Analysis

max time kernel: 128s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/11/2022, 16:19
Static task: static1

Behavioral task: behavioral1
  Sample: a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
  Resource: win10v2004-20220901-en
General

Target: a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
Size: 551KB
MD5: 658505421a3b0daa80bbabccba357c88
SHA1: e5c9d02f969e2d45839cb9f383011fb371145db6
SHA256: a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197
SHA512: e827c277f2263f9fc3ebd6a2fa0fdf3c6a1b4b932d501e1bb46f2826c6f974931b6608152c83f4baff12acc898e64d16ec6dbbc85359171d30890a1725ff88b2
SSDEEP: 12288:fRShMV7171nRajU0hjQg0YtMziqLReGHTZSPyruRQPYW9IfdlL0hKM:pF17dm23dziqLVSPyruR7Lg
Malware Config

Signatures
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

Executes dropped EXE (3 IoCs)
pid  | Process
4468 | appinit.exe
4976 | appinit.exe
3356 | appinit.exe
UPX yara rule matches (7 IoCs)
resource                                                                      | yara_rule
behavioral2/memory/3708-191-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/3708-192-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/3708-193-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/3708-195-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/3708-196-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/3708-197-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/3708-198-0x0000000001610000-0x000000000171F000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description       | ioc                                                                                                  | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
Loads dropped DLL (14 IoCs)
pid  | Process
5064 | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
5064 | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
5064 | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
5064 | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
5064 | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
5064 | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
5064 | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
4468 | appinit.exe
4468 | appinit.exe
4468 | appinit.exe
4468 | appinit.exe
4468 | appinit.exe
4468 | appinit.exe
4468 | appinit.exe
Adds Run key to start application (2 TTPs, 12 IoCs)
description     | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\{4253-8547-5555-85}\\appinit.exe" | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\{4253-8547-5555-85}\\appinit.exe" | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
Key created     | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | appinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\{4253-8547-5555-85}\\appinit.exe" | appinit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\{4253-8547-5555-85}\\appinit.exe" | appinit.exe
Key created     | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
Key created     | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
Key created     | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | appinit.exe
Key created     | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\{4253-8547-5555-85}\\appinit.exe" | explorer.exe
Key created     | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\{4253-8547-5555-85}\\appinit.exe" | explorer.exe
Suspicious use of SetThreadContext (5 IoCs)
description                          | pid  | Process | procid_target
PID 5064 set thread context of 4892 | 5064 | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe | 82
PID 4892 set thread context of 4456 | 4892 | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe | 84
PID 4468 set thread context of 4976 | 4468 | appinit.exe | 124
PID 4976 set thread context of 3356 | 4976 | appinit.exe | 125
PID 3356 set thread context of 3708 | 3356 | appinit.exe | 127
Drops file in Windows directory (5 IoCs)
description                  | ioc                                         | Process
File created                 | C:\Windows\{4253-8547-5555-85}\appinit.exe | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
File opened for modification | C:\Windows\{4253-8547-5555-85}\            | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
File opened for modification | C:\Windows\{4253-8547-5555-85}\appinit.exe | appinit.exe
File opened for modification | C:\Windows\{4253-8547-5555-85}\            | appinit.exe
File opened for modification | C:\Windows\{4253-8547-5555-85}\appinit.exe | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer (8 IoCs)
resource                                    | yara_rule
behavioral2/files/0x0001000000022e05-159.dat | nsis_installer_1
behavioral2/files/0x0001000000022e05-159.dat | nsis_installer_2
behavioral2/files/0x0001000000022e05-160.dat | nsis_installer_1
behavioral2/files/0x0001000000022e05-160.dat | nsis_installer_2
behavioral2/files/0x0001000000022e05-174.dat | nsis_installer_1
behavioral2/files/0x0001000000022e05-174.dat | nsis_installer_2
behavioral2/files/0x0001000000022e05-184.dat | nsis_installer_1
behavioral2/files/0x0001000000022e05-184.dat | nsis_installer_2
Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description       | ioc | Process
Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | explorer.exe
Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | explorer.exe
Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | explorer.exe
Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | explorer.exe
Modifies registry class (1 IoC)
description | ioc                                                                                                   | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  | Process
3708 | explorer.exe
3708 | explorer.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid  | Process
4456 | a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
3708 | explorer.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(bracketed number = depth in the process tree, as given in the report)

[1] C:\Users\Admin\AppData\Local\Temp\a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe"
    PID: 5064
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe"
      PID: 4892
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\a43acc6005dbb3c814ccf02fb274f13c4d2d12ec527d2e49d3dc4f03ec564197.exe"
        PID: 4456
        - Checks computer location settings
        - Adds Run key to start application
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 4156
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 4196
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 5092
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 444
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 4796
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 3432
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 2072
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 5016
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 4720
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 4772
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 2032
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 396
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 2644
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 3496
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 4232
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 3452
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 1512
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 3492
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 4180
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 4224
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 372
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 4340
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 4308
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 720
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 2244
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 176
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 204
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 216
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 1504
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 1088
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 1584
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 1720
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 1508
      [4] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 944

      [4] C:\Windows\{4253-8547-5555-85}\appinit.exe
          cmdline: "C:\Windows\{4253-8547-5555-85}\appinit.exe"
          PID: 4468
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext

        [5] C:\Windows\{4253-8547-5555-85}\appinit.exe
            cmdline: "C:\Windows\{4253-8547-5555-85}\appinit.exe"
            PID: 4976
            - Executes dropped EXE
            - Suspicious use of SetThreadContext

          [6] C:\Windows\{4253-8547-5555-85}\appinit.exe
              cmdline: "C:\Windows\{4253-8547-5555-85}\appinit.exe"
              PID: 3356
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID: 764

            [7] C:\Windows\SysWOW64\explorer.exe
                cmdline: explorer.exe
                PID: 3708
                - Adds Run key to start application
                - Checks SCSI registry key(s)
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads