xtremerat | eca97d7269a904a9671c828c7264407fa91d54aef414e07287aa148171104f9c

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41b804087a2da74fa613efd66fa8edcb.exe
Size

40KB
MD5

41b804087a2da74fa613efd66fa8edcb
SHA1

0701226e6636d7317afb8889594d1e877627e592
SHA256

eca97d7269a904a9671c828c7264407fa91d54aef414e07287aa148171104f9c
SHA512

8dceef9644807103809362955e84d7ff95b1d1d08c0f14f066477c872c0b900570db57b2eab8bf2207c5d1459d0a1b248f29f649f5a80010e608475bf1091f61
SSDEEP

768:NE9hYh7Nq2Ozhiow2Gkm6Bc3/9fzNBwIldgbzosd:Nu2hzOlw2GkmX3BBldg/ok

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 16 IoCs

resource	yara_rule
behavioral1/memory/2672-7-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2332-47-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2996-57-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/1312-241-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/files/0x002f000000015d58-240.dat	family_xtremerat
behavioral1/memory/2600-250-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/1624-299-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2336-386-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2176-395-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/1324-435-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2376-443-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2344-491-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2012-531-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2088-580-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2568-588-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/532-639-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Manipulates Digital Signatures 1 TTPs 13 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Policies\Microsoft\SystemCertificates\trust	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	41b804087a2da74fa613efd66fa8edcb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run	41b804087a2da74fa613efd66fa8edcb.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.bz2\shell\open\command	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.7z\shell	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.tgz\shell	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.rar\shell\open	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.gz\shell	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.gz	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.bz2\shell\open	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.7z\shell\open\command	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.tar\shell\open\command	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.rar\shell	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.bz2	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.7z	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\JavaPlugin.10802\CLSID	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\DefaultIcon	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.tgz	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.rar	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.gz\shell\open\command	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.bzip2\shell\open\command	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell\open\command	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell\open	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.rar\shell\open\command	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.bzip2\shell\open	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\JavaPlugin.10802	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.tgz\shell\open\command	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.bz2\shell	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.tar\shell	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.gz\shell\open	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.bzip2	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.7z\shell\open	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.tgz\shell\open	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.tar\shell\open	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.tar	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\7-Zip.bzip2\shell	41b804087a2da74fa613efd66fa8edcb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\MuiCache	41b804087a2da74fa613efd66fa8edcb.exe

C:\Users\Admin\AppData\Local\Temp\41b804087a2da74fa613efd66fa8edcb.exe
"C:\Users\Admin\AppData\Local\Temp\41b804087a2da74fa613efd66fa8edcb.exe"
1⤵
- Manipulates Digital Signatures
- Adds Run key to start application
- Modifies registry class
PID:2332
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2672
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2712
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2768
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2900
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2912
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2716
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2708
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2696
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2340
- C:\Windows\SysWOW64\InstallDir\Server.exe
  "C:\Windows\system32\InstallDir\Server.exe"
  2⤵
  PID:2596
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:676
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1752
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1360
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2616
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2552
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2848
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2856
- - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
    "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
    3⤵
    PID:2024
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:776
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1252
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2096
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:384
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:404
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1692
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\InstallDir\Server.exe
      "C:\Windows\system32\InstallDir\Server.exe"
      4⤵
      PID:596
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1896
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1560
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2532
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1148
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:912
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1588
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1016
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        5⤵
        
        PID:1312
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2304
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1652
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1808
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1736
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:816
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1688
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1376
      - C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        6⤵
        
        PID:1540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        7⤵
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        8⤵
        
        PID:2336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        9⤵
        
        PID:1324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        10⤵
        
        PID:2044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        11⤵
        
        PID:2012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        12⤵
        
        PID:2088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        13⤵
        
        PID:2176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        14⤵
        
        PID:2452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        15⤵
        
        PID:1512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\InstallDir\Server.exe
        
        "C:\Windows\system32\InstallDir\Server.exe"
        16⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        17⤵
        
        PID:2416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
        17⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        18⤵
        
        PID:2328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:1876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:1836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:1472

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:2996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:1020

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:1596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2380

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:2908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2956

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:1856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2424

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:2600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2884

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:1624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2128

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:2212

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:324

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:2176
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2568
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2904

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:2376

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:1800

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:2344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2244

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:344

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:1704

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:1980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3200
- C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
  "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
  2⤵
  PID:3512
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3364
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3352
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3344
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3332
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3324
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3312
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3304
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3284
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:3260

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:3264

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
1⤵
PID:3484
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3640
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3712
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3716
- C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
  "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
  2⤵
  PID:3856
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:3896
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3936
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4020
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4028
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4040
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4048
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4060
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4068
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\InstallDir\Server.exe
    "C:\Windows\system32\InstallDir\Server.exe"
    3⤵
    PID:3196
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3396

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:1208
- C:\Windows\SysWOW64\InstallDir\Server.exe
  "C:\Windows\system32\InstallDir\Server.exe"
  2⤵
  PID:3200
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2336
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2320
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:948
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1464
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2064
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1436
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2916
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:288
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:1540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:1112

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:1308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3208

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:3172

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
1⤵
PID:3116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3968

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3960

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3928

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3912

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:3888

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
1⤵
PID:3828

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3596

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:3572

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
1⤵
PID:1208

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2120
- C:\Windows\SysWOW64\InstallDir\Server.exe
  "C:\Windows\system32\InstallDir\Server.exe"
  2⤵
  PID:1436
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1532
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2836
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2996
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:452
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2940
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2060
- - C:\Windows\SysWOW64\InstallDir\Server.exe
    "C:\Windows\system32\InstallDir\Server.exe"
    3⤵
    PID:1604
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1620
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2868
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2824
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2704
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2592
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2004
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2596
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2896
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2412
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:488
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:764

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2260

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2052

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:1152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:1424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2276

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:1568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2740

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:1436
- C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
  "C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
  2⤵
  PID:1584
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1780
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1724
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2620
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2880
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2384
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2656
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1728
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2332
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2336

C:\Windows\SysWOW64\InstallDir\Server.exe
"C:\Windows\system32\InstallDir\Server.exe"
1⤵
PID:2364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3052

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:1512

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2272

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:2260

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
1⤵
PID:2120

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2496

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2292

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:360

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2512

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:1980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2648

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:1008

C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe
"C:\Users\Admin\AppData\Roaming\InstallDir\Server.exe"
1⤵
PID:2060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Y3Tr&lMG#.cfg

Filesize
1KB

MD5
26d236424d30e9999b59d0fb7398d100

SHA1
e31bbdffe7637d050819088a46f6eb20368cf90c

SHA256
1fc92235b9ee7ebde9b17e9f358be87097e0e73f3b8bf48b10645d6527607e3b

SHA512
56cd591f2eb19c6045d42a46eecd56ffb1a22ee7a225a7a9d338e86741635aaed820b8e792fd548bfe9a15392417f14fbaa474b821259ff38a4dab01c73509f7

Download Submit
C:\Windows\SysWOW64\InstallDir\Server.exe

Filesize
40KB

MD5
41b804087a2da74fa613efd66fa8edcb

SHA1
0701226e6636d7317afb8889594d1e877627e592

SHA256
eca97d7269a904a9671c828c7264407fa91d54aef414e07287aa148171104f9c

SHA512
8dceef9644807103809362955e84d7ff95b1d1d08c0f14f066477c872c0b900570db57b2eab8bf2207c5d1459d0a1b248f29f649f5a80010e608475bf1091f61

Download Submit
memory/532-639-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/596-193-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/764-960-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/936-1142-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/952-541-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1008-915-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1312-241-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1324-435-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1436-1097-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1540-289-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1596-105-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1624-299-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1856-201-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1980-687-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2012-531-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2024-145-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2044-482-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2088-580-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2176-395-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2212-347-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2260-1051-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2328-778-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2332-47-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2336-386-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2336-1006-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2344-491-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2376-443-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2416-733-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2568-588-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2596-97-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2600-250-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2672-5-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2672-7-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2896-869-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2908-154-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2984-339-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2996-57-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3172-1324-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3260-1188-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3264-1370-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3396-1461-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3572-1233-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3888-1279-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3896-1415-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads