
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1248
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        20⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2280
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        22⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:2332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1672
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:716
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        24⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:2192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1416
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        26⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:1752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:1608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:1596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2744
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        28⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:1552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:1296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:2432
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        30⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:1204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:772
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        32⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:1020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:2412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:2056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:2932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:1520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:1992
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        34⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:1928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:3024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2540
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        36⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:3036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:1952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:1008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:1724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:2816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:1508
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1096
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        38⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:2116
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        40⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:1300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:1984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:2112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:1004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
09862db99820c2609b7d06907a2b9510

SHA1
544d7bc29c2849ad9c562efc40155864c0b321e7

SHA256
05da3a977fc5d2929051fc28d61e6178fcb1a51dfb6c8a9e819ce53fe8c67788

SHA512
174145799bd57782d6ec309da8006b4f3a215573db1825ffbf3242939c013233aa07f43eca0f521bae548e0f6ab5bf6adcdc31e918e9532184301f7c0b0d4bc4

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
18KB

MD5
f60d315da503351409ee8b8910f8c9ea

SHA1
b53e375e0ad6e81087c155961703b63622cf0368

SHA256
4eb85d1ee54dae33c20effed8ae06ea5d8d8771c73568bea750ce65625534d82

SHA512
921bb5b60a02dfe092c90954da70986ed5f42a2d926535590d25f7d80cd32b4faf588324ce6defe63672e3941bf09049c806abab3e125382477f2c77bc11ba7f

Download Submit
\Windows\InstallDir\Server.exe

Filesize
88KB

MD5
7dca5b27a7a6ad3e8a5d910c3798c8f2

SHA1
b7da4adde00099a854b893b20059cd4a358d49dc

SHA256
0b30c86d1ed315370a7bc285fbd4a93f910c993a77e3d2f47cc800f81c9875cb

SHA512
602685a0db0efe40a0b45421bd45c82302869b8391c61309a0b4ac0a1756f6f2832c4fee6219b11b6e1af89298f636f3f2c5f3bcfc00a7c0014b52be65f4d0dc

Download Submit
memory/324-408-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/324-403-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/552-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/716-244-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-401-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1248-215-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1268-359-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1316-235-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1400-380-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1400-386-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1520-93-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1520-97-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1536-178-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1536-174-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1688-193-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1696-299-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1696-304-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1720-137-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1720-133-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1828-51-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1828-56-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1860-153-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1976-358-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1976-363-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1980-237-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1980-241-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1988-113-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1988-116-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2028-342-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2028-338-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2112-258-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2112-263-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2344-76-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2344-73-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2476-217-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2476-220-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2540-277-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2540-131-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2644-172-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-280-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2664-283-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2668-424-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2680-381-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2692-157-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2692-154-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2908-195-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2908-200-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2916-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2916-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2932-90-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3000-322-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3000-319-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3040-29-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3040-9-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3040-15-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3040-14-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3040-30-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/3040-17-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3040-13-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3040-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3040-10-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3040-4-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3040-8-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3040-7-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3040-24-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3040-6-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3040-5-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3068-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-3-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.