Analysis Overview
SHA256
22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee
Threat Level: Known bad
The file 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee was found to be: Known bad.
Malicious Activity Summary
XtremeRAT
Executes dropped EXE
UPX packed file
Checks computer location settings
Drops startup file
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-23 17:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-23 17:43
Reported
2022-11-23 19:32
Platform
win7-20220901-en
Max time kernel
147s
Max time network
107s
Command Line
Signatures
XtremeRAT
Executes dropped EXE
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs | C:\Users\Admin\AppData\Local\Temp\22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe
"C:\Users\Admin\AppData\Local\Temp\22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | frankbello.ddns.net | udp |
Files
memory/1900-54-0x00000000759F1000-0x00000000759F3000-memory.dmp
\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/948-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1620-59-0x0000000000408600-mapping.dmp
memory/1620-62-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/580-64-0x0000000000400000-0x000000000046F000-memory.dmp
memory/580-66-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/580-69-0x0000000000400000-0x000000000046F000-memory.dmp
\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1812-71-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1620-73-0x0000000000400000-0x000000000046F000-memory.dmp
memory/632-74-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1324-77-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/976-79-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1508-82-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1280-84-0x0000000000000000-mapping.dmp
memory/1312-86-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1620-88-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1996-90-0x0000000000408600-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.nfo
| MD5 | 7ee45a675a7ce144bdcc36d694c14738 |
| SHA1 | ef47bf4f0827a9b147dc6182beb6fc1a44d5d235 |
| SHA256 | d2c82a65011fd4789abc22198cd1cbcb1d085caec4d6703122fc0535eddd35e6 |
| SHA512 | 96041e29c354918173b1615291bf5d8883ad90044d293ae1f515aef8cadfe9b18ff6d370389fe59803fbacb61a14074bdf5cdb89b54bfc86510693d32ed642f2 |
memory/1996-94-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1596-95-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1608-98-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/888-102-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/468-103-0x0000000000408600-mapping.dmp
memory/468-107-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1516-109-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.svr
| MD5 | a0eaa79f7fc06363a4be2586faf870c4 |
| SHA1 | 4a917e5edeb6ef24d3254cc4736c51f3328819ac |
| SHA256 | 63d2efdbaadf9ab86413b83f868eefb6e1d0affc30081e3e2a10ea2605345ee3 |
| SHA512 | b79494de07f28cd64edccedf84a07fb4d7a791c04832c82d301846449f5fd138af0a7c9a0e0fc9f78c0302b4a9d0c9fcc63313370962c2ee622ecac525dec4b8 |
memory/324-112-0x0000000001610000-0x000000000171F000-memory.dmp
memory/324-113-0x0000000001610000-0x000000000171F000-memory.dmp
memory/324-116-0x0000000001610000-0x000000000171F000-memory.dmp
memory/324-120-0x0000000001610000-0x000000000171F000-memory.dmp
memory/1996-119-0x0000000000400000-0x000000000046F000-memory.dmp
memory/324-122-0x000000000171C930-mapping.dmp
memory/324-123-0x0000000001610000-0x000000000171F000-memory.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1872-125-0x0000000000000000-mapping.dmp
memory/1164-127-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1728-130-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/324-132-0x0000000001610000-0x000000000171F000-memory.dmp
memory/324-133-0x0000000001610000-0x000000000171F000-memory.dmp
memory/324-134-0x0000000001610000-0x000000000171F000-memory.dmp
memory/324-135-0x00000000016C5000-0x000000000171D000-memory.dmp
memory/324-136-0x0000000001611000-0x00000000016C5000-memory.dmp
memory/1816-138-0x0000000000408600-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1456-142-0x0000000000408600-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1520-145-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.dat
| MD5 | 93e00066d099c0485cfffa1359246d26 |
| SHA1 | bc69a773f37b2f2071e25f755a66d47b871e5d98 |
| SHA256 | 3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde |
| SHA512 | d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.nfo
| MD5 | 7ee45a675a7ce144bdcc36d694c14738 |
| SHA1 | ef47bf4f0827a9b147dc6182beb6fc1a44d5d235 |
| SHA256 | d2c82a65011fd4789abc22198cd1cbcb1d085caec4d6703122fc0535eddd35e6 |
| SHA512 | 96041e29c354918173b1615291bf5d8883ad90044d293ae1f515aef8cadfe9b18ff6d370389fe59803fbacb61a14074bdf5cdb89b54bfc86510693d32ed642f2 |
memory/1816-149-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1456-150-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1816-152-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1456-153-0x0000000000400000-0x000000000046F000-memory.dmp
memory/824-155-0x0000000000408600-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.nfo
| MD5 | 7ee45a675a7ce144bdcc36d694c14738 |
| SHA1 | ef47bf4f0827a9b147dc6182beb6fc1a44d5d235 |
| SHA256 | d2c82a65011fd4789abc22198cd1cbcb1d085caec4d6703122fc0535eddd35e6 |
| SHA512 | 96041e29c354918173b1615291bf5d8883ad90044d293ae1f515aef8cadfe9b18ff6d370389fe59803fbacb61a14074bdf5cdb89b54bfc86510693d32ed642f2 |
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/824-158-0x0000000000400000-0x000000000046F000-memory.dmp
memory/824-159-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1216-161-0x0000000000408600-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1216-164-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1216-166-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.nfo
| MD5 | 7ee45a675a7ce144bdcc36d694c14738 |
| SHA1 | ef47bf4f0827a9b147dc6182beb6fc1a44d5d235 |
| SHA256 | d2c82a65011fd4789abc22198cd1cbcb1d085caec4d6703122fc0535eddd35e6 |
| SHA512 | 96041e29c354918173b1615291bf5d8883ad90044d293ae1f515aef8cadfe9b18ff6d370389fe59803fbacb61a14074bdf5cdb89b54bfc86510693d32ed642f2 |
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/976-168-0x0000000000000000-mapping.dmp
memory/1760-171-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/324-173-0x00000000016C5000-0x000000000171D000-memory.dmp
memory/2020-175-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/620-178-0x0000000000408600-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/620-181-0x0000000000400000-0x000000000046F000-memory.dmp
memory/620-182-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1468-184-0x0000000000408600-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.nfo
| MD5 | 7ee45a675a7ce144bdcc36d694c14738 |
| SHA1 | ef47bf4f0827a9b147dc6182beb6fc1a44d5d235 |
| SHA256 | d2c82a65011fd4789abc22198cd1cbcb1d085caec4d6703122fc0535eddd35e6 |
| SHA512 | 96041e29c354918173b1615291bf5d8883ad90044d293ae1f515aef8cadfe9b18ff6d370389fe59803fbacb61a14074bdf5cdb89b54bfc86510693d32ed642f2 |
memory/1468-188-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1668-190-0x0000000000408600-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1668-193-0x0000000000400000-0x000000000046F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-23 17:43
Reported
2022-11-23 19:32
Platform
win10v2004-20220812-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
XtremeRAT
Executes dropped EXE
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs | C:\Users\Admin\AppData\Local\Temp\22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Server.exe" | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| File created | C:\Windows\InstallDir\Server.exe | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe
"C:\Users\Admin\AppData\Local\Temp\22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\InstallDir\Server.exe
"C:\Windows\InstallDir\Server.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 8.238.23.254:80 | tcp | |
| N/A | 8.238.23.254:80 | tcp | |
| N/A | 51.116.253.170:443 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 8.8.8.8:53 | frankbello.ddns.net | udp |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 8.8.8.8:53 | frankbello.ddns.net | udp |
Files
memory/3440-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/3096-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/988-138-0x0000000000000000-mapping.dmp
memory/3096-137-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/988-140-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/4088-141-0x0000000000000000-mapping.dmp
memory/3096-143-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3144-144-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/224-146-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/4192-148-0x0000000000000000-mapping.dmp
memory/3688-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/4756-152-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/4704-154-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/3864-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/3732-158-0x0000000000000000-mapping.dmp
memory/4128-159-0x0000000000000000-mapping.dmp
C:\Windows\InstallDir\Server.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.nfo
| MD5 | 7ee45a675a7ce144bdcc36d694c14738 |
| SHA1 | ef47bf4f0827a9b147dc6182beb6fc1a44d5d235 |
| SHA256 | d2c82a65011fd4789abc22198cd1cbcb1d085caec4d6703122fc0535eddd35e6 |
| SHA512 | 96041e29c354918173b1615291bf5d8883ad90044d293ae1f515aef8cadfe9b18ff6d370389fe59803fbacb61a14074bdf5cdb89b54bfc86510693d32ed642f2 |
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/3732-163-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.svr
| MD5 | a0eaa79f7fc06363a4be2586faf870c4 |
| SHA1 | 4a917e5edeb6ef24d3254cc4736c51f3328819ac |
| SHA256 | 63d2efdbaadf9ab86413b83f868eefb6e1d0affc30081e3e2a10ea2605345ee3 |
| SHA512 | b79494de07f28cd64edccedf84a07fb4d7a791c04832c82d301846449f5fd138af0a7c9a0e0fc9f78c0302b4a9d0c9fcc63313370962c2ee622ecac525dec4b8 |
memory/3516-166-0x0000000001610000-0x000000000171F000-memory.dmp
memory/3516-165-0x0000000000000000-mapping.dmp
memory/3516-167-0x0000000001610000-0x000000000171F000-memory.dmp
memory/3516-168-0x0000000001610000-0x000000000171F000-memory.dmp
memory/3516-170-0x0000000001610000-0x000000000171F000-memory.dmp
memory/3516-171-0x0000000001610000-0x000000000171F000-memory.dmp
memory/3732-174-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3516-173-0x0000000001610000-0x000000000171F000-memory.dmp
memory/3516-175-0x00000000016C5000-0x000000000171D000-memory.dmp
memory/3516-172-0x0000000001610000-0x000000000171F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.nfo
| MD5 | 7ee45a675a7ce144bdcc36d694c14738 |
| SHA1 | ef47bf4f0827a9b147dc6182beb6fc1a44d5d235 |
| SHA256 | d2c82a65011fd4789abc22198cd1cbcb1d085caec4d6703122fc0535eddd35e6 |
| SHA512 | 96041e29c354918173b1615291bf5d8883ad90044d293ae1f515aef8cadfe9b18ff6d370389fe59803fbacb61a14074bdf5cdb89b54bfc86510693d32ed642f2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.dat
| MD5 | 93e00066d099c0485cfffa1359246d26 |
| SHA1 | bc69a773f37b2f2071e25f755a66d47b871e5d98 |
| SHA256 | 3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde |
| SHA512 | d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02 |
memory/3516-177-0x0000000001611000-0x00000000016C5000-memory.dmp
memory/3136-179-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/3136-181-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3648-182-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1288-184-0x0000000000000000-mapping.dmp
memory/3516-186-0x00000000016C5000-0x000000000171D000-memory.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
memory/1688-187-0x0000000000000000-mapping.dmp
memory/1136-189-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.nfo
| MD5 | 7ee45a675a7ce144bdcc36d694c14738 |
| SHA1 | ef47bf4f0827a9b147dc6182beb6fc1a44d5d235 |
| SHA256 | d2c82a65011fd4789abc22198cd1cbcb1d085caec4d6703122fc0535eddd35e6 |
| SHA512 | 96041e29c354918173b1615291bf5d8883ad90044d293ae1f515aef8cadfe9b18ff6d370389fe59803fbacb61a14074bdf5cdb89b54bfc86510693d32ed642f2 |
memory/1688-192-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3716-193-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.nfo
| MD5 | 7ee45a675a7ce144bdcc36d694c14738 |
| SHA1 | ef47bf4f0827a9b147dc6182beb6fc1a44d5d235 |
| SHA256 | d2c82a65011fd4789abc22198cd1cbcb1d085caec4d6703122fc0535eddd35e6 |
| SHA512 | 96041e29c354918173b1615291bf5d8883ad90044d293ae1f515aef8cadfe9b18ff6d370389fe59803fbacb61a14074bdf5cdb89b54bfc86510693d32ed642f2 |
memory/3716-196-0x0000000000400000-0x000000000046F000-memory.dmp
memory/4372-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.nfo
| MD5 | 7ee45a675a7ce144bdcc36d694c14738 |
| SHA1 | ef47bf4f0827a9b147dc6182beb6fc1a44d5d235 |
| SHA256 | d2c82a65011fd4789abc22198cd1cbcb1d085caec4d6703122fc0535eddd35e6 |
| SHA512 | 96041e29c354918173b1615291bf5d8883ad90044d293ae1f515aef8cadfe9b18ff6d370389fe59803fbacb61a14074bdf5cdb89b54bfc86510693d32ed642f2 |
memory/4372-200-0x0000000000400000-0x000000000046F000-memory.dmp
memory/4100-201-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
| MD5 | 16ff27fe7916cb9b7153e9f86b21a172 |
| SHA1 | e2450ff3e03e2ecd16aaf657e0cd290657881099 |
| SHA256 | 22036b195bcfd56d1aad6f96dfc048d7bbd42d8cea96fea62d8459cb19c679ee |
| SHA512 | 143da9775bc6bdbacd2806d6bfe5d349ac27690098c13d7bb326e7144b8ad42c20b56e081fc62925aadd23982ed5d767ce32b2cfaf952fafb53ee3546bde63ff |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8kpNMgQSjuwa\8kpNMgQSjuwa.nfo
| MD5 | 7ee45a675a7ce144bdcc36d694c14738 |
| SHA1 | ef47bf4f0827a9b147dc6182beb6fc1a44d5d235 |
| SHA256 | d2c82a65011fd4789abc22198cd1cbcb1d085caec4d6703122fc0535eddd35e6 |
| SHA512 | 96041e29c354918173b1615291bf5d8883ad90044d293ae1f515aef8cadfe9b18ff6d370389fe59803fbacb61a14074bdf5cdb89b54bfc86510693d32ed642f2 |
memory/4100-204-0x0000000000400000-0x000000000046F000-memory.dmp