Malware Analysis Report

2025-06-16 01:06

Sample ID 231226-vaevzseeb7
Target 7dca5b27a7a6ad3e8a5d910c3798c8f2
SHA256 0b30c86d1ed315370a7bc285fbd4a93f910c993a77e3d2f47cc800f81c9875cb
Tags
xtremerat persistence rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b30c86d1ed315370a7bc285fbd4a93f910c993a77e3d2f47cc800f81c9875cb

Threat Level: Known bad

The file 7dca5b27a7a6ad3e8a5d910c3798c8f2 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware

Detect XtremeRAT payload

XtremeRAT

Modifies Installed Components in the registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 16:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 16:46

Reported

2024-01-06 21:15

Platform

win7-20231215-en

Max time kernel

184s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3068 set thread context of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 2916 set thread context of 1828 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 552 set thread context of 2344 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2932 set thread context of 1520 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1644 set thread context of 1988 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2540 set thread context of 1720 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1860 set thread context of 2692 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2644 set thread context of 1536 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1688 set thread context of 2908 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1248 set thread context of 2476 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1316 set thread context of 1980 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 716 set thread context of 2112 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2540 set thread context of 2664 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 3036 set thread context of 1696 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2652 set thread context of 3000 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2792 set thread context of 2028 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1268 set thread context of 1976 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2680 set thread context of 1400 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1096 set thread context of 324 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2228 set thread context of 2668 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe N/A
File created C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 3068 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 3068 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 3068 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 3068 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 3068 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 3068 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 3068 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 3068 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 3068 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 3068 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 3068 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 3040 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Windows\InstallDir\Server.exe
PID 3040 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Windows\InstallDir\Server.exe
PID 3040 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Windows\InstallDir\Server.exe
PID 3040 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Windows\InstallDir\Server.exe
PID 2916 wrote to memory of 1828 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2916 wrote to memory of 1828 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2916 wrote to memory of 1828 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2916 wrote to memory of 1828 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2916 wrote to memory of 1828 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2916 wrote to memory of 1828 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2916 wrote to memory of 1828 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2916 wrote to memory of 1828 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2916 wrote to memory of 1828 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe

"C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe"

C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe

C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

Network

N/A

Files

memory/3068-0-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3068-3-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3040-4-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3040-5-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3040-6-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3040-7-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3040-8-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3040-9-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3040-10-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3040-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3040-13-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3040-14-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3040-15-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3068-16-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3040-17-0x0000000000C80000-0x0000000000C93000-memory.dmp

\Windows\InstallDir\Server.exe

MD5 7dca5b27a7a6ad3e8a5d910c3798c8f2
SHA1 b7da4adde00099a854b893b20059cd4a358d49dc
SHA256 0b30c86d1ed315370a7bc285fbd4a93f910c993a77e3d2f47cc800f81c9875cb
SHA512 602685a0db0efe40a0b45421bd45c82302869b8391c61309a0b4ac0a1756f6f2832c4fee6219b11b6e1af89298f636f3f2c5f3bcfc00a7c0014b52be65f4d0dc

memory/3040-24-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2916-32-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\InstallDir\Server.exe

MD5 f60d315da503351409ee8b8910f8c9ea
SHA1 b53e375e0ad6e81087c155961703b63622cf0368
SHA256 4eb85d1ee54dae33c20effed8ae06ea5d8d8771c73568bea750ce65625534d82
SHA512 921bb5b60a02dfe092c90954da70986ed5f42a2d926535590d25f7d80cd32b4faf588324ce6defe63672e3941bf09049c806abab3e125382477f2c77bc11ba7f

memory/3040-30-0x0000000002810000-0x0000000002818000-memory.dmp

memory/3040-29-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2916-50-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1828-51-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

MD5 09862db99820c2609b7d06907a2b9510
SHA1 544d7bc29c2849ad9c562efc40155864c0b321e7
SHA256 05da3a977fc5d2929051fc28d61e6178fcb1a51dfb6c8a9e819ce53fe8c67788
SHA512 174145799bd57782d6ec309da8006b4f3a215573db1825ffbf3242939c013233aa07f43eca0f521bae548e0f6ab5bf6adcdc31e918e9532184301f7c0b0d4bc4

memory/1828-56-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/552-71-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2344-73-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2344-76-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2932-90-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1520-93-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1520-97-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1988-113-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1988-116-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2540-131-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1720-133-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1720-137-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1860-153-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2692-154-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2692-157-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2644-172-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1536-174-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1536-178-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1688-193-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2908-195-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2908-200-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1248-215-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2476-217-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2476-220-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1316-235-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1980-237-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1980-241-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/716-244-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2112-258-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2112-263-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2540-277-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2664-280-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2664-283-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1696-299-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1696-304-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3000-319-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3000-322-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2028-338-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2028-342-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1976-358-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1268-359-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1976-363-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1400-380-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2680-381-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1400-386-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1096-401-0x0000000000400000-0x0000000000408000-memory.dmp

memory/324-403-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/324-408-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2668-424-0x0000000000C80000-0x0000000000C93000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 16:46

Reported

2024-01-06 21:14

Platform

win10v2004-20231215-en

Max time kernel

162s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1984 set thread context of 3260 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 2276 set thread context of 5020 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 3824 set thread context of 4952 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 4412 set thread context of 2492 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 4080 set thread context of 2272 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 972 set thread context of 4288 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1308 set thread context of 2304 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5052 set thread context of 4876 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2336 set thread context of 2036 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5040 set thread context of 1500 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 840 set thread context of 1116 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 4220 set thread context of 564 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 404 set thread context of 1092 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1308 set thread context of 4392 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 4084 set thread context of 672 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 3092 set thread context of 2544 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5092 set thread context of 2852 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1476 set thread context of 2256 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 3448 set thread context of 4328 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 1476 set thread context of 1284 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 1984 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 1984 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 1984 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 1984 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 1984 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 1984 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 1984 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 1984 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 1984 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 1984 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 1984 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 1984 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
PID 3260 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3260 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Windows\InstallDir\Server.exe
PID 3260 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Windows\InstallDir\Server.exe
PID 3260 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe C:\Windows\InstallDir\Server.exe
PID 2276 wrote to memory of 5020 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2276 wrote to memory of 5020 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2276 wrote to memory of 5020 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2276 wrote to memory of 5020 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2276 wrote to memory of 5020 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2276 wrote to memory of 5020 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2276 wrote to memory of 5020 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2276 wrote to memory of 5020 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2276 wrote to memory of 5020 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2276 wrote to memory of 5020 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2276 wrote to memory of 5020 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2276 wrote to memory of 5020 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 2276 wrote to memory of 5020 N/A C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe
PID 5020 wrote to memory of 5008 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 5008 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 5008 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 1976 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 1976 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 1976 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3544 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3544 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3544 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4448 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4448 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4448 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe

"C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe"

C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe

C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\InstallDir\Server.exe

C:\Windows\InstallDir\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

memory/1984-0-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3260-3-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3260-4-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1984-5-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3260-6-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3260-7-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Windows\InstallDir\Server.exe

MD5 7dca5b27a7a6ad3e8a5d910c3798c8f2
SHA1 b7da4adde00099a854b893b20059cd4a358d49dc
SHA256 0b30c86d1ed315370a7bc285fbd4a93f910c993a77e3d2f47cc800f81c9875cb
SHA512 602685a0db0efe40a0b45421bd45c82302869b8391c61309a0b4ac0a1756f6f2832c4fee6219b11b6e1af89298f636f3f2c5f3bcfc00a7c0014b52be65f4d0dc

memory/3260-18-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2276-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5020-29-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

MD5 09862db99820c2609b7d06907a2b9510
SHA1 544d7bc29c2849ad9c562efc40155864c0b321e7
SHA256 05da3a977fc5d2929051fc28d61e6178fcb1a51dfb6c8a9e819ce53fe8c67788
SHA512 174145799bd57782d6ec309da8006b4f3a215573db1825ffbf3242939c013233aa07f43eca0f521bae548e0f6ab5bf6adcdc31e918e9532184301f7c0b0d4bc4

memory/3260-33-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3824-35-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4952-42-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3824-41-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4952-43-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4952-48-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4412-54-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2492-55-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5020-56-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2492-57-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2492-62-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2272-68-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4080-69-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2272-70-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2272-75-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/972-82-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4288-81-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4288-83-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4288-88-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1308-95-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2304-96-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2304-101-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5052-107-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4876-109-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4876-114-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2336-121-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2036-122-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2036-127-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5040-133-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1500-135-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1500-140-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/840-146-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1116-147-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1116-148-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1116-153-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/564-160-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4220-159-0x0000000000400000-0x0000000000408000-memory.dmp

memory/564-161-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/564-166-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/404-172-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1092-174-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1092-179-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1308-185-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4392-187-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4392-193-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/672-198-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4084-199-0x0000000000400000-0x0000000000408000-memory.dmp

memory/672-200-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/672-205-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3092-211-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2544-213-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2544-218-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5092-225-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2852-226-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2852-231-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1476-237-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2256-239-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2256-244-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3448-251-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4328-252-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4328-257-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1476-264-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1284-263-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1284-265-0x0000000000C80000-0x0000000000C93000-memory.dmp