Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/11/2022, 17:43
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe
  - Resource: win7-20220901-en
Behavioral task
- behavioral2
  - Sample: 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe
  - Resource: win10v2004-20220812-en
General
- Target: 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe
- Size: 770KB
- MD5: 16ff27fe7916cb9b7153e9f86b21a172
- SHA1: e2450ff3e03e2ecd16aaf657e0cd290657881099
- SHA256: 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee
- SHA512: 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff
- SSDEEP: 12288:t3aXFMuMnXwLWzJLV1vwbBHacbi8juWBth6eudKXYzJMmeA4eDyzLbi9:8XN8AqJrvwl20iDEY9LeAEHU
Malware Config
Signatures
-
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
-
Executes dropped EXE 20 IoCs
pid | Process
3440 | detect.exe
3096 | detect.exe
4088 | Server.exe
3144 | Server.exe
224 | Server.exe
4192 | detect.exe
3688 | detect.exe
4756 | Server.exe
4704 | Server.exe
3864 | detect.exe
3732 | detect.exe
4128 | Server.exe
3136 | detect.exe
3648 | detect.exe
1288 | detect.exe
1688 | detect.exe
1136 | detect.exe
3716 | detect.exe
4372 | detect.exe
4100 | detect.exe
-
YARA rule matches on memory dumps (all seven dumps are of PID 3516, the injected explorer.exe)
resource | yara_rule
behavioral2/memory/3516-166-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/3516-167-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/3516-168-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/3516-170-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/3516-171-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/3516-173-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/3516-172-0x0000000001610000-0x000000000171F000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, which is most often a geofence check (the RAT refuses to run, or behaves differently, in particular locales).
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | detect.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe
Adds Run key to start application 2 TTPs 16 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | detect.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | detect.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | detect.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | detect.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | detect.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | detect.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | detect.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | detect.exe
Suspicious use of SetThreadContext 8 IoCs
description | pid | Process | procid_target
PID 3440 set thread context of 3096 | 3440 | detect.exe | 81
PID 4192 set thread context of 3732 | 4192 | detect.exe | 126
PID 3732 set thread context of 3516 | 3732 | detect.exe | 127
PID 3688 set thread context of 3136 | 3688 | detect.exe | 130
PID 3864 set thread context of 1688 | 3864 | detect.exe | 133
PID 3648 set thread context of 3716 | 3648 | detect.exe | 135
PID 1288 set thread context of 4372 | 1288 | detect.exe | 136
PID 1136 set thread context of 4100 | 1136 | detect.exe | 140
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\InstallDir\Server.exe | detect.exe
File created | C:\Windows\InstallDir\Server.exe | detect.exe
File opened for modification | C:\Windows\InstallDir\Server.exe | detect.exe
File created | C:\Windows\InstallDir\Server.exe | detect.exe
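The Run-key, Startup-folder and Windows-directory tables above describe three persistence artifacts: Run values, oddly named HKLM and HKCU after the hive they sit in, that point at Server.exe under either C:\Windows\InstallDir or the user's AppData\Roaming\InstallDir; a VBS dropped into the per-user Startup folder; and the Server.exe copy written into a non-standard folder directly under C:\Windows. The Python below is an added example, not part of the sandbox report, that parses a constructed subset of those rows into a deduplicated hunt list: it maps \REGISTRY\MACHINE and \REGISTRY\USER\<SID> to HKLM and HKCU, strips the WOW6432Node redirection so 32-bit and 64-bit writes compare equal, flags any Run value whose target lies outside Program Files or System32, and flags files dropped into the Startup folder. The trusted-prefix list is an assumption made for the example.

```python
import re
from dataclasses import dataclass

# Rows copied from the report's "Adds Run key", "Drops startup file" and
# "Drops file in Windows directory" tables (constructed subset for this example).
REPORT_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" detect.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" svchost.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run svchost.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe
File created C:\Windows\InstallDir\Server.exe detect.exe
File opened for modification C:\Windows\InstallDir\Server.exe detect.exe
"""

SET_VALUE_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+) = "(?P<data>[^"]*)" (?P<proc>\S+)$')
FILE_RE = re.compile(r"^File (?:created|opened for modification) (?P<path>.+?) (?P<proc>\S+)$")
HIVE_RE = re.compile(r"^\\REGISTRY\\(?P<hive>MACHINE|USER\\S-1-5-[\d-]+)\\(?P<rest>.+)$", re.I)

# Directories from which an autostart entry is considered unremarkable (assumption for this example).
TRUSTED_PREFIXES = (
    "c:\\program files\\", "c:\\program files (x86)\\",
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
)


def normalize_key(key):
    """\\REGISTRY\\MACHINE\\... -> HKLM\\..., \\REGISTRY\\USER\\<SID>\\... -> HKCU\\...; drop WOW6432Node."""
    m = HIVE_RE.match(key)
    if not m:
        return key
    hive = "HKLM" if m["hive"].upper() == "MACHINE" else "HKCU"
    rest = re.sub(r"(?i)WOW6432Node\\", "", m["rest"])
    return hive + "\\" + rest


@dataclass(frozen=True)
class Artifact:
    kind: str       # "run_value" or "file"
    location: str   # normalized registry value path, or file path
    payload: str    # path the Run value points to ("" for files)
    process: str    # process that wrote it, per the report
    reason: str


def classify_path(path):
    """None if the launch path is unremarkable, otherwise why it is suspicious."""
    p = path.lower()
    if p.startswith(TRUSTED_PREFIXES):
        return None
    if "\\appdata\\" in p or "\\users\\" in p:
        return "launches from a user-writable directory"
    if p.startswith("c:\\windows\\"):
        return "launches from a non-standard folder under C:\\Windows"
    return "launches from an unexpected location"


def parse_report_rows(text):
    found = []
    for line in text.splitlines():
        line = line.strip()
        m = SET_VALUE_RE.match(line)
        if m:
            key = normalize_key(m["key"])
            data = m["data"].replace("\\\\", "\\")   # the report escapes backslashes in value data
            if "\\currentversion\\run\\" in key.lower():
                reason = classify_path(data)
                if reason:
                    found.append(Artifact("run_value", key, data, m["proc"], reason))
            continue
        m = FILE_RE.match(line)
        if m:
            path, low = m["path"], m["path"].lower()
            if "\\start menu\\programs\\startup\\" in low:
                script = low.endswith((".vbs", ".js", ".bat", ".cmd", ".ps1"))
                found.append(Artifact("file", path, "", m["proc"],
                                      "dropped into the per-user Startup folder" + (" (script)" if script else "")))
            elif low.startswith("c:\\windows\\") and not low.startswith(TRUSTED_PREFIXES):
                found.append(Artifact("file", path, "", m["proc"],
                                      "executable written to a non-standard folder under C:\\Windows"))
    return list(dict.fromkeys(found))   # drop exact duplicates (e.g. create + modify of the same file), keep order


def hunt_list(artifacts):
    """Unique registry value paths and file paths to sweep for on other hosts."""
    return sorted({a.location for a in artifacts} | {a.payload for a in artifacts if a.payload})


if __name__ == "__main__":
    arts = parse_report_rows(REPORT_ROWS)
    for a in arts:
        print(f"[{a.kind}] {a.location}" + (f" -> {a.payload}" if a.payload else "") + f"  ({a.process}: {a.reason})")
    print("hunt for:", *hunt_list(arts), sep="\n  ")
```

Normalizing the hive and the WOW6432Node prefix matters because the same value is written by three different processes (detect.exe, svchost.exe, explorer.exe) and, on a 64-bit host, through the 32-bit registry view; without the normalization a hunt query keyed on the raw \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\... path would miss a 64-bit build of the same implant.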
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but nothing else in this report (no mass file writes, no ransom note) supports that, and the sample is classified above as XtremeRAT; read it here as environment reconnaissance, consistent with the SCSI registry checks below.
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | explorer.exe
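All eight keys above live under Enum\SCSI, and each device ID embeds the vendor and product strings (Ven_Msft&Prod_Virtual_DVD-ROM, Ven_DADY&Prod_HARDDISK) that sandbox-aware malware compares against hypervisor names. The Python below is an added example, not from the report, that parses the device IDs out of a constructed subset of those rows, collapses the repeated accesses into unique devices, and reports which enumerated devices would give a virtualised environment away; on this data that is the two Msft Virtual DVD-ROM drives, while the DADY disk and DVD strings carry no marker. The marker list is an assumption for the example, not the strings this sample is known to check.

```python
import re

# Rows copied from the report's "Checks SCSI registry key(s)" table (constructed subset).
SCSI_ROWS = r"""
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 explorer.exe
"""

# Device-ID layout under Enum\SCSI: <class>&Ven_<vendor>&Prod_<product>\<instance>[\<value name>]
DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\\s]+)",
    re.IGNORECASE,
)

# Substrings commonly looked for in storage device IDs by sandbox-aware malware
# (assumed list for this example; not the strings this particular sample uses).
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "virtual")


def enumerate_devices(rows):
    """Collapse the registry accesses into unique SCSI devices -> access count.
    Registry paths are case-insensitive, so every component is lower-cased."""
    devices = {}
    for line in rows.splitlines():
        m = DEVICE_RE.search(line)
        if not m:
            continue
        dev = (m["cls"].lower(), m["ven"].lower(), m["prod"].lower(), m["inst"].lower())
        devices[dev] = devices.get(dev, 0) + 1
    return devices


def vm_tells(devices):
    """[(device_id, marker)] for devices whose vendor or product string contains a
    virtualisation marker: the strings to rename or mask when hardening a sandbox image."""
    tells = []
    for cls, ven, prod, inst in devices:
        haystack = f"{ven} {prod}"
        for marker in VM_MARKERS:
            if marker in haystack:
                tells.append((f"{cls}&ven_{ven}&prod_{prod}\\{inst}", marker))
                break
    return tells


if __name__ == "__main__":
    devs = enumerate_devices(SCSI_ROWS)
    for (cls, ven, prod, inst), n in devs.items():
        print(f"{n}x  {cls}&ven_{ven}&prod_{prod}\\{inst}")
    for dev_id, marker in vm_tells(devs):
        print(f"VM tell: {dev_id}  (matched '{marker}')")
```

The split between "Key opened" and "Key value queried" rows is why the collapse matters: each device is touched twice (open, then read ConfigFlags or Phantom), so the eight rows are really four devices, two of which advertise a Microsoft virtual optical drive.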
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3516 | explorer.exe
3516 | explorer.exe
-
Suspicious behavior: MapViewOfSection 14 IoCs
pid | Process (each PID listed twice in the original)
3440 | detect.exe
4192 | detect.exe
3688 | detect.exe
3864 | detect.exe
3648 | detect.exe
1288 | detect.exe
1136 | detect.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3096 | detect.exe
3516 | explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
The 64 rows collapse to 25 parent/child pairs; "rows" is how many identical entries the original table holds for that pair. The table is capped at 64 rows, so writes into the later children shown in the process tree (from PID 3480 onward, and the Server.exe 4088 subtree) are not listed.
source pid | source Process | target pid | procid_target | rows
4820 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe | 3440 | 80 | 3
3440 | detect.exe | 3096 | 81 | 3
3096 | detect.exe | 988 | 82 | 4
3096 | detect.exe | 3592 | 83 | 2
3096 | detect.exe | 4744 | 84 | 3
3096 | detect.exe | 1716 | 85 | 2
3096 | detect.exe | 2072 | 86 | 3
3096 | detect.exe | 4340 | 87 | 2
3096 | detect.exe | 4276 | 88 | 3
3096 | detect.exe | 4288 | 89 | 2
3096 | detect.exe | 5088 | 90 | 3
3096 | detect.exe | 4248 | 91 | 2
3096 | detect.exe | 4260 | 92 | 3
3096 | detect.exe | 5116 | 93 | 2
3096 | detect.exe | 4168 | 94 | 3
3096 | detect.exe | 4296 | 95 | 2
3096 | detect.exe | 5060 | 96 | 3
3096 | detect.exe | 4392 | 97 | 2
3096 | detect.exe | 5028 | 98 | 3
3096 | detect.exe | 1792 | 99 | 2
3096 | detect.exe | 4152 | 100 | 3
3096 | detect.exe | 4052 | 101 | 2
3096 | detect.exe | 5068 | 102 | 3
3096 | detect.exe | 2152 | 103 | 2
3096 | detect.exe | 2872 | 104 | 2
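Read together, the SetThreadContext and WriteProcessMemory tables describe the injection pattern: a detect.exe parent spawns a child, writes into it, and then rewrites the child's thread context. Once that child is a copy of its own image (3440 into 3096, the unpacking stage), and deeper in the tree it is explorer.exe (3732 into 3516), which is why the Run-key writes, SCSI checks and SetWindowsHookEx calls attributed to explorer.exe above are really the RAT. The Python below is an added example, not part of the sandbox report, that parses a constructed subset of those rows (the PID-to-image map is copied from the process tree) into per-edge findings and an injection chain. Because the WriteProcessMemory table is capped at 64 rows, the 4192 into 3732 edge has no write row in the subset; the code reports the write as absent rather than inferring it.

```python
import re
from dataclasses import dataclass

# Rows copied from the report's "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" tables (constructed subset; the report's
# WriteProcessMemory table stops at 64 rows, so PID 4192 has no write rows here).
SET_THREAD_CONTEXT_ROWS = """\
PID 3440 set thread context of 3096 3440 detect.exe 81
PID 4192 set thread context of 3732 4192 detect.exe 126
PID 3732 set thread context of 3516 3732 detect.exe 127
PID 3688 set thread context of 3136 3688 detect.exe 130
"""

WRITE_PROCESS_MEMORY_ROWS = """\
PID 4820 wrote to memory of 3440 4820 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe 80
PID 4820 wrote to memory of 3440 4820 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe 80
PID 3440 wrote to memory of 3096 3440 detect.exe 81
PID 3440 wrote to memory of 3096 3440 detect.exe 81
PID 3096 wrote to memory of 988 3096 detect.exe 82
PID 3096 wrote to memory of 3592 3096 detect.exe 83
"""

# PID -> image name, taken from the report's process tree (constructed lookup).
IMAGE_BY_PID = {
    4820: "22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe",
    3440: "detect.exe", 3096: "detect.exe", 988: "svchost.exe", 3592: "msedge.exe",
    4192: "detect.exe", 3732: "detect.exe", 3516: "explorer.exe",
    3688: "detect.exe", 3136: "detect.exe",
}

# "PID <src> <action> <dst> <src again> <src image> <procid_target>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<target_idx>\d+)"
)


def parse_rows(text):
    """Sandbox rows -> list of (src_pid, dst_pid, src_image)."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out.append((int(m["src"]), int(m["dst"]), m["image"]))
    return out


@dataclass
class Finding:
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str
    wrote_memory: bool
    severity: str
    reason: str


def classify_injections(set_ctx_text, write_text, image_by_pid):
    """One finding per SetThreadContext edge. Rewriting another process's thread
    context is rarely legitimate; paired with WriteProcessMemory into the same
    target it is the classic hollowing sequence (write payload, redirect EIP/RIP)."""
    writes = {(s, d) for s, d, _ in parse_rows(write_text)}
    findings = []
    for src, dst, src_img in parse_rows(set_ctx_text):
        dst_img = image_by_pid.get(dst, "<unknown>")
        wrote = (src, dst) in writes
        if dst_img != src_img:
            severity, reason = "high", f"thread context rewritten inside a foreign image ({dst_img})"
        else:
            severity, reason = "medium", "thread context rewritten inside a child copy of its own image (self-unpacking)"
        if wrote:
            reason += "; WriteProcessMemory into the same target completes the hollowing pattern"
        else:
            reason += "; no WriteProcessMemory row for this pair in the parsed subset"
        findings.append(Finding(src, src_img, dst, dst_img, wrote, severity, reason))
    return findings


def injection_chain(pid, set_ctx_text, image_by_pid):
    """Follow SetThreadContext edges backwards from pid to the first injector."""
    injector_of = {d: s for s, d, _ in parse_rows(set_ctx_text)}
    chain = [pid]
    while chain[-1] in injector_of:
        chain.append(injector_of[chain[-1]])
    return [f"{p}:{image_by_pid.get(p, '?')}" for p in reversed(chain)]


if __name__ == "__main__":
    for f in classify_injections(SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS, IMAGE_BY_PID):
        print(f"[{f.severity}] {f.src_pid} ({f.src_image}) -> {f.dst_pid} ({f.dst_image}): {f.reason}")
    print(" -> ".join(injection_chain(3516, SET_THREAD_CONTEXT_ROWS, IMAGE_BY_PID)))
```

The chain for 3516 comes out as 4192 (detect.exe) into 3732 (detect.exe) into 3516 (explorer.exe): two unpacking hops and then a hollow of a signed Microsoft binary, which is the process a detection rule should treat as the implant even though its image path is C:\Windows\SysWOW64\explorer.exe.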
Processes
Tree as recorded by the sandbox; [n] is the depth shown in the original. The command line is given only where it differs from the image path (svchost.exe and explorer.exe were launched by bare name, without a path).
- [1] C:\Users\Admin\AppData\Local\Temp\22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe  PID 4820
      Drops startup file; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  PID 3440
        Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  PID 3096
          Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\svchost.exe  (cmdline: svchost.exe)  PID 988
            Adds Run key to start application
        - [5] C:\Windows\InstallDir\Server.exe  PID 3144
              Executes dropped EXE
          - [6] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  PID 3688
                Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
            - [7] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  PID 3136
                  Executes dropped EXE
        - [5] C:\Windows\InstallDir\Server.exe  PID 224
              Executes dropped EXE
          - [6] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  PID 3864
                Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
            - [7] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  PID 1688
                  Executes dropped EXE
        - [5] C:\Windows\InstallDir\Server.exe  PID 4756
              Executes dropped EXE
          - [6] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  PID 3648
                Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
            - [7] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  PID 3716
                  Executes dropped EXE
        - [5] C:\Windows\InstallDir\Server.exe  PID 4704
              Executes dropped EXE
          - [6] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  PID 1288
                Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
            - [7] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  PID 4372
                  Executes dropped EXE
        - [5] C:\Windows\InstallDir\Server.exe  PID 4128
              Executes dropped EXE
          - [6] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  PID 1136
                Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
            - [7] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  PID 4100
                  Executes dropped EXE
      - [4] 17 alternating pairs of C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe and C:\Windows\SysWOW64\explorer.exe (cmdline: explorer.exe), all spawned by PID 3096, none with signatures, in spawn order:
            msedge.exe PIDs 3592, 1716, 4340, 4288, 4248, 5116, 4296, 4392, 1792, 4052, 2152, 3480, 1512, 2568, 3784, 2628, 4576
            explorer.exe PIDs 4744, 2072, 4276, 5088, 4260, 4168, 5060, 5028, 4152, 5068, 2872, 1204, 1188, 4252, 1220, 2744, 1960
      - [4] C:\Windows\InstallDir\Server.exe  PID 4088
            Executes dropped EXE
        - [5] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  PID 4192
              Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
          - [6] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  PID 3732
                Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Drops file in Windows directory
            - [7] C:\Windows\SysWOW64\explorer.exe  (cmdline: explorer.exe)  PID 3516
                  Adds Run key to start application; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3488
Network
MITRE ATT&CK Enterprise v6
Downloads
Unique files recovered from the run. The original listing repeats the same entry once per dropped copy; the count after each size is how many times it appeared.
- Filesize 770KB (listed 22 times; identical hashes to the submitted sample)
  MD5: 16ff27fe7916cb9b7153e9f86b21a172
  SHA1: e2450ff3e03e2ecd16aaf657e0cd290657881099
  SHA256: 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee
  SHA512: 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff
- Filesize 2B (listed once)
  MD5: 93e00066d099c0485cfffa1359246d26
  SHA1: bc69a773f37b2f2071e25f755a66d47b871e5d98
  SHA256: 3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde
  SHA512: d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02
- Filesize 3KB (listed 6 times)
  MD5: 7ee45a675a7ce144bdcc36d694c14738
  SHA1: ef47bf4f0827a9b147dc6182beb6fc1a44d5d235
  SHA256: d2c82a65011fd4789abc22198cd1cbcb1d085caec4d6703122fc0535eddd35e6
  SHA512: 96041e29c354918173b1615291bf5d8883ad90044d293ae1f515aef8cadfe9b18ff6d370389fe59803fbacb61a14074bdf5cdb89b54bfc86510693d32ed642f2
- Filesize 356KB (listed once)
  MD5: a0eaa79f7fc06363a4be2586faf870c4
  SHA1: 4a917e5edeb6ef24d3254cc4736c51f3328819ac
  SHA256: 63d2efdbaadf9ab86413b83f868eefb6e1d0affc30081e3e2a10ea2605345ee3
  SHA512: b79494de07f28cd64edccedf84a07fb4d7a791c04832c82d301846449f5fd138af0a7c9a0e0fc9f78c0302b4a9d0c9fcc63313370962c2ee622ecac525dec4b8