resource	yara_rule
behavioral2/memory/3260-3-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3260-4-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3260-6-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3260-7-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3260-18-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5020-29-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3260-33-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4952-42-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4952-43-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4952-48-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2492-55-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5020-56-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2492-57-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2492-62-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2272-68-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2272-70-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2272-75-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4288-81-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4288-83-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4288-88-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2304-96-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2304-101-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4876-109-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4876-114-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2036-122-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2036-127-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1500-135-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1500-140-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1116-147-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1116-148-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1116-153-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/564-160-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/564-161-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/564-166-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1092-174-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1092-179-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4392-187-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4392-193-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/672-198-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/672-200-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/672-205-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2544-213-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2544-218-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2852-226-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2852-231-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2256-239-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2256-244-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4328-252-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4328-257-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1284-263-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1284-265-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Server.exe

pid	Process
2276	Server.exe
5020	Server.exe
3824	Server.exe
4952	Server.exe
4412	Server.exe
2492	Server.exe
4080	Server.exe
2272	Server.exe
972	Server.exe
4288	Server.exe
1308	Server.exe
2304	Server.exe
5052	Server.exe
4876	Server.exe
2336	Server.exe
2036	Server.exe
5040	Server.exe
1500	Server.exe
840	Server.exe
1116	Server.exe
4220	Server.exe
564	Server.exe
404	Server.exe
1092	Server.exe
1308	Server.exe
4392	Server.exe
4084	Server.exe
672	Server.exe
3092	Server.exe
2544	Server.exe
5092	Server.exe
2852	Server.exe
1476	Server.exe
2256	Server.exe
3448	Server.exe
4328	Server.exe
1476	Server.exe
1284	Server.exe

description	pid	Process	procid_target
PID 1984 set thread context of 3260	1984	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	93
PID 2276 set thread context of 5020	2276	Server.exe	108
PID 3824 set thread context of 4952	3824	Server.exe	118
PID 4412 set thread context of 2492	4412	Server.exe	128
PID 4080 set thread context of 2272	4080	Server.exe	141
PID 972 set thread context of 4288	972	Server.exe	153
PID 1308 set thread context of 2304	1308	Server.exe	164
PID 5052 set thread context of 4876	5052	Server.exe	174
PID 2336 set thread context of 2036	2336	Server.exe	185
PID 5040 set thread context of 1500	5040	Server.exe	195
PID 840 set thread context of 1116	840	Server.exe	205
PID 4220 set thread context of 564	4220	Server.exe	215
PID 404 set thread context of 1092	404	Server.exe	225
PID 1308 set thread context of 4392	1308	Server.exe	235
PID 4084 set thread context of 672	4084	Server.exe	245
PID 3092 set thread context of 2544	3092	Server.exe	258
PID 5092 set thread context of 2852	5092	Server.exe	268
PID 1476 set thread context of 2256	1476	Server.exe	278
PID 3448 set thread context of 4328	3448	Server.exe	288
PID 1476 set thread context of 1284	1476	Server.exe	298

description	ioc	Process
File created	C:\Windows\InstallDir\Server.exe	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe

description	pid	Process	procid_target
PID 1984 wrote to memory of 3260	1984	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	93
PID 1984 wrote to memory of 3260	1984	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	93
PID 1984 wrote to memory of 3260	1984	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	93
PID 1984 wrote to memory of 3260	1984	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	93
PID 1984 wrote to memory of 3260	1984	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	93
PID 1984 wrote to memory of 3260	1984	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	93
PID 1984 wrote to memory of 3260	1984	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	93
PID 1984 wrote to memory of 3260	1984	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	93
PID 1984 wrote to memory of 3260	1984	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	93
PID 1984 wrote to memory of 3260	1984	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	93
PID 1984 wrote to memory of 3260	1984	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	93
PID 1984 wrote to memory of 3260	1984	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	93
PID 1984 wrote to memory of 3260	1984	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	93
PID 3260 wrote to memory of 3624	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	98
PID 3260 wrote to memory of 3624	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	98
PID 3260 wrote to memory of 3624	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	98
PID 3260 wrote to memory of 2224	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	99
PID 3260 wrote to memory of 2224	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	99
PID 3260 wrote to memory of 2224	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	99
PID 3260 wrote to memory of 1064	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	100
PID 3260 wrote to memory of 1064	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	100
PID 3260 wrote to memory of 1064	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	100
PID 3260 wrote to memory of 2108	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	101
PID 3260 wrote to memory of 2108	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	101
PID 3260 wrote to memory of 2108	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	101
PID 3260 wrote to memory of 5032	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	102
PID 3260 wrote to memory of 5032	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	102
PID 3260 wrote to memory of 5032	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	102
PID 3260 wrote to memory of 3832	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	103
PID 3260 wrote to memory of 3832	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	103
PID 3260 wrote to memory of 3832	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	103
PID 3260 wrote to memory of 2368	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	104
PID 3260 wrote to memory of 2368	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	104
PID 3260 wrote to memory of 2368	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	104
PID 3260 wrote to memory of 3440	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	105
PID 3260 wrote to memory of 3440	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	105
PID 3260 wrote to memory of 2276	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	107
PID 3260 wrote to memory of 2276	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	107
PID 3260 wrote to memory of 2276	3260	7dca5b27a7a6ad3e8a5d910c3798c8f2.exe	107
PID 2276 wrote to memory of 5020	2276	Server.exe	108
PID 2276 wrote to memory of 5020	2276	Server.exe	108
PID 2276 wrote to memory of 5020	2276	Server.exe	108
PID 2276 wrote to memory of 5020	2276	Server.exe	108
PID 2276 wrote to memory of 5020	2276	Server.exe	108
PID 2276 wrote to memory of 5020	2276	Server.exe	108
PID 2276 wrote to memory of 5020	2276	Server.exe	108
PID 2276 wrote to memory of 5020	2276	Server.exe	108
PID 2276 wrote to memory of 5020	2276	Server.exe	108
PID 2276 wrote to memory of 5020	2276	Server.exe	108
PID 2276 wrote to memory of 5020	2276	Server.exe	108
PID 2276 wrote to memory of 5020	2276	Server.exe	108
PID 2276 wrote to memory of 5020	2276	Server.exe	108
PID 5020 wrote to memory of 5008	5020	Server.exe	109
PID 5020 wrote to memory of 5008	5020	Server.exe	109
PID 5020 wrote to memory of 5008	5020	Server.exe	109
PID 5020 wrote to memory of 1976	5020	Server.exe	110
PID 5020 wrote to memory of 1976	5020	Server.exe	110
PID 5020 wrote to memory of 1976	5020	Server.exe	110
PID 5020 wrote to memory of 3544	5020	Server.exe	111
PID 5020 wrote to memory of 3544	5020	Server.exe	111
PID 5020 wrote to memory of 3544	5020	Server.exe	111
PID 5020 wrote to memory of 4448	5020	Server.exe	112
PID 5020 wrote to memory of 4448	5020	Server.exe	112
PID 5020 wrote to memory of 4448	5020	Server.exe	112

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.