Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
28-01-2024 19:19
Static task
static1
Behavioral task
behavioral1
Sample
7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
Resource
win10v2004-20231222-en
General
-
Target
7dca5b27a7a6ad3e8a5d910c3798c8f2.exe
-
Size
88KB
-
MD5
7dca5b27a7a6ad3e8a5d910c3798c8f2
-
SHA1
b7da4adde00099a854b893b20059cd4a358d49dc
-
SHA256
0b30c86d1ed315370a7bc285fbd4a93f910c993a77e3d2f47cc800f81c9875cb
-
SHA512
602685a0db0efe40a0b45421bd45c82302869b8391c61309a0b4ac0a1756f6f2832c4fee6219b11b6e1af89298f636f3f2c5f3bcfc00a7c0014b52be65f4d0dc
-
SSDEEP
1536:SIF3NPZ+Ta57cE/EmJ2Dy80iUV51efTfmZkEsAPTaabPApa+f3md:nNReaJF/cy1CeZ9uazwaYK
Malware Config
Extracted
xtremerat
fmrabod.no-ip.info
mrabod55.no-ip.info
Signatures
-
Detect XtremeRAT payload 52 IoCs
resource yara_rule behavioral1/memory/2812-5-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2812-6-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2812-7-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2812-8-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2812-9-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2812-12-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2812-13-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2812-15-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2812-16-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2812-27-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2700-49-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2700-52-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2548-69-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2548-73-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2240-91-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2240-93-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/1192-111-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/1192-114-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2428-131-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2428-133-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/548-151-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/548-155-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/1100-173-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/1100-175-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2184-193-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2184-197-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2496-214-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2496-219-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/1084-235-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/1084-237-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2328-254-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2328-258-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/1428-275-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/1428-277-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/864-295-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/864-298-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/528-316-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/528-319-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/1096-335-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/1096-338-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2324-356-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2324-358-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/1748-376-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/1748-380-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2580-396-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2580-398-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2428-416-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2428-419-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/3036-436-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/3036-438-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2752-455-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat behavioral1/memory/2752-458-0x0000000000C80000-0x0000000000C93000-memory.dmp family_xtremerat -
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Modifies Installed Components in the registry 2 TTPs 62 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} Server.exe -
Executes dropped EXE 60 IoCs
pid Process 2904 Server.exe 2700 Server.exe 804 Server.exe 2548 Server.exe 1316 Server.exe 2240 Server.exe 1516 Server.exe 1192 Server.exe 2132 Server.exe 2428 Server.exe 1756 Server.exe 548 Server.exe 2292 Server.exe 1100 Server.exe 2820 Server.exe 2184 Server.exe 2620 Server.exe 2496 Server.exe 1740 Server.exe 1084 Server.exe 2244 Server.exe 2328 Server.exe 2264 Server.exe 1428 Server.exe 2340 Server.exe 864 Server.exe 2000 Server.exe 528 Server.exe 1316 Server.exe 1096 Server.exe 628 Server.exe 2324 Server.exe 2804 Server.exe 1748 Server.exe 1864 Server.exe 2580 Server.exe 1280 Server.exe 2428 Server.exe 2824 Server.exe 3036 Server.exe 2580 Server.exe 2752 Server.exe 2512 Server.exe 2340 Server.exe 1744 Server.exe 2744 Server.exe 1644 Server.exe 2752 Server.exe 2860 Server.exe 1200 Server.exe 3124 Server.exe 3144 Server.exe 3304 Server.exe 3324 Server.exe 3488 Server.exe 3508 Server.exe 3668 Server.exe 3688 Server.exe 3848 Server.exe 3872 Server.exe -
Loads dropped DLL 3 IoCs
pid Process 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 2904 Server.exe -
Adds Run key to start application 2 TTPs 62 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" Server.exe -
Suspicious use of SetThreadContext 31 IoCs
description pid Process procid_target PID 2480 set thread context of 2812 2480 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 28 PID 2904 set thread context of 2700 2904 Server.exe 38 PID 804 set thread context of 2548 804 Server.exe 48 PID 1316 set thread context of 2240 1316 Server.exe 58 PID 1516 set thread context of 1192 1516 Server.exe 68 PID 2132 set thread context of 2428 2132 Server.exe 78 PID 1756 set thread context of 548 1756 Server.exe 88 PID 2292 set thread context of 1100 2292 Server.exe 98 PID 2820 set thread context of 2184 2820 Server.exe 110 PID 2620 set thread context of 2496 2620 Server.exe 120 PID 1740 set thread context of 1084 1740 Server.exe 130 PID 2244 set thread context of 2328 2244 Server.exe 140 PID 2264 set thread context of 1428 2264 Server.exe 150 PID 2340 set thread context of 864 2340 Server.exe 160 PID 2000 set thread context of 528 2000 Server.exe 170 PID 1316 set thread context of 1096 1316 Server.exe 180 PID 628 set thread context of 2324 628 Server.exe 190 PID 2804 set thread context of 1748 2804 Server.exe 200 PID 1864 set thread context of 2580 1864 Server.exe 210 PID 1280 set thread context of 2428 1280 Server.exe 220 PID 2824 set thread context of 3036 2824 Server.exe 230 PID 2580 set thread context of 2752 2580 Server.exe 240 PID 2512 set thread context of 2340 2512 Server.exe 250 PID 1744 set thread context of 2744 1744 Server.exe 260 PID 1644 set thread context of 2752 1644 Server.exe 270 PID 2860 set thread context of 1200 2860 Server.exe 280 PID 3124 set thread context of 3144 3124 Server.exe 290 PID 3304 set thread context of 3324 3304 Server.exe 300 PID 3488 set thread context of 3508 3488 Server.exe 310 PID 3668 set thread context of 3688 3668 Server.exe 320 PID 3848 set thread context of 3872 3848 Server.exe 330 -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\InstallDir\Server.exe 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe File created C:\Windows\InstallDir\Server.exe 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 2480 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 2904 Server.exe 804 Server.exe 1316 Server.exe 1516 Server.exe 2132 Server.exe 1756 Server.exe 2292 Server.exe 2820 Server.exe 2620 Server.exe 1740 Server.exe 2244 Server.exe 2264 Server.exe 2340 Server.exe 2000 Server.exe 1316 Server.exe 628 Server.exe 2804 Server.exe 1864 Server.exe 1280 Server.exe 2824 Server.exe 2580 Server.exe 2512 Server.exe 1744 Server.exe 1644 Server.exe 2860 Server.exe 3124 Server.exe 3304 Server.exe 3488 Server.exe 3668 Server.exe 3848 Server.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2480 wrote to memory of 2812 2480 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 28 PID 2480 wrote to memory of 2812 2480 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 28 PID 2480 wrote to memory of 2812 2480 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 28 PID 2480 wrote to memory of 2812 2480 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 28 PID 2480 wrote to memory of 2812 2480 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 28 PID 2480 wrote to memory of 2812 2480 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 28 PID 2480 wrote to memory of 2812 2480 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 28 PID 2480 wrote to memory of 2812 2480 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 28 PID 2480 wrote to memory of 2812 2480 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 28 PID 2480 wrote to memory of 2812 2480 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 28 PID 2480 wrote to memory of 2812 2480 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 28 PID 2480 wrote to memory of 2812 2480 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 28 PID 2812 wrote to memory of 2832 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 29 PID 2812 wrote to memory of 2832 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 29 PID 2812 wrote to memory of 2832 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 29 PID 2812 wrote to memory of 2832 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 29 PID 2812 wrote to memory of 2832 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 29 PID 2812 wrote to memory of 2920 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 30 PID 2812 wrote to memory of 2920 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 30 PID 2812 wrote to memory of 2920 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 30 PID 2812 wrote to memory of 2920 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 30 PID 2812 wrote to memory of 2920 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 30 PID 2812 wrote to memory of 2716 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 31 PID 2812 wrote to memory of 2716 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 31 PID 2812 wrote to memory of 2716 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 31 PID 2812 wrote to memory of 2716 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 31 PID 2812 wrote to memory of 2716 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 31 PID 2812 wrote to memory of 2460 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 32 PID 2812 wrote to memory of 2460 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 32 PID 2812 wrote to memory of 2460 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 32 PID 2812 wrote to memory of 2460 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 32 PID 2812 wrote to memory of 2460 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 32 PID 2812 wrote to memory of 2688 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 33 PID 2812 wrote to memory of 2688 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 33 PID 2812 wrote to memory of 2688 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 33 PID 2812 wrote to memory of 2688 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 33 PID 2812 wrote to memory of 2688 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 33 PID 2812 wrote to memory of 2780 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 34 PID 2812 wrote to memory of 2780 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 34 PID 2812 wrote to memory of 2780 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 34 PID 2812 wrote to memory of 2780 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 34 PID 2812 wrote to memory of 2780 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 34 PID 2812 wrote to memory of 2772 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 35 PID 2812 wrote to memory of 2772 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 35 PID 2812 wrote to memory of 2772 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 35 PID 2812 wrote to memory of 2772 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 35 PID 2812 wrote to memory of 2772 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 35 PID 2812 wrote to memory of 2696 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 36 PID 2812 wrote to memory of 2696 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 36 PID 2812 wrote to memory of 2696 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 36 PID 2812 wrote to memory of 2696 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 36 PID 2812 wrote to memory of 2904 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 37 PID 2812 wrote to memory of 2904 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 37 PID 2812 wrote to memory of 2904 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 37 PID 2812 wrote to memory of 2904 2812 7dca5b27a7a6ad3e8a5d910c3798c8f2.exe 37 PID 2904 wrote to memory of 2700 2904 Server.exe 38 PID 2904 wrote to memory of 2700 2904 Server.exe 38 PID 2904 wrote to memory of 2700 2904 Server.exe 38 PID 2904 wrote to memory of 2700 2904 Server.exe 38 PID 2904 wrote to memory of 2700 2904 Server.exe 38 PID 2904 wrote to memory of 2700 2904 Server.exe 38 PID 2904 wrote to memory of 2700 2904 Server.exe 38 PID 2904 wrote to memory of 2700 2904 Server.exe 38 PID 2904 wrote to memory of 2700 2904 Server.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe"C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exeC:\Users\Admin\AppData\Local\Temp\7dca5b27a7a6ad3e8a5d910c3798c8f2.exe2⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2832
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2920
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2716
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2460
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2688
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2780
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2772
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2696
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2700 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2640
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2988
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:3032
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2520
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2544
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:1560
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:1612
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:324
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:804 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2548 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2864
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:296
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:868
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1664
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2504
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1968
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2024
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1728
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1316 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2240 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2180
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1480
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1472
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1636
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1116
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2152
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1532
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1496
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1516 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1192 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2464
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2308
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2444
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2336
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2936
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:3000
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2360
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:2892
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2132 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2428 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1584
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:544
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:396
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2408
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2384
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2380
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1928
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2108
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1756 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe14⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:548 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:2940
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:2160
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:304
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:900
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:596
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:1732
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:3064
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:2220
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2292 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe16⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1100 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:2164
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:2536
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:2012
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:2704
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:3052
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:2708
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:2480
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:2784
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2820 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe18⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2184 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2868
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2188
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2728
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2616
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2208
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2556
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2680
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2604
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2620 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe20⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2496 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1344
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2816
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2840
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2600
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1080
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1708
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2768
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1412
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1740 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe22⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1084 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:1924
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:1712
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2240
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:1156
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:1368
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:1716
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2004
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:1212
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2244 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe24⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2328 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:824
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:1892
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2344
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2252
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2296
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2140
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:1784
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:1916
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2264 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe26⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1428 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:892
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:820
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:2364
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1992
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1676
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1620
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1988
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1204
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2340 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe28⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:864 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2596
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2796
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2812
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2848
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2588
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:2828
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:3028
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:1652
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2000 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe30⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:528 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:3068
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:3056
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1972
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1588
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:764
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:2204
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1776
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1640
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1316 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe32⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1096 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:1084
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2456
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2440
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:1192
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2136
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2244
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2312
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2452
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:628 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe34⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2324 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2044
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:1364
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2156
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:1180
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2476
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:2412
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:1124
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:1956
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2804 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe36⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1748 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:1964
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:1568
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:864
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:2624
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:2576
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:1104
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:2636
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:2844
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1864 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe38⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2580 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:2176
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:1936
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:1552
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:2500
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:852
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:832
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:1516
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:2300
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1280 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe40⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2428 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:2264
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:3020
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:744
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:876
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:736
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:2200
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:1696
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"41⤵PID:2072
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2824 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe42⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3036 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:1760
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:1680
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:2000
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:1400
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:1608
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:1876
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:240
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"43⤵PID:1580
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2580 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe44⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2752 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:1148
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:1172
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:1648
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:1188
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:2276
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:2804
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:2352
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"45⤵PID:2316
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2512 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe46⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2340 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:1520
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:1740
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:276
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:940
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:1272
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:1196
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:2332
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"47⤵PID:1756
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1744 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe48⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2744 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:616
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:2512
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:912
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:924
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:2388
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:2660
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:1604
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"49⤵PID:692
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1644 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe50⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2752 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:1660
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:2968
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:2800
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:2824
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:1744
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:532
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:1704
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"51⤵PID:628
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2860 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe52⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1200 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:528
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:2008
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:2744
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:916
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3084
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3092
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3104
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"53⤵PID:3112
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3124 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe54⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3144 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3216
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3232
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3240
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3252
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3260
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3272
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3280
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"55⤵PID:3292
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3304 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe56⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3324 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3400
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3416
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3424
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3436
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3444
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3456
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3464
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"57⤵PID:3476
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3488 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe58⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3508 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3580
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3596
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3604
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3616
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3624
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3636
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3644
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"59⤵PID:3656
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3668 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe60⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3688 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3760
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3776
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3784
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3796
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3804
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3816
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3824
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"61⤵PID:3836
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3848 -
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe62⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3872 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"63⤵PID:3948
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"63⤵PID:3964
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"63⤵PID:3972
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"63⤵PID:3984
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"63⤵PID:3992
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD509862db99820c2609b7d06907a2b9510
SHA1544d7bc29c2849ad9c562efc40155864c0b321e7
SHA25605da3a977fc5d2929051fc28d61e6178fcb1a51dfb6c8a9e819ce53fe8c67788
SHA512174145799bd57782d6ec309da8006b4f3a215573db1825ffbf3242939c013233aa07f43eca0f521bae548e0f6ab5bf6adcdc31e918e9532184301f7c0b0d4bc4
-
Filesize
88KB
MD57dca5b27a7a6ad3e8a5d910c3798c8f2
SHA1b7da4adde00099a854b893b20059cd4a358d49dc
SHA2560b30c86d1ed315370a7bc285fbd4a93f910c993a77e3d2f47cc800f81c9875cb
SHA512602685a0db0efe40a0b45421bd45c82302869b8391c61309a0b4ac0a1756f6f2832c4fee6219b11b6e1af89298f636f3f2c5f3bcfc00a7c0014b52be65f4d0dc