Analysis
max time kernel: 147s
max time network: 107s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 23/11/2022, 17:43

Static task: static1
Behavioral task: behavioral1
  Sample: 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe
  Resource: win10v2004-20220812-en

General
Target: 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe
Size: 770KB
MD5: 16ff27fe7916cb9b7153e9f86b21a172
SHA1: e2450ff3e03e2ecd16aaf657e0cd290657881099
SHA256: 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee
SHA512: 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff
SSDEEP: 12288:t3aXFMuMnXwLWzJLV1vwbBHacbi8juWBth6eudKXYzJMmeA4eDyzLbi9:8XN8AqJrvwl20iDEY9LeAEHU
Malware Config
Signatures
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Executes dropped EXE 29 IoCs
pid / Process:
  detect.exe: 948, 1620, 1324, 1508, 1996, 1608, 468, 888, 1516, 1872, 1816, 1456, 824, 1216, 976, 1760, 2020, 620, 1468, 1668
  Server.exe: 1812, 632, 976, 1280, 1312, 1596, 1164, 1728, 1520
resource / yara_rule:
  behavioral1/memory/324-113-0x0000000001610000-0x000000000171F000-memory.dmp  upx
  behavioral1/memory/324-116-0x0000000001610000-0x000000000171F000-memory.dmp  upx
  behavioral1/memory/324-120-0x0000000001610000-0x000000000171F000-memory.dmp  upx
  behavioral1/memory/324-123-0x0000000001610000-0x000000000171F000-memory.dmp  upx
  behavioral1/memory/324-132-0x0000000001610000-0x000000000171F000-memory.dmp  upx
  behavioral1/memory/324-133-0x0000000001610000-0x000000000171F000-memory.dmp  upx
  behavioral1/memory/324-134-0x0000000001610000-0x000000000171F000-memory.dmp  upx
Drops startup file 1 IoCs
description / ioc / Process:
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs  22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe
Loads dropped DLL 2 IoCs
pid / Process:
  1900  22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe
  580   svchost.exe
Adds Run key to start application 2 TTPs 16 IoCs
description / ioc / Process:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"  detect.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"  svchost.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  detect.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  detect.exe
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run  detect.exe
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run  svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"  explorer.exe
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run  explorer.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"  explorer.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"  svchost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"  detect.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"  detect.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe"  detect.exe
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run  detect.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  explorer.exe
Suspicious use of SetThreadContext 11 IoCs
description / pid / Process / procid_target:
  PID 948 set thread context of 1620   948 detect.exe   28
  PID 1324 set thread context of 1996  1324 detect.exe  71
  PID 1508 set thread context of 468   1508 detect.exe  77
  PID 1996 set thread context of 324   1996 detect.exe  73
  PID 1608 set thread context of 1816  1608 detect.exe  83
  PID 1516 set thread context of 1456  1516 detect.exe  84
  PID 888 set thread context of 824    888 detect.exe   86
  PID 1872 set thread context of 1216  1872 detect.exe  87
  PID 976 set thread context of 620    976 detect.exe   91
  PID 1760 set thread context of 1468  1760 detect.exe  92
  PID 2020 set thread context of 1668  2020 detect.exe  93
Drops file in Windows directory 4 IoCs
description / ioc / Process:
  File opened for modification  C:\Windows\InstallDir\Server.exe  detect.exe
  File created                  C:\Windows\InstallDir\Server.exe  detect.exe
  File opened for modification  C:\Windows\InstallDir\Server.exe  detect.exe
  File created                  C:\Windows\InstallDir\Server.exe  detect.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid / Process:
  324  explorer.exe
Suspicious behavior: MapViewOfSection 20 IoCs
pid / Process (each PID listed twice in the original table):
  948 detect.exe  ×2
  1324 detect.exe ×2
  1508 detect.exe ×2
  1608 detect.exe ×2
  1516 detect.exe ×2
  888 detect.exe  ×2
  1872 detect.exe ×2
  976 detect.exe  ×2
  1760 detect.exe ×2
  2020 detect.exe ×2
Suspicious use of SetWindowsHookEx 2 IoCs
pid / Process:
  1620  detect.exe
  324   explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target (identical rows collapsed; count at the end of each row):
  PID 1900 wrote to memory of 948   1900 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe  27  ×4
  PID 948 wrote to memory of 1620   948 detect.exe   28  ×4
  PID 1620 wrote to memory of 580   1620 detect.exe  29  ×5
  PID 1620 wrote to memory of 1684  1620 detect.exe  30  ×4
  PID 1620 wrote to memory of 1872  1620 detect.exe  31  ×4
  PID 1620 wrote to memory of 1132  1620 detect.exe  32  ×4
  PID 1620 wrote to memory of 1164  1620 detect.exe  33  ×4
  PID 1620 wrote to memory of 520   1620 detect.exe  34  ×4
  PID 1620 wrote to memory of 1696  1620 detect.exe  35  ×4
  PID 1620 wrote to memory of 1700  1620 detect.exe  36  ×4
  PID 1620 wrote to memory of 568   1620 detect.exe  37  ×4
  PID 1620 wrote to memory of 1580  1620 detect.exe  38  ×4
  PID 1620 wrote to memory of 1532  1620 detect.exe  39  ×4
  PID 1620 wrote to memory of 1368  1620 detect.exe  40  ×4
  PID 1620 wrote to memory of 1816  1620 detect.exe  41  ×4
  PID 1620 wrote to memory of 884   1620 detect.exe  42  ×3
Processes
(process tree; the number in brackets is the depth shown in the original report, indentation follows parent/child order)

[1] PID:1900  C:\Users\Admin\AppData\Local\Temp\22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe"
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] PID:948  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
    [3] PID:1620  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] PID:580  C:\Windows\SysWOW64\svchost.exe  cmd: svchost.exe
          - Loads dropped DLL
          - Adds Run key to start application
        [5] PID:1812  C:\Windows\InstallDir\Server.exe  cmd: "C:\Windows\InstallDir\Server.exe"
            - Executes dropped EXE
          [6] PID:1324  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
            [7] PID:1996  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] PID:1952  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
              [8] PID:324  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
                  - Adds Run key to start application
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of SetWindowsHookEx
        [5] PID:632  C:\Windows\InstallDir\Server.exe  cmd: "C:\Windows\InstallDir\Server.exe"
            - Executes dropped EXE
          [6] PID:1508  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
            [7] PID:468  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
                - Executes dropped EXE
        [5] PID:976  C:\Windows\InstallDir\Server.exe  cmd: "C:\Windows\InstallDir\Server.exe"
            - Executes dropped EXE
          [6] PID:1608  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
            [7] PID:1816  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
                - Executes dropped EXE
        [5] PID:1312  C:\Windows\InstallDir\Server.exe  cmd: "C:\Windows\InstallDir\Server.exe"
            - Executes dropped EXE
          [6] PID:1516  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
            [7] PID:1456  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
                - Executes dropped EXE
        [5] PID:1596  C:\Windows\InstallDir\Server.exe  cmd: "C:\Windows\InstallDir\Server.exe"
            - Executes dropped EXE
          [6] PID:1872  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
            [7] PID:1216  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
                - Executes dropped EXE
        [5] PID:1164  C:\Windows\InstallDir\Server.exe  cmd: "C:\Windows\InstallDir\Server.exe"
            - Executes dropped EXE
          [6] PID:1760  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
            [7] PID:1468  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
                - Executes dropped EXE
        [5] PID:1728  C:\Windows\InstallDir\Server.exe  cmd: "C:\Windows\InstallDir\Server.exe"
            - Executes dropped EXE
          [6] PID:976  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
            [7] PID:620  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
                - Executes dropped EXE
        [5] PID:1520  C:\Windows\InstallDir\Server.exe  cmd: "C:\Windows\InstallDir\Server.exe"
            - Executes dropped EXE
          [6] PID:2020  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
            [7] PID:1668  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
                - Executes dropped EXE
      [4] PID:1684  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:1872  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:1132  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:1164  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:520  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:1696  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:1700  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:568  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:1580  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:1532  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:1368  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:1816  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:884  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:2040  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:576  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:1456  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:764  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:1492  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:1520  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:1292  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:856  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:1204  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:1960  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:1968  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:1964  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:1720  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:588  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:1884  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:1184  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:1716  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:2032  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:1632  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:1172  C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe
      [4] PID:1664  C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] PID:1280  C:\Windows\InstallDir\Server.exe  cmd: "C:\Windows\InstallDir\Server.exe"
          - Executes dropped EXE
        [5] PID:888  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
          [6] PID:824  C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  cmd: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
(distinct files; entries with identical hashes are collapsed, with the number of original entries in parentheses)

Filesize: 770KB  (33 entries)
  MD5: 16ff27fe7916cb9b7153e9f86b21a172
  SHA1: e2450ff3e03e2ecd16aaf657e0cd290657881099
  SHA256: 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee
  SHA512: 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff

Filesize: 2B  (1 entry)
  MD5: 93e00066d099c0485cfffa1359246d26
  SHA1: bc69a773f37b2f2071e25f755a66d47b871e5d98
  SHA256: 3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde
  SHA512: d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

Filesize: 3KB  (5 entries)
  MD5: 7ee45a675a7ce144bdcc36d694c14738
  SHA1: ef47bf4f0827a9b147dc6182beb6fc1a44d5d235
  SHA256: d2c82a65011fd4789abc22198cd1cbcb1d085caec4d6703122fc0535eddd35e6
  SHA512: 96041e29c354918173b1615291bf5d8883ad90044d293ae1f515aef8cadfe9b18ff6d370389fe59803fbacb61a14074bdf5cdb89b54bfc86510693d32ed642f2

Filesize: 356KB  (1 entry)
  MD5: a0eaa79f7fc06363a4be2586faf870c4
  SHA1: 4a917e5edeb6ef24d3254cc4736c51f3328819ac
  SHA256: 63d2efdbaadf9ab86413b83f868eefb6e1d0affc30081e3e2a10ea2605345ee3
  SHA512: b79494de07f28cd64edccedf84a07fb4d7a791c04832c82d301846449f5fd138af0a7c9a0e0fc9f78c0302b4a9d0c9fcc63313370962c2ee622ecac525dec4b8