Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-02-2024 08:24
Behavioral task behavioral1
Sample: a8b06620e9629037953a3a5bc07a0b60.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: a8b06620e9629037953a3a5bc07a0b60.exe
Resource: win10v2004-20240226-en
General
Target: a8b06620e9629037953a3a5bc07a0b60.exe
Size: 45KB
MD5: a8b06620e9629037953a3a5bc07a0b60
SHA1: 08c35cd4abf5e0945182079e24ec190d97225775
SHA256: c01c3e39933ccfedaf1d766903232ada996f71ee79187a2cb420219000c97d21
SHA512: 042cfac252c4ceb55b9b7e5fb7f23d5686c4b3aeca68b2b093a3dce78d29f89f66745e685a9cefdb07db1dcf69a2daaa4286af185a2f9cc6040d3cbc5c0b9b50
SSDEEP: 768:DBr+tjFKsusi02s2VzfoFTrS75YAU074/uhXtYCpP0zo3rI:tyRQsiNVzwFfS75YAU08mhX5co7I
Malware Config
Extracted
xtremerat
wesam.no-ip.org
slator.com
Signatures

Detect XtremeRAT payload 64 IoCs
resource | yara_rule
behavioral2/memory/4044-6-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4044-8-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4088-9-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/3176-10-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4088-12-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/3176-13-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/800-14-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1772-15-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/800-16-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
C:\Windows\InstallDir\Server.exe | family_xtremerat
behavioral2/memory/1772-41-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1464-49-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/2220-53-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1688-54-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/2220-55-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/3164-56-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1688-57-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4192-58-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/3164-59-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/864-60-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4192-61-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/864-62-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/368-63-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/368-65-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1124-66-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4268-70-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1384-72-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4268-73-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4912-74-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1384-75-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1956-76-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4912-77-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1956-78-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4444-79-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4436-80-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4444-81-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4436-83-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/3328-84-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/2428-88-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4816-89-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/2428-90-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1348-91-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4816-92-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1348-93-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/232-94-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/3820-95-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/232-96-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/116-98-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/3820-99-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/680-103-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/3444-104-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/680-105-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1768-106-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/3444-107-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/3208-108-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1768-109-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4196-110-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/3208-111-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/116-112-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4196-113-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/116-114-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4680-116-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/392-120-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/392-121-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Modifies Installed Components in the registry 2 TTPs 16 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | a8b06620e9629037953a3a5bc07a0b60.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | a8b06620e9629037953a3a5bc07a0b60.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | Server.exe
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | Server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | Server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | Server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | Server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | Server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | Server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | a8b06620e9629037953a3a5bc07a0b60.exe
Executes dropped EXE 7 IoCs
pid | process
1124 | Server.exe
3328 | Server.exe
116 | Server.exe
4680 | Server.exe
4400 | Server.exe
5396 | Server.exe
6052 | Server.exe
Adds Run key to start application 2 TTPs 16 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | a8b06620e9629037953a3a5bc07a0b60.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | a8b06620e9629037953a3a5bc07a0b60.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Drops file in Windows directory 17 IoCs
description | ioc | process
File opened for modification | C:\Windows\InstallDir\ | Server.exe
File opened for modification | C:\Windows\InstallDir\Server.exe | Server.exe
File opened for modification | C:\Windows\InstallDir\ | Server.exe
File created | C:\Windows\InstallDir\Server.exe | a8b06620e9629037953a3a5bc07a0b60.exe
File opened for modification | C:\Windows\InstallDir\Server.exe | Server.exe
File opened for modification | C:\Windows\InstallDir\Server.exe | Server.exe
File opened for modification | C:\Windows\InstallDir\Server.exe | Server.exe
File opened for modification | C:\Windows\InstallDir\Server.exe | Server.exe
File opened for modification | C:\Windows\InstallDir\ | Server.exe
File opened for modification | C:\Windows\InstallDir\Server.exe | a8b06620e9629037953a3a5bc07a0b60.exe
File opened for modification | C:\Windows\InstallDir\ | a8b06620e9629037953a3a5bc07a0b60.exe
File opened for modification | C:\Windows\InstallDir\Server.exe | Server.exe
File opened for modification | C:\Windows\InstallDir\Server.exe | Server.exe
File opened for modification | C:\Windows\InstallDir\ | Server.exe
File opened for modification | C:\Windows\InstallDir\ | Server.exe
File opened for modification | C:\Windows\InstallDir\ | Server.exe
File opened for modification | C:\Windows\InstallDir\ | Server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 7 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | a8b06620e9629037953a3a5bc07a0b60.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Server.exe
Suspicious behavior: SetClipboardViewer 46 IoCs
pid | process
explorer.exe (45 processes): 4088, 3176, 800, 1772, 2220, 1688, 3164, 4192, 864, 368, 4268, 1384, 4912, 1956, 4444, 4436, 2428, 4816, 1348, 232, 3820, 680, 3444, 1768, 3208, 4196, 116, 392, 2640, 5136, 5216, 5280, 5460, 5584, 5672, 5740, 5808, 5872, 5940, 6124, 5184, 4484, 3956, 5344, 5508
Server.exe (1 process): 6052
Suspicious use of SetWindowsHookEx 47 IoCs
pid | process
explorer.exe (46 processes): 4044, 4088, 3176, 800, 1772, 2220, 1688, 3164, 4192, 864, 368, 4268, 1384, 4912, 1956, 4444, 4436, 2428, 4816, 1348, 232, 3820, 680, 3444, 1768, 3208, 4196, 116, 392, 2640, 5136, 5216, 5280, 5460, 5584, 5672, 5740, 5808, 5872, 5940, 6124, 5184, 4484, 3956, 5344, 5508
Server.exe (1 process): 6052
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | process | target process
(identical consecutive rows are collapsed; the count in parentheses is the number of entries in the report)
PID 1464 wrote to memory of 4976 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | msedge.exe (2 entries)
PID 1464 wrote to memory of 4044 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | explorer.exe (4 entries)
PID 1464 wrote to memory of 412 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | msedge.exe (2 entries)
PID 1464 wrote to memory of 2528 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | explorer.exe (3 entries)
PID 1464 wrote to memory of 2636 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | msedge.exe (2 entries)
PID 1464 wrote to memory of 4080 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | explorer.exe (3 entries)
PID 1464 wrote to memory of 2960 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | msedge.exe (2 entries)
PID 1464 wrote to memory of 4088 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | explorer.exe (4 entries)
PID 1464 wrote to memory of 1528 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | msedge.exe (2 entries)
PID 1464 wrote to memory of 3176 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | explorer.exe (4 entries)
PID 1464 wrote to memory of 3208 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | msedge.exe (2 entries)
PID 1464 wrote to memory of 3220 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | explorer.exe (3 entries)
PID 1464 wrote to memory of 528 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | msedge.exe (2 entries)
PID 1464 wrote to memory of 4172 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | explorer.exe (3 entries)
PID 1464 wrote to memory of 2036 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | msedge.exe (2 entries)
PID 1464 wrote to memory of 800 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | explorer.exe (4 entries)
PID 1464 wrote to memory of 2428 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | msedge.exe (2 entries)
PID 1464 wrote to memory of 1772 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | explorer.exe (4 entries)
PID 1464 wrote to memory of 1716 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | msedge.exe (2 entries)
PID 1464 wrote to memory of 5008 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | explorer.exe (3 entries)
PID 1464 wrote to memory of 1124 | 1464 | a8b06620e9629037953a3a5bc07a0b60.exe | Server.exe (3 entries)
PID 1124 wrote to memory of 1876 | 1124 | Server.exe | msedge.exe (2 entries)
PID 1124 wrote to memory of 2220 | 1124 | Server.exe | explorer.exe (4 entries)
Processes
(indentation shows parent/child depth; each entry gives image path | command line | PID, followed by the signatures that process triggered)

C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe | "C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe" | PID:1464
    - Modifies Installed Components in the registry
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4976
  C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4044
      - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:412
  C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:2528
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:2636
  C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4080
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:2960
  C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4088
      - Suspicious behavior: SetClipboardViewer
      - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:1528
  C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:3176
      - Suspicious behavior: SetClipboardViewer
      - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:3208
  C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:3220
  C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4172
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:528
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:2036
  C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:800
      - Suspicious behavior: SetClipboardViewer
      - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:2428
  C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:1772
      - Suspicious behavior: SetClipboardViewer
      - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:1716
  C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:5008
  C:\Windows\InstallDir\Server.exe | "C:\Windows\InstallDir\Server.exe" | PID:1124
      - Modifies Installed Components in the registry
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:1876
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:2220
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:532
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:1688
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:3040
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:3164
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:464
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4192
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:1756
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:864
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:3468
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:2072
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4196
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:3340
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4824
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:368
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4900
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:3356
    C:\Windows\InstallDir\Server.exe | "C:\Windows\InstallDir\Server.exe" | PID:3328
        - Modifies Installed Components in the registry
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Modifies registry class
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4060
      C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4268
          - Suspicious behavior: SetClipboardViewer
          - Suspicious use of SetWindowsHookEx
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4984
      C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:1384
          - Suspicious behavior: SetClipboardViewer
          - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4912
          - Suspicious behavior: SetClipboardViewer
          - Suspicious use of SetWindowsHookEx
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:5004
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:2640
      C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:1956
          - Suspicious behavior: SetClipboardViewer
          - Suspicious use of SetWindowsHookEx
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:432
      C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:2152
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:2056
      C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4588
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4600
      C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4444
          - Suspicious behavior: SetClipboardViewer
          - Suspicious use of SetWindowsHookEx
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4032
      C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4436
          - Suspicious behavior: SetClipboardViewer
          - Suspicious use of SetWindowsHookEx
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:3756
      C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:1152
      C:\Windows\InstallDir\Server.exe | "C:\Windows\InstallDir\Server.exe" | PID:116
          - Modifies Installed Components in the registry
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Modifies registry class
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:2960
        C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:3208
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:528
        C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4172
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:2036
        C:\Windows\SysWOW64\explorer.exe | explorer.exe
            - Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2428 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:4580
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4816 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:752
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:1348 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:3204
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵PID:532
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵PID:3716
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:3592
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:2284
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:232 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:2164
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3820 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:2988
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵PID:548
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"5⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
PID:4680 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵PID:2788
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4812
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵PID:2468
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1324
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:680 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2888
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3444 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3596
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:1768 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1752
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3208 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5032
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4196 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4388
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:116 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4544
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵PID:4084
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"6⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
PID:4400 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:4980
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵PID:2264
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:2788
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵PID:3956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:3756
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:392 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:3596
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵PID:1752
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:4680
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵PID:4528
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:2388
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2640 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:5128
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5136 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:5208
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5216 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:5272
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5280 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:5340
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵PID:5348
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"7⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
PID:5396 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5460 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5452
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5584 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5576
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5664
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5672 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5732
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5740 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5808 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5800
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5864
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5872 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5932
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5940 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6000
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe8⤵PID:6008
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:6052 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:6116
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:6124 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:5164
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5184 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:4760
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4484 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:2152
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:3956 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:5276
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5344 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:5484
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5508 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:5556
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵PID:5488
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:3556
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵PID:5764
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe9⤵PID:5832
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:5776
Network
MITRE ATT&CK Enterprise v15
Downloads