Analysis
- max time kernel: 82s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-02-2024 08:24
Behavioral task: behavioral1
- Sample: a8b06620e9629037953a3a5bc07a0b60.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a8b06620e9629037953a3a5bc07a0b60.exe
- Resource: win10v2004-20240226-en
General
- Target: a8b06620e9629037953a3a5bc07a0b60.exe
- Size: 45KB
- MD5: a8b06620e9629037953a3a5bc07a0b60
- SHA1: 08c35cd4abf5e0945182079e24ec190d97225775
- SHA256: c01c3e39933ccfedaf1d766903232ada996f71ee79187a2cb420219000c97d21
- SHA512: 042cfac252c4ceb55b9b7e5fb7f23d5686c4b3aeca68b2b093a3dce78d29f89f66745e685a9cefdb07db1dcf69a2daaa4286af185a2f9cc6040d3cbc5c0b9b50
- SSDEEP: 768:DBr+tjFKsusi02s2VzfoFTrS75YAU074/uhXtYCpP0zo3rI:tyRQsiNVzwFfS75YAU08mhX5co7I
Malware Config
Extracted
xtremerat
wesam.no-ip.org
slator.com
Signatures
-
Detect XtremeRAT payload 64 IoCs
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Modifies Installed Components in the registry 2 TTPs 34 IoCs
Processes: Server.exe, explorer.exe, a8b06620e9629037953a3a5bc07a0b60.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | Server.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | Server.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | explorer.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | explorer.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | a8b06620e9629037953a3a5bc07a0b60.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | a8b06620e9629037953a3a5bc07a0b60.exe |

-
Executes dropped EXE 16 IoCs
-
Loads dropped DLL 2 IoCs
Processes: a8b06620e9629037953a3a5bc07a0b60.exe

| pid | process |
| --- | --- |
| 2956 | a8b06620e9629037953a3a5bc07a0b60.exe |

-
Adds Run key to start application 2 TTPs 34 IoCs
Processes: a8b06620e9629037953a3a5bc07a0b60.exe, Server.exe, explorer.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | a8b06620e9629037953a3a5bc07a0b60.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | explorer.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | a8b06620e9629037953a3a5bc07a0b60.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | explorer.exe |

-
Drops file in Windows directory 35 IoCs
Processes: explorer.exe, a8b06620e9629037953a3a5bc07a0b60.exe, Server.exe

| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Windows\InstallDir\ | explorer.exe |
| File created | C:\Windows\InstallDir\Server.exe | a8b06620e9629037953a3a5bc07a0b60.exe |
| File opened for modification | C:\Windows\InstallDir\Server.exe | Server.exe |
| File opened for modification | C:\Windows\InstallDir\ | Server.exe |
| File opened for modification | C:\Windows\InstallDir\Server.exe | explorer.exe |
| File opened for modification | C:\Windows\InstallDir\Server.exe | a8b06620e9629037953a3a5bc07a0b60.exe |
| File opened for modification | C:\Windows\InstallDir\ | a8b06620e9629037953a3a5bc07a0b60.exe |

-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: SetClipboardViewer 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe"C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe"1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵PID:2060
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe2⤵
- Suspicious use of SetWindowsHookEx
PID:2540 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵PID:2676
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe2⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2744 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵PID:2544
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe2⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2560 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵PID:2464
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe2⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:1784 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵PID:2472
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe2⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2492 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵PID:2424
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe2⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:1968 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵PID:1192
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe2⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2728 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵PID:1652
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe2⤵PID:880
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:1684 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:604
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:792 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:740
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2716 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:1376 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:1328
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2272
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2332 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3004 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2860
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:1808
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:1296 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:1040
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:1936 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:1232
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵PID:956
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:2104 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2260
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2384 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2364
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2360 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2880
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:1704 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2320 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2404
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3016 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2664
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:1388
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2812 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2060
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2544 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵PID:328
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2528
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:1104 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:1204
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:1156 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:1752
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3040 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:1996
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2352 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2148
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2788 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2880
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2764 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2884
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2392 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:1080
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2736 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:3112
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵PID:3120
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:3180 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3228 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3220
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3308
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3316 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3376
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3384 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3480
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3496 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3536
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3544 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3648
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3656 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3788
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3796 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵PID:3864
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3856
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:3912 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:3944
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3952 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:4044
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4052 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1372
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3176 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:3112
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3160 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:3284
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3420 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3720 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:3708
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:3220
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3308 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:4028
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵PID:4036
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:2880 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3588
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:1200 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3960
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3300 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3912 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1204
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3944
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3328 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4256 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4248
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4360
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4368 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4460
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4468 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵PID:4564
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4556
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:4592 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:4632
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4640 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:4732
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4740 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:4812
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4824 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4924 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:4916
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5020 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:5012
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4116 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:5112
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:4396
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4476 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵PID:4460
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:4360
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:4628 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:4764
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe10⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4768 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:5068
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe10⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5080 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:4636
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe10⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4624 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:4412
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe10⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4576 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:4360
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe10⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4288 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe10⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5188 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:5180
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:5304
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe10⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5312 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:5376
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe10⤵PID:5392
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:5452 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:5500
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe11⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5508 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:5592
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe11⤵
- Suspicious behavior: SetClipboardViewer
PID:5600 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:5688
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe11⤵PID:5696
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:5760
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe11⤵PID:5768
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe11⤵PID:5860
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:5852
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:5948
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe11⤵PID:5956
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:6036
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe11⤵PID:6044
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:6140
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe11⤵PID:5152
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:5268 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:4684
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe12⤵PID:4616
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe12⤵PID:5460
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:4652
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe12⤵PID:5620
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5608
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5908
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe12⤵PID:5916
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe12⤵PID:5856
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5688
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5812
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe12⤵PID:5820
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5200
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe12⤵PID:6148
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe12⤵PID:6196
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:6188
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:6268 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:6300
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe13⤵PID:6308
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:6396
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe13⤵PID:6404
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:6468
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe13⤵PID:6476
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:6572
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe13⤵PID:6584
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:6692
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe13⤵PID:6700
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe13⤵PID:6784
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:6776
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:6896
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe13⤵PID:6904
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:6976
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe13⤵PID:6984
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"13⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:7052 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe14⤵PID:7116
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:7108
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:6156
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe14⤵PID:6168
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe14⤵PID:5912
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:4652
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:6324
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe14⤵PID:6336
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe14⤵PID:6816
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:6744
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:7072
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe14⤵PID:6288
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe14⤵PID:7160
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:7148
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe14⤵PID:6620
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:6280
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"14⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:7028 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:2032
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe15⤵PID:2832
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:7156
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe15⤵PID:5572
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:6692
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe15⤵PID:584
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:7248
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe15⤵PID:7256
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:7344
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe15⤵PID:7352
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:7416
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe15⤵PID:7428
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:7520
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe15⤵PID:7528
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:7628
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe15⤵PID:7636
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"15⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:7676 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe16⤵PID:7724
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:7716
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:7816
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe16⤵PID:7824
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe16⤵PID:7912
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:7904
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:8004
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe16⤵PID:8012
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:8116
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe16⤵PID:8124
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe16⤵PID:8176
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:8168
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe16⤵PID:7452
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:7288
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe16⤵PID:5280
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2032
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"16⤵PID:7700
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:7856
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe17⤵PID:7864
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:8188
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe17⤵PID:7292
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:7764
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe17⤵PID:7756
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:7844
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe17⤵PID:7872
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:7840
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe17⤵PID:1828
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:8260
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe17⤵PID:8268
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:8408
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe17⤵PID:8416
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:8488
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe17⤵PID:8496
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"17⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:8548 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe18⤵PID:8584
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:8576
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe18⤵PID:8676
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:8668
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe18⤵PID:8776
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:8768
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:8840
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe18⤵PID:8848
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:8928
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe18⤵PID:8936
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:9028
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe18⤵PID:9036
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe18⤵PID:9132
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:9124
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:8204
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe18⤵PID:8224
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"18⤵PID:2936
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:8464
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe19⤵PID:8560
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:8532
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe19⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:7700
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:8800
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe19⤵PID:2024
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe19⤵PID:9072
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:8896
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:8844
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe19⤵PID:8932
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:8600
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe19⤵PID:8620
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:8324
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe19⤵PID:8552
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:9232
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe19⤵PID:9240
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"19⤵PID:9276
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe20⤵PID:9316
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:9308
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe20⤵PID:9420
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:9412
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:9516
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe20⤵PID:9524
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe20⤵PID:9568
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:9560
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe20⤵PID:9688
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:9680
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:9796
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe20⤵PID:9804
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe20⤵PID:9932
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:9924
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:10024
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe20⤵PID:10032
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"20⤵PID:10064
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:10096
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe21⤵PID:10104
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:10212
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe21⤵PID:10220
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:8532
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe21⤵PID:8804
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:8648
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe21⤵PID:9428
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:9732
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe21⤵PID:9748
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1680
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe21⤵PID:9300
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:9276
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe21⤵PID:10120
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:9852
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe21⤵PID:9964
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"21⤵PID:948
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:9284
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe22⤵PID:3968
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:10076
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe22⤵PID:10088
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:10064
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe22⤵PID:4452
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:10324
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe22⤵PID:10332
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:10368
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe22⤵PID:10376
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:10464
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe22⤵PID:10472
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:10552
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe22⤵PID:10560
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:10684
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe22⤵PID:10692
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"22⤵PID:10728
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe23⤵PID:10776
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:10768
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:10908
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe23⤵PID:10916
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:11008
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe23⤵PID:11016
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:11080
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe23⤵PID:11088
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:11160
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe23⤵PID:11176
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:11260
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe23⤵PID:9492
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:10528
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe23⤵PID:10536
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:10076
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe23⤵PID:10328
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"23⤵PID:10708
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:10200
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe24⤵PID:10928
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe24⤵PID:11236
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:10072
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe24⤵PID:9580
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:10548
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe24⤵PID:10248
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:11164
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe24⤵PID:10628
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:10388
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe24⤵PID:11028
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:11008
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:11316
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe24⤵PID:11332
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:11452
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe24⤵PID:11460
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"24⤵PID:11516
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:11548
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe25⤵PID:11556
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:11652
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe25⤵PID:11660
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:11744
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe25⤵PID:11752
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:11840
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe25⤵PID:11852
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:11924
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe25⤵PID:11932
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:12016
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe25⤵PID:12024
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:12116
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe25⤵PID:12124
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:12212
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe25⤵PID:12220
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"25⤵PID:12272
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:11388
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe26⤵PID:11404
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:11540
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe26⤵PID:11576
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe26⤵PID:11764
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:6112
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:12064
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe26⤵PID:10260
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:11564
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe26⤵PID:12256
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:11520
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe26⤵PID:11328
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe26⤵PID:11680
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:6212
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe26⤵PID:12280
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:12216
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"26⤵PID:12312
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:12348
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe27⤵PID:12356
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:12456
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe27⤵PID:12464
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe27⤵PID:12548
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:12540
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:12640
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe27⤵PID:12648
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:12736
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe27⤵PID:12744
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:12816
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe27⤵PID:12832
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:12932
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe27⤵PID:12944
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe27⤵PID:13032
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:13024
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"27⤵PID:13092
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:13156
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe28⤵PID:13164
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:13232
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe28⤵PID:13240
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:2888
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe28⤵PID:12320
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:12344
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe28⤵PID:12384
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:12584
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe28⤵PID:12596
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:12792
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe28⤵PID:12804
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:12640
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe28⤵PID:12736
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe28⤵PID:13212
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:13196
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"28⤵PID:11388
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:11520
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe29⤵PID:13284
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:1660
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe29⤵PID:13100
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:12592
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe29⤵PID:11940
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:11628
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe29⤵PID:6928
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:13344
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe29⤵PID:13352
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:13400
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe29⤵PID:13408
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:13500
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe29⤵PID:13512
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe29⤵PID:13608
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:13600
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"29⤵PID:13672
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe30⤵PID:13724
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:13716
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe30⤵PID:13812
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:13804
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:13868
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe30⤵PID:13876
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe30⤵PID:13980
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:13972
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe30⤵PID:14124
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:14116
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:14156
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe30⤵PID:14168
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe30⤵PID:14296
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:14288
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:12940
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe30⤵PID:13548
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"30⤵PID:13436
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:13656
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe31⤵PID:13664
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:13788
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe31⤵PID:7272
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:14152
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe31⤵PID:14180
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:13868
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe31⤵PID:13972
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:13680
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe31⤵PID:6776
Network
MITRE ATT&CK Enterprise v15
Downloads