xtremerat | f0681dc50e4fc46694f011936d37d95fae6a21ad3780452446c6c9b1d2dafc56

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73eae01801ae6766aef554a74b10cf0f.exe
Size

21KB
MD5

73eae01801ae6766aef554a74b10cf0f
SHA1

030c20b6e6dee94dbcf895ab61aa3bc389cd9488
SHA256

f0681dc50e4fc46694f011936d37d95fae6a21ad3780452446c6c9b1d2dafc56
SHA512

574faae9153e708a48ae161a8e65f8790fb6cf2313724278386130e573b6d125de85633c25bfde519d66a2201eadcf22812c92cbe00e12a409c31d1a4b4a28b8
SSDEEP

384:iIdmF+Ti213fEF9QZd/cBr5M/gOjkaS4s/1k5YiZNl+CpQ4s7X4pLR:iIsF81fG9QveLOYTe5YiUCpQfU

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

mpc1234.no-ip.org

Signatures

Detect XtremeRAT payload 64 IoCs

resource	yara_rule
behavioral1/memory/2420-9-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3052-15-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2116-19-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2640-20-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2548-26-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2640-30-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2548-32-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2552-33-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2552-36-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1904-37-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1904-44-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1260-47-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1440-49-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1440-52-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2368-54-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3000-59-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/944-65-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2368-64-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3000-68-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2236-71-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/892-72-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/944-76-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2236-77-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1636-80-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/892-79-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2392-86-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1636-89-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1988-90-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2392-94-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1692-96-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2172-99-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2172-103-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1988-105-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1260-106-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1692-109-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2168-110-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1260-114-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/880-115-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2168-121-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2980-122-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1956-127-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/880-131-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2824-132-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2980-133-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1856-136-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1956-140-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3000-145-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2824-146-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1856-149-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/740-152-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1252-155-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1692-158-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/800-159-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1252-162-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2312-170-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3332-171-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3124-174-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3084-175-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3420-180-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3332-181-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3620-183-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3464-188-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3724-187-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3736-189-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	73eae01801ae6766aef554a74b10cf0f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	Server.exe

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6O238J7T-4Q1I-547O-4HQ0-CJ85A07LQUF0}	Server.exe

Executes dropped EXE 64 IoCs

pid	Process
2116	Server.exe
2640	Server.exe
2548	Server.exe
2552	Server.exe
1904	Server.exe
1260	Server.exe
1440	Server.exe
2368	Server.exe
3000	Server.exe
944	Server.exe
2236	Server.exe
892	Server.exe
1636	Server.exe
2392	Server.exe
1988	Server.exe
1692	Server.exe
2172	Server.exe
1260	Server.exe
2168	Server.exe
880	Server.exe
2980	Server.exe
1956	Server.exe
2824	Server.exe
1856	Server.exe
740	Server.exe
3000	Server.exe
1692	Server.exe
800	Server.exe
1252	Server.exe
2312	Server.exe
3084	Server.exe
3124	Server.exe
3332	Server.exe
3420	Server.exe
3464	Server.exe
3620	Server.exe
3724	Server.exe
3736	Server.exe
3916	Server.exe
4012	Server.exe
4064	Server.exe
3368	Server.exe
3404	Server.exe
3704	Server.exe
3908	Server.exe
4040	Server.exe
3600	Server.exe
3764	Server.exe
3464	Server.exe
916	Server.exe
3928	Server.exe
4220	Server.exe
4300	Server.exe
4320	Server.exe
4552	Server.exe
4652	Server.exe
4720	Server.exe
4740	Server.exe
4924	Server.exe
4976	Server.exe
4208	Server.exe
3484	Server.exe
4312	Server.exe
4324	Server.exe

Loads dropped DLL 26 IoCs

pid	Process
3052	73eae01801ae6766aef554a74b10cf0f.exe
3052	73eae01801ae6766aef554a74b10cf0f.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3052-0-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2420-9-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/files/0x0037000000015c83-10.dat	upx
behavioral1/memory/3052-12-0x0000000002FC0000-0x0000000002FD6000-memory.dmp	upx
behavioral1/memory/2116-16-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/3052-15-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2116-19-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2640-20-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2548-26-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2640-30-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2548-32-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2552-33-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2552-36-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1904-37-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1260-42-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1904-44-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1260-47-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1440-49-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1440-52-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2368-54-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/3000-59-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/944-65-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2368-64-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/3000-68-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2236-71-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/892-72-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/944-76-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2236-77-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1636-80-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/892-79-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2392-86-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2420-85-0x0000000003E10000-0x0000000003E26000-memory.dmp	upx
behavioral1/memory/1636-89-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1988-90-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2392-94-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1692-96-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2172-99-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2172-103-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1988-105-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1260-106-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1692-109-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2168-110-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1260-114-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/880-115-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2168-121-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2980-122-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1956-127-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/880-131-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2824-132-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2980-133-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1856-136-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1956-140-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/3000-143-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/3000-145-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2824-146-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1856-149-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/740-152-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1252-155-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1692-158-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/800-159-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1252-162-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/3124-166-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2312-170-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/3332-171-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	73eae01801ae6766aef554a74b10cf0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	73eae01801ae6766aef554a74b10cf0f.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File created	C:\Windows\InstallDir\Server.exe	73eae01801ae6766aef554a74b10cf0f.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2420	3052	73eae01801ae6766aef554a74b10cf0f.exe	28
PID 3052 wrote to memory of 2420	3052	73eae01801ae6766aef554a74b10cf0f.exe	28
PID 3052 wrote to memory of 2420	3052	73eae01801ae6766aef554a74b10cf0f.exe	28
PID 3052 wrote to memory of 2420	3052	73eae01801ae6766aef554a74b10cf0f.exe	28
PID 3052 wrote to memory of 2420	3052	73eae01801ae6766aef554a74b10cf0f.exe	28
PID 3052 wrote to memory of 2672	3052	73eae01801ae6766aef554a74b10cf0f.exe	29
PID 3052 wrote to memory of 2672	3052	73eae01801ae6766aef554a74b10cf0f.exe	29
PID 3052 wrote to memory of 2672	3052	73eae01801ae6766aef554a74b10cf0f.exe	29
PID 3052 wrote to memory of 2672	3052	73eae01801ae6766aef554a74b10cf0f.exe	29
PID 3052 wrote to memory of 2672	3052	73eae01801ae6766aef554a74b10cf0f.exe	29
PID 3052 wrote to memory of 2712	3052	73eae01801ae6766aef554a74b10cf0f.exe	30
PID 3052 wrote to memory of 2712	3052	73eae01801ae6766aef554a74b10cf0f.exe	30
PID 3052 wrote to memory of 2712	3052	73eae01801ae6766aef554a74b10cf0f.exe	30
PID 3052 wrote to memory of 2712	3052	73eae01801ae6766aef554a74b10cf0f.exe	30
PID 3052 wrote to memory of 2712	3052	73eae01801ae6766aef554a74b10cf0f.exe	30
PID 3052 wrote to memory of 2784	3052	73eae01801ae6766aef554a74b10cf0f.exe	31
PID 3052 wrote to memory of 2784	3052	73eae01801ae6766aef554a74b10cf0f.exe	31
PID 3052 wrote to memory of 2784	3052	73eae01801ae6766aef554a74b10cf0f.exe	31
PID 3052 wrote to memory of 2784	3052	73eae01801ae6766aef554a74b10cf0f.exe	31
PID 3052 wrote to memory of 2784	3052	73eae01801ae6766aef554a74b10cf0f.exe	31
PID 3052 wrote to memory of 2764	3052	73eae01801ae6766aef554a74b10cf0f.exe	32
PID 3052 wrote to memory of 2764	3052	73eae01801ae6766aef554a74b10cf0f.exe	32
PID 3052 wrote to memory of 2764	3052	73eae01801ae6766aef554a74b10cf0f.exe	32
PID 3052 wrote to memory of 2764	3052	73eae01801ae6766aef554a74b10cf0f.exe	32
PID 3052 wrote to memory of 2764	3052	73eae01801ae6766aef554a74b10cf0f.exe	32
PID 3052 wrote to memory of 2792	3052	73eae01801ae6766aef554a74b10cf0f.exe	33
PID 3052 wrote to memory of 2792	3052	73eae01801ae6766aef554a74b10cf0f.exe	33
PID 3052 wrote to memory of 2792	3052	73eae01801ae6766aef554a74b10cf0f.exe	33
PID 3052 wrote to memory of 2792	3052	73eae01801ae6766aef554a74b10cf0f.exe	33
PID 3052 wrote to memory of 2792	3052	73eae01801ae6766aef554a74b10cf0f.exe	33
PID 3052 wrote to memory of 2848	3052	73eae01801ae6766aef554a74b10cf0f.exe	34
PID 3052 wrote to memory of 2848	3052	73eae01801ae6766aef554a74b10cf0f.exe	34
PID 3052 wrote to memory of 2848	3052	73eae01801ae6766aef554a74b10cf0f.exe	34
PID 3052 wrote to memory of 2848	3052	73eae01801ae6766aef554a74b10cf0f.exe	34
PID 3052 wrote to memory of 2848	3052	73eae01801ae6766aef554a74b10cf0f.exe	34
PID 3052 wrote to memory of 2768	3052	73eae01801ae6766aef554a74b10cf0f.exe	35
PID 3052 wrote to memory of 2768	3052	73eae01801ae6766aef554a74b10cf0f.exe	35
PID 3052 wrote to memory of 2768	3052	73eae01801ae6766aef554a74b10cf0f.exe	35
PID 3052 wrote to memory of 2768	3052	73eae01801ae6766aef554a74b10cf0f.exe	35
PID 3052 wrote to memory of 2768	3052	73eae01801ae6766aef554a74b10cf0f.exe	35
PID 3052 wrote to memory of 2992	3052	73eae01801ae6766aef554a74b10cf0f.exe	36
PID 3052 wrote to memory of 2992	3052	73eae01801ae6766aef554a74b10cf0f.exe	36
PID 3052 wrote to memory of 2992	3052	73eae01801ae6766aef554a74b10cf0f.exe	36
PID 3052 wrote to memory of 2992	3052	73eae01801ae6766aef554a74b10cf0f.exe	36
PID 3052 wrote to memory of 2116	3052	73eae01801ae6766aef554a74b10cf0f.exe	37
PID 3052 wrote to memory of 2116	3052	73eae01801ae6766aef554a74b10cf0f.exe	37
PID 3052 wrote to memory of 2116	3052	73eae01801ae6766aef554a74b10cf0f.exe	37
PID 3052 wrote to memory of 2116	3052	73eae01801ae6766aef554a74b10cf0f.exe	37
PID 2116 wrote to memory of 2812	2116	Server.exe	38
PID 2116 wrote to memory of 2812	2116	Server.exe	38
PID 2116 wrote to memory of 2812	2116	Server.exe	38
PID 2116 wrote to memory of 2812	2116	Server.exe	38
PID 2116 wrote to memory of 2812	2116	Server.exe	38
PID 2116 wrote to memory of 2924	2116	Server.exe	39
PID 2116 wrote to memory of 2924	2116	Server.exe	39
PID 2116 wrote to memory of 2924	2116	Server.exe	39
PID 2116 wrote to memory of 2924	2116	Server.exe	39
PID 2116 wrote to memory of 2924	2116	Server.exe	39
PID 2116 wrote to memory of 2084	2116	Server.exe	40
PID 2116 wrote to memory of 2084	2116	Server.exe	40
PID 2116 wrote to memory of 2084	2116	Server.exe	40
PID 2116 wrote to memory of 2084	2116	Server.exe	40
PID 2116 wrote to memory of 2084	2116	Server.exe	40
PID 2116 wrote to memory of 2728	2116	Server.exe	41

C:\Users\Admin\AppData\Local\Temp\73eae01801ae6766aef554a74b10cf0f.exe
"C:\Users\Admin\AppData\Local\Temp\73eae01801ae6766aef554a74b10cf0f.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Adds Run key to start application
  PID:2420
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2548
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2916
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2912
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2828
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2896
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2956
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2944
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2972
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3060
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Modifies WinLogon for persistence
      Adds policy Run key to start application
      Executes dropped EXE
      PID:2552
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1976
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2004
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1556
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1592
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1992
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2188
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1648
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:308
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:1904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:760
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:1260
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2808
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2748
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1656
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1104
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1480
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1300
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:304
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:328
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      PID:1440
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1332
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:840
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2248
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2036
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3008
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2340
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2212
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2220
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:2368
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1804
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2352
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2464
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2968
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:688
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1788
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        
        PID:944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1048
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:904
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2356
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2996
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1088
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1876
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1912
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1352
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:940
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      PID:2236
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    PID:892
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1792
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2280
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2008
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2380
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1848
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1780
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1620
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:836
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Modifies WinLogon for persistence
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Executes dropped EXE
      PID:1636
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2052
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1920
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2860
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2696
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2068
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:856
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2636
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2616
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1988
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2504
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1552
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:524
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1256
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:516
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1240
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Adds policy Run key to start application
        Executes dropped EXE
        
        PID:1260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2376
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1020
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2604
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2196
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2392
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:796
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2800
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2816
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3052
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2756
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2564
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2872
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2080
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      PID:1692
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1336
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1708
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2552
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:268
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2384
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1904
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1724
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1536
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Modifies WinLogon for persistence
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2168
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1840
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3020
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1664
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1516
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1036
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1040
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2304
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:1856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:900
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Modifies WinLogon for persistence
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1956
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3300
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Modifies WinLogon for persistence
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3588
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3884
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        12⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:4020
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    PID:2172
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:1956
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2908
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1628
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2684
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2428
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:748
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2144
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1960
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1448
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Modifies WinLogon for persistence
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      PID:740
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1796
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1584
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1984
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2104
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1604
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1224
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:580
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    PID:3000
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:1252
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2364
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2024
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1320
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:984
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2444
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1440
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:824
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      PID:3084
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3112
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3176
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3200
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3228
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3256
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3284
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3324
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3388
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3420
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3448
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:3124
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3156
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3184
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3208
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3236
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3264
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3292
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:3464
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3496
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3524
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3544
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3560
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3580
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3612
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3672
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3688
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      PID:3736
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:3724
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3772
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3820
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3836
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3856
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3872
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3896
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3968
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3988
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies Installed Components in the registry
      Executes dropped EXE
      PID:4012
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4052
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2072
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1476
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3108
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3144
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2152
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3340
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2488
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Modifies WinLogon for persistence
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3368
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3428
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3084
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3456
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3480
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3608
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3604
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3636
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3668
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3916
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:4040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3400
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4064
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2824
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2388
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3096
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3136
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3252
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3316
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3308
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3404
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3488
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3424
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3628
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3352
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3332
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3576
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3748
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3788
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      PID:3908
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3944
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4004
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3996
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4032
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4088
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3940
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3364
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4068
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3600
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3088
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3844
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3808
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3932
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3800
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3468
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3408
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3620
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4188
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4520
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Modifies WinLogon for persistence
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4644
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    PID:3764
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2452
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3440
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3892
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3664
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1252
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4060
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3384
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1132
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      PID:916
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3396
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3804
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3124
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4100
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4128
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4152
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4180
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    PID:3928
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3732
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2012
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:928
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4116
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4144
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4168
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4196
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4264
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      PID:4300
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4340
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4396
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4424
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4448
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4476
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4500
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4544
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4612
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:4652
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4788
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4808
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4824
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4844
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4864
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4884
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4900
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3908
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:4208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4696
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Modifies WinLogon for persistence
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4376
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        9⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:4224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5012
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        10⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:5132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5440
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        11⤵
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:5476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5624
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:4320
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4380
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4404
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4432
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4456
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4484
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4508
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4576
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4628
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      PID:4720
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4772
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4796
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4816
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4832
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4856
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4872
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4892
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    PID:4740
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4976
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5020
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5040
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5056
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5076
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5092
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5112
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3508
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4308
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Modifies WinLogon for persistence
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      PID:3484
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4288
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4220
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4588
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4356
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4676
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4300
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4660
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4552
    - - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        5⤵
        Modifies WinLogon for persistence
        
        PID:4916
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4956
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5072
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4212
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4244
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5008
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4236
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4608
      - C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        6⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Drops file in Windows directory
        
        PID:4804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5192
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:5228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5528
        
        C:\Windows\InstallDir\Server.exe
        
        "C:\Windows\InstallDir\Server.exe"
        8⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:5552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5636
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Executes dropped EXE
    PID:4312
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:4752
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4972
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4948
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4232
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5004
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3652
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4560
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:4228
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4364
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3744
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4752
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4360
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4840
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4740
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5184
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Drops file in Windows directory
    PID:5296
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5328
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5356
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5380
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5408
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5432
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5496
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5568
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5616
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Adds policy Run key to start application
      Adds Run key to start application
      Drops file in Windows directory
      PID:5656
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5692
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5772
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5788
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5808
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5828
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:5708
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5744
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5780
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5796
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5816
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5836
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2672
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2712
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2784
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2764
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2792
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2848
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2768
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2992
- C:\Windows\InstallDir\Server.exe
  "C:\Windows\InstallDir\Server.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2812
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2924
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2084
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2728
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2852
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1740
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2560
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2580
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:2640
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\xdhgkK5.cfg

Filesize
1KB

MD5
cc18c1166a3620ac6738ff7d778d4ccf

SHA1
9e024396d7ce70e5305246e3a82fa0ef92cd7377

SHA256
9e8e42e63a55b5f20774eca2f74a9fcca3b746fdbc3104360d977bff1bd28d9d

SHA512
210dd3462d789060ec2214b5d08ec6476c474b4129be11e5ceebda1a3b14528e1a3f9260fe44cf853d604416649929fd32519e6fb746191f107d4a75fa7b0f2b

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
21KB

MD5
73eae01801ae6766aef554a74b10cf0f

SHA1
030c20b6e6dee94dbcf895ab61aa3bc389cd9488

SHA256
f0681dc50e4fc46694f011936d37d95fae6a21ad3780452446c6c9b1d2dafc56

SHA512
574faae9153e708a48ae161a8e65f8790fb6cf2313724278386130e573b6d125de85633c25bfde519d66a2201eadcf22812c92cbe00e12a409c31d1a4b4a28b8

Download Submit
memory/740-152-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/800-159-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/880-131-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/880-115-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/892-72-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/892-79-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/916-239-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/916-249-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/944-65-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/944-76-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1252-162-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1252-155-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1260-114-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1260-42-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1260-106-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1260-47-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1440-52-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1440-49-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1636-89-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1636-80-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1692-96-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1692-109-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1692-158-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1856-149-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1856-136-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1904-44-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1904-37-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1956-140-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1956-127-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1988-105-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1988-90-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2116-16-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2116-19-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2168-110-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2168-121-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2172-99-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2172-103-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2236-77-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2236-71-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2312-170-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2368-54-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2368-64-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2392-86-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2392-94-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2420-7-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2420-186-0x0000000004500000-0x0000000004516000-memory.dmp

Filesize
88KB

Download
memory/2420-182-0x00000000041E0000-0x00000000041F6000-memory.dmp

Filesize
88KB

Download
memory/2420-9-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2420-85-0x0000000003E10000-0x0000000003E26000-memory.dmp

Filesize
88KB

Download
memory/2420-120-0x0000000003E10000-0x0000000003E26000-memory.dmp

Filesize
88KB

Download
memory/2420-126-0x00000000040A0000-0x00000000040B6000-memory.dmp

Filesize
88KB

Download
memory/2420-58-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/2420-196-0x0000000004380000-0x0000000004396000-memory.dmp

Filesize
88KB

Download
memory/2420-242-0x00000000048B0000-0x00000000048C6000-memory.dmp

Filesize
88KB

Download
memory/2420-254-0x00000000049F0000-0x0000000004A06000-memory.dmp

Filesize
88KB

Download
memory/2420-238-0x00000000046C0000-0x00000000046D6000-memory.dmp

Filesize
88KB

Download
memory/2420-48-0x0000000000910000-0x0000000000926000-memory.dmp

Filesize
88KB

Download
memory/2420-95-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/2420-169-0x0000000004190000-0x00000000041A6000-memory.dmp

Filesize
88KB

Download
memory/2420-259-0x00000000047E0000-0x00000000047F6000-memory.dmp

Filesize
88KB

Download
memory/2420-165-0x0000000004380000-0x0000000004396000-memory.dmp

Filesize
88KB

Download
memory/2420-214-0x0000000004500000-0x0000000004516000-memory.dmp

Filesize
88KB

Download
memory/2420-153-0x00000000040A0000-0x00000000040B6000-memory.dmp

Filesize
88KB

Download
memory/2420-154-0x00000000041E0000-0x00000000041F6000-memory.dmp

Filesize
88KB

Download
memory/2548-26-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2548-32-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2552-36-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2552-33-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2640-30-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2640-20-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2824-146-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2824-132-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2980-133-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2980-122-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3000-143-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3000-145-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3000-59-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3000-68-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3052-15-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3052-0-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3052-12-0x0000000002FC0000-0x0000000002FD6000-memory.dmp

Filesize
88KB

Download
memory/3084-175-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3124-174-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3124-166-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3332-171-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3332-181-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3368-213-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3404-218-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3420-180-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3464-188-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3464-233-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3464-246-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3600-234-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3620-195-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3620-183-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3704-215-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3704-222-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3724-200-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3724-187-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3736-194-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3736-189-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3764-229-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3764-237-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3908-219-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3908-226-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3916-197-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3916-206-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3928-243-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3928-250-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4012-207-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4012-201-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4040-232-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4040-223-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4064-210-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4220-258-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4300-251-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4300-263-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4320-255-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4320-267-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4552-260-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4552-272-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4652-264-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4652-274-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4720-278-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4740-271-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4924-284-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4976-288-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads