Analysis Overview
SHA256
92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3
Threat Level: Known bad
The file 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 was found to be: Known bad.
Malicious Activity Summary
XtremeRAT
UPX packed file
Executes dropped EXE
Drops startup file
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-23 15:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-23 15:44
Reported
2022-11-23 17:00
Platform
win7-20220812-en
Max time kernel
101s
Max time network
47s
Command Line
Signatures
XtremeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Windows\InstallDir\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs | C:\Users\Admin\AppData\Local\Temp\92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2040 set thread context of 1724 | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe |
| PID 1256 set thread context of 1668 | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe |
| PID 1668 set thread context of 1056 | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | C:\Windows\SysWOW64\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe
"C:\Users\Admin\AppData\Local\Temp\92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
Network
Files
memory/1908-54-0x00000000762F1000-0x00000000762F3000-memory.dmp
\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
memory/2040-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
memory/1724-59-0x0000000000408600-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
memory/1724-62-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
memory/1724-64-0x0000000000400000-0x000000000046F000-memory.dmp
\Windows\InstallDir\Server.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
memory/552-66-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
memory/1724-68-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1256-70-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
memory/1668-73-0x0000000000408600-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1ULEQXM4f\1ULEQXM4f.nfo
| MD5 | 7e8d31bd5bbe6f9842518617837f405e |
| SHA1 | 40647a3d29156586a8b97d534af7c94b2ed06664 |
| SHA256 | 70681abf0e35fe3f85414f9236ea3407dc36d6fe9cc29bb4fda93f50a1b7b20f |
| SHA512 | 5a85df64d4e14d222ab3816345d8a10cc17e82006cb076830de7538c43ab290ac8905db1334088fd62077435bd49ecbcd5dcf9fe798953f9275697bcee5db826 |
C:\Windows\InstallDir\Server.exe
| MD5 | 2482e898d35d6a86b27d386072ead320 |
| SHA1 | d041fbae66e5bf6f72952e8159fcbaf8a9a00ca1 |
| SHA256 | 658112fdc646c70c7153f4bd089bf3010231171c4ee8e3a03713e1d8379bd389 |
| SHA512 | d14558abfd6dfc2cc019abca99c6e0fa4c6ea82762c8dbf9c0b00aada19a823fa0eacec28601fe457552e30b7446dc5a9e4828e714bec3c3026c108966dd8f1f |
memory/1668-78-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1ULEQXM4f\1ULEQXM4f.svr
| MD5 | ad69242f4bf9548496051bd95ac05e1e |
| SHA1 | 913292f6b83adf41337fd50201ad341500abc8b0 |
| SHA256 | 2663fdfe0fe4c37532f919282d035579bf84a895be5971982437cffbd41bdb1b |
| SHA512 | 09bed3adc8427e4aeec4e32dfd0640da71d2839b62973e4bae94f0965c5836028511295d99be878af388789fc020117972c3cf51d5a2ef1899aeb9d43c2fd94e |
memory/1056-80-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1056-81-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1056-84-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1056-87-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1056-90-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1056-89-0x000000000171D0D0-mapping.dmp
memory/1056-92-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1056-93-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1056-94-0x0000000001610000-0x0000000001720000-memory.dmp
memory/1056-95-0x00000000016C5000-0x000000000171E000-memory.dmp
memory/1056-96-0x0000000001611000-0x00000000016C5000-memory.dmp
memory/1668-97-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1056-98-0x00000000016C5000-0x000000000171E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-23 15:44
Reported
2022-11-23 17:01
Platform
win10v2004-20221111-en
Max time kernel
167s
Max time network
199s
Command Line
Signatures
XtremeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Windows\InstallDir\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs | C:\Users\Admin\AppData\Local\Temp\92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3616 set thread context of 2076 | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe |
| PID 4824 set thread context of 2168 | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe |
| PID 2168 set thread context of 3884 | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | C:\Windows\SysWOW64\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe
"C:\Users\Admin\AppData\Local\Temp\92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.248.5.254:80 | tcp | |
| N/A | 20.189.173.12:443 | tcp | |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 8.238.21.126:80 | tcp | |
| N/A | 8.238.21.126:80 | tcp | |
| N/A | 8.238.21.126:80 | tcp | |
| N/A | 8.238.21.126:80 | tcp | |
| N/A | 8.253.208.120:80 | tcp | |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 52.242.97.97:443 | tcp | |
| N/A | 8.238.21.126:80 | tcp | |
| N/A | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| N/A | 8.8.8.8:53 | asuu.ddns.net | udp |
Files
memory/3616-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
memory/2076-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
memory/2076-137-0x0000000000400000-0x000000000046F000-memory.dmp
memory/2076-138-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
memory/1908-139-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
memory/2076-142-0x0000000000400000-0x000000000046F000-memory.dmp
memory/4824-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
memory/2168-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | f2ba6a3638618fe779291c758d5a420f |
| SHA1 | 4954b28960bce6e21c2fb32d14368d2c99b2e607 |
| SHA256 | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3 |
| SHA512 | b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1ULEQXM4f\1ULEQXM4f.nfo
| MD5 | 7e8d31bd5bbe6f9842518617837f405e |
| SHA1 | 40647a3d29156586a8b97d534af7c94b2ed06664 |
| SHA256 | 70681abf0e35fe3f85414f9236ea3407dc36d6fe9cc29bb4fda93f50a1b7b20f |
| SHA512 | 5a85df64d4e14d222ab3816345d8a10cc17e82006cb076830de7538c43ab290ac8905db1334088fd62077435bd49ecbcd5dcf9fe798953f9275697bcee5db826 |
memory/2168-148-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1ULEQXM4f\1ULEQXM4f.svr
| MD5 | ad69242f4bf9548496051bd95ac05e1e |
| SHA1 | 913292f6b83adf41337fd50201ad341500abc8b0 |
| SHA256 | 2663fdfe0fe4c37532f919282d035579bf84a895be5971982437cffbd41bdb1b |
| SHA512 | 09bed3adc8427e4aeec4e32dfd0640da71d2839b62973e4bae94f0965c5836028511295d99be878af388789fc020117972c3cf51d5a2ef1899aeb9d43c2fd94e |
memory/3884-150-0x0000000000000000-mapping.dmp
memory/3884-151-0x0000000001610000-0x0000000001720000-memory.dmp
memory/3884-153-0x0000000001610000-0x0000000001720000-memory.dmp
memory/3884-152-0x0000000001610000-0x0000000001720000-memory.dmp
memory/3884-155-0x0000000001610000-0x0000000001720000-memory.dmp
memory/2168-156-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3884-157-0x0000000001610000-0x0000000001720000-memory.dmp
memory/3884-158-0x0000000001610000-0x0000000001720000-memory.dmp
memory/3884-159-0x0000000001610000-0x0000000001720000-memory.dmp
memory/3884-160-0x00000000016C5000-0x000000000171E000-memory.dmp
memory/3884-161-0x0000000001611000-0x00000000016C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1ULEQXM4f\1ULEQXM4f.nfo
| MD5 | 7e8d31bd5bbe6f9842518617837f405e |
| SHA1 | 40647a3d29156586a8b97d534af7c94b2ed06664 |
| SHA256 | 70681abf0e35fe3f85414f9236ea3407dc36d6fe9cc29bb4fda93f50a1b7b20f |
| SHA512 | 5a85df64d4e14d222ab3816345d8a10cc17e82006cb076830de7538c43ab290ac8905db1334088fd62077435bd49ecbcd5dcf9fe798953f9275697bcee5db826 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1ULEQXM4f\1ULEQXM4f.dat
| MD5 | 93e00066d099c0485cfffa1359246d26 |
| SHA1 | bc69a773f37b2f2071e25f755a66d47b871e5d98 |
| SHA256 | 3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde |
| SHA512 | d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02 |