Analysis

- max time kernel: 151s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 12:20

Static task: static1

Behavioral task: behavioral1
- Sample: 97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: 97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe
- Resource: win10v2004-20220812-en
General

- Target: 97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe
- Size: 4.5MB
- MD5: 69198511f4cc27c6670f61757caa32e5
- SHA1: 8a8ad67be1c8e70a3674cff39ae9883e1cf8c6aa
- SHA256: 97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d
- SHA512: 353a91d6500da1221c3693d35ed35b919e8486ba96e09c87c121680ffba83f6aaea61ac2e13c4bf32faec68b433e54bb56a78d16977b93e2425c9bdea78f8947
- SSDEEP: 98304:ZdnVheNMO1AiE8fHmdgZYEMyHC/FZnwoP5zfgA8Zw4X++bPC:/Hg1o8fGdgeHnLKZZwYba
Malware Config

Extracted: darkcomet
- Bot: chotilnw.no-ip.biz:83
  DC_MUTEX-YVG7SYP
- InstallPath: Microsoft\Microsoft\svchost.exe
- gencode: hqGgcnPMuE8E
- install: true
- offline_keylogger: true
- password: 1100801319215a
- persistence: true
- reg_key: Windows Update

Extracted: cybergate v3.4.2.2
- Bot: chotilnw.no-ip.biz:81
  JMBJ1877RR46DI
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: Microsoft
- install_file: svchost.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 1100801319215a
- regkey_hkcu: Windows Update
- regkey_hklm: Windows Update
Signatures

- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
  - 4811.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Microsoft\\Microsoft\\svchost.exe"

- ModiLoader Second Stage (9 IoCs)
  Distinct resources matching YARA rule modiloader_stage2:
  - \Users\Admin\AppData\Local\Temp\1068\1068.exe
  - C:\Users\Admin\AppData\Local\Temp\1068\1068.exe
  - \Users\Admin\AppData\Roaming\svchost.exe
  - C:\Users\Admin\AppData\Roaming\svchost.exe

- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Processes:
  - 6023.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  - 6023.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Update = "C:\\Windows\\system32\\Microsoft\\svchost.exe"
  - 6023.exe: Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  - 6023.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Update = "C:\\Windows\\system32\\Microsoft\\svchost.exe"

- Executes dropped EXE (14 IoCs)
  Processes (pid, image):
  - 844 6572.exe
  - 1940 BOT CG.EXE
  - 1676 BOT DC.EXE
  - 1808 BOT MD.EXE
  - 772 BOT IPK.EXE
  - 1192 PERX UPDATED.EXE
  - 1812 1068.exe
  - 1472 svchost.exe
  - 856 1711.exe
  - 1412 4811.exe
  - 2020 6023.exe
  - 112 svchost.exe
  - 2028 svchost.exe
  - 2032 svchost.exe

- Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  Processes:
  - 6023.exe: Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{DI6UG5MY-3QC4-1M0N-OL55-0KQ28NI5UC1O}
  - 6023.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DI6UG5MY-3QC4-1M0N-OL55-0KQ28NI5UC1O}\StubPath = "C:\\Windows\\system32\\Microsoft\\svchost.exe Restart"
  - explorer.exe: Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{DI6UG5MY-3QC4-1M0N-OL55-0KQ28NI5UC1O}
  - explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DI6UG5MY-3QC4-1M0N-OL55-0KQ28NI5UC1O}\StubPath = "C:\\Windows\\system32\\Microsoft\\svchost.exe"

- Loads dropped DLL (35 IoCs)
  Distinct processes (pid, image):
  - 1500 97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe
  - 844 6572.exe
  - 772 BOT IPK.EXE
  - 1812 1068.exe
  - 1808 BOT MD.EXE
  - 1676 BOT DC.EXE
  - 1940 BOT CG.EXE
  - 856 1711.exe
  - 1412 4811.exe
  - 2020 6023.exe

- Adds Run key to start application (2 TTPs, 11 IoCs)
  Processes:
  - svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Microsoft\\Microsoft\\svchost.exe"
  - 6023.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Microsoft\\svchost.exe"
  - explorer.exe: Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"
  - 4811.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Microsoft\\Microsoft\\svchost.exe"
  - svchost.exe: Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - 6023.exe: Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  - 6023.exe: Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - 6023.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Microsoft\\svchost.exe"
  - explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Microsoft\\svchost.exe"
  - svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"

- AutoIT Executable (14 IoCs)
  AutoIT scripts compiled to PE executables.
  Distinct resources matching YARA rule autoit_exe:
  - \Users\Admin\AppData\Local\Temp\BOT CG.EXE
  - C:\Users\Admin\AppData\Local\Temp\BOT CG.EXE
  - \Users\Admin\AppData\Local\Temp\BOT DC.EXE
  - C:\Users\Admin\AppData\Local\Temp\BOT DC.EXE
  - \Users\Admin\AppData\Local\Temp\BOT IPK.EXE
  - C:\Users\Admin\AppData\Local\Temp\BOT IPK.EXE
  - \Users\Admin\AppData\Local\Temp\BOT MD.EXE
  - C:\Users\Admin\AppData\Local\Temp\BOT MD.EXE
  - behavioral1/memory/844-87-0x0000000000D00000-0x00000000011FE000-memory.dmp
  - behavioral1/memory/1500-88-0x000000000A120000-0x000000000A61E000-memory.dmp

- Drops file in System32 directory (8 IoCs)
  Processes:
  - 4811.exe: File opened for modification C:\Windows\SysWOW64\Microsoft\Microsoft\svchost.exe
  - 4811.exe: File opened for modification C:\Windows\SysWOW64\Microsoft\Microsoft\
  - 6023.exe: File created C:\Windows\SysWOW64\Microsoft\svchost.exe
  - 6023.exe: File opened for modification C:\Windows\SysWOW64\Microsoft\svchost.exe
  - 6023.exe: File opened for modification C:\Windows\SysWOW64\Microsoft\
  - explorer.exe: File opened for modification C:\Windows\SysWOW64\Microsoft\svchost.exe
  - explorer.exe: File opened for modification C:\Windows\SysWOW64\Microsoft\
  - 4811.exe: File created C:\Windows\SysWOW64\Microsoft\Microsoft\svchost.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, image):
  - 2020 6023.exe
  - 2032 svchost.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, image):
  - 2028 svchost.exe

- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes (pid, image) and the token privileges each adjusted:
  - 1412 4811.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - 2028 svchost.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - 980 explorer.exe: SeDebugPrivilege, SeDebugPrivilege

- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, image):
  - 2020 6023.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, image):
  - 2028 svchost.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  Distinct source process (pid, image) and target process (pid, image) pairs:
  - 1500 97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe wrote to memory of 844 6572.exe
  - 844 6572.exe wrote to memory of 1940 BOT CG.EXE
  - 844 6572.exe wrote to memory of 1676 BOT DC.EXE
  - 844 6572.exe wrote to memory of 772 BOT IPK.EXE
  - 844 6572.exe wrote to memory of 1808 BOT MD.EXE
  - 844 6572.exe wrote to memory of 1192 PERX UPDATED.EXE
  - 772 BOT IPK.EXE wrote to memory of 1812 1068.exe
  - 1812 1068.exe wrote to memory of 1472 svchost.exe
  - 1808 BOT MD.EXE wrote to memory of 856 1711.exe
  - 1676 BOT DC.EXE wrote to memory of 1412 4811.exe
  - 1940 BOT CG.EXE wrote to memory of 2020 6023.exe
  - 1412 4811.exe wrote to memory of 2000 notepad.exe
Processes

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\6572\6572.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6572\6572.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\BOT CG.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\BOT CG.EXE"
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\6023\6023.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\6023\6023.exe"
          Signatures: Adds policy Run key to start application; Executes dropped EXE; Modifies Installed Components in the registry; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow
          - C:\Windows\SysWOW64\explorer.exe
            Command line: explorer.exe
            Signatures: Modifies Installed Components in the registry; Adds Run key to start application
          - C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - C:\Windows\SysWOW64\explorer.exe
            Command line: explorer.exe
            Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\Microsoft\svchost.exe
            Command line: "C:\Windows\system32\Microsoft\svchost.exe"
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Local\Temp\BOT DC.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\BOT DC.EXE"
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\4811\4811.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\4811\4811.exe"
          Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\notepad.exe
            Command line: notepad
          - C:\Windows\SysWOW64\Microsoft\Microsoft\svchost.exe
            Command line: "C:\Windows\system32\Microsoft\Microsoft\svchost.exe"
            Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
            - C:\Windows\SysWOW64\notepad.exe
              Command line: notepad
      - C:\Users\Admin\AppData\Local\Temp\BOT IPK.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\BOT IPK.EXE"
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\1068\1068.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1068\1068.exe"
          Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Roaming\svchost.exe
            Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
            Signatures: Executes dropped EXE; Adds Run key to start application
      - C:\Users\Admin\AppData\Local\Temp\BOT MD.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\BOT MD.EXE"
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\1711\1711.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1711\1711.exe"
          Signatures: Executes dropped EXE; Loads dropped DLL
          - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
            Signatures: Executes dropped EXE; Adds Run key to start application
      - C:\Users\Admin\AppData\Local\Temp\PERX UPDATED.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\PERX UPDATED.EXE"
        Signatures: Executes dropped EXE
Network
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1068\1068.exeFilesize
36KB
MD571862d539820b6e844743c3c14b812f2
SHA1c291d986e7c0a90dfac1985734b2b838e0ac1ba8
SHA256c5289942ba78b0c71ae0871ad6bb58ba31f02b3735446ae4a3a3ed4085b5b69f
SHA5128aa415cbcdd7cc9794aba7bdafd4cadf81ce53be48f189f4d45eedf800096add6a7553f3ab24dda9ae34b9ed54200056d9cf6116efc84c8145b0d374c076a046
-
C:\Users\Admin\AppData\Local\Temp\1068\1068.exeFilesize
36KB
MD571862d539820b6e844743c3c14b812f2
SHA1c291d986e7c0a90dfac1985734b2b838e0ac1ba8
SHA256c5289942ba78b0c71ae0871ad6bb58ba31f02b3735446ae4a3a3ed4085b5b69f
SHA5128aa415cbcdd7cc9794aba7bdafd4cadf81ce53be48f189f4d45eedf800096add6a7553f3ab24dda9ae34b9ed54200056d9cf6116efc84c8145b0d374c076a046
-
C:\Users\Admin\AppData\Local\Temp\1711\1711.exeFilesize
141KB
MD5e48a136cdfab0086b19ec4eaa312ce0a
SHA16254300e31e20a22b4919755967cd98d4eebc6f2
SHA256bdc09a398818b3ef63cd01d3614dc912a47958466d16e6336603f63f6145b8ed
SHA512113a978c56e85439e4e257209a16c38a201608fb94f001e3eb3028f6947b216f6b32afb4e76c7326156ab98d05a9e22ce4951326c435a45cceb6ea1dd5e5ac07
-
C:\Users\Admin\AppData\Local\Temp\1711\1711.exeFilesize
141KB
MD5e48a136cdfab0086b19ec4eaa312ce0a
SHA16254300e31e20a22b4919755967cd98d4eebc6f2
SHA256bdc09a398818b3ef63cd01d3614dc912a47958466d16e6336603f63f6145b8ed
SHA512113a978c56e85439e4e257209a16c38a201608fb94f001e3eb3028f6947b216f6b32afb4e76c7326156ab98d05a9e22ce4951326c435a45cceb6ea1dd5e5ac07
-
C:\Users\Admin\AppData\Local\Temp\4811\4811.exeFilesize
251KB
MD584b289aaeca9df588da3cb4e2c8c0df7
SHA18e187626bba2657a924e0bab5d6b93cad6642e83
SHA25614a5a0056beabf61d6ee2ca388ff6e6e5951dd37bda6f950a9a401537058ae76
SHA5121e2bf9dc9e1d5607bc79d9b24fc1a73a495e9650ee65eaf3e5db4b68f32566e52bad0a3322bbf7536ddc22d91eee98fc4652fbee9b483f1b2a932d2c4926c843
-
C:\Users\Admin\AppData\Local\Temp\4811\4811.exeFilesize
251KB
MD584b289aaeca9df588da3cb4e2c8c0df7
SHA18e187626bba2657a924e0bab5d6b93cad6642e83
SHA25614a5a0056beabf61d6ee2ca388ff6e6e5951dd37bda6f950a9a401537058ae76
SHA5121e2bf9dc9e1d5607bc79d9b24fc1a73a495e9650ee65eaf3e5db4b68f32566e52bad0a3322bbf7536ddc22d91eee98fc4652fbee9b483f1b2a932d2c4926c843
-
C:\Users\Admin\AppData\Local\Temp\6023\6023.exeFilesize
428KB
MD55266a01b55e2dd48a1ffa29e0c0db337
SHA1cd10900e1d1164b27d71bedf953a365bfa113254
SHA25666f02439f48786ce79927acd6b15a37862950eb1f49c57903bdd85ddfe808133
SHA51283b5abb65a17fdf096edd9d496104b4813fa65f61744a1d69b5a47f3d7e5c8f56099328c3aeda6d135687e210b9f84da4b89bfa928edb56a8dca138a602f0319
-
C:\Users\Admin\AppData\Local\Temp\6023\6023.exeFilesize
428KB
MD55266a01b55e2dd48a1ffa29e0c0db337
SHA1cd10900e1d1164b27d71bedf953a365bfa113254
SHA25666f02439f48786ce79927acd6b15a37862950eb1f49c57903bdd85ddfe808133
SHA51283b5abb65a17fdf096edd9d496104b4813fa65f61744a1d69b5a47f3d7e5c8f56099328c3aeda6d135687e210b9f84da4b89bfa928edb56a8dca138a602f0319
-
C:\Users\Admin\AppData\Local\Temp\6572\6572.exeFilesize
2.0MB
MD557496fd195ddc8c2b71e5350a52c7883
SHA1aaecf75593281b80de21bdbccb5b9b68b69cf14c
SHA2567ee3083d23dfe6ae5897ed15059323952a724056974f344f37a5a9d10444e798
SHA51241917b2c398cf83016b331f73b8f35fea5abfdd0c63dc9017d75c9401ae644c4c264ba8106aba8de1893c02784c1176cc68e2126d21e97c5d506145442d84c33
-
C:\Users\Admin\AppData\Local\Temp\Admin2.txtFilesize
385KB
MD5204107650c4d55dffd9d2bee78345a9a
SHA13a18430e339376408c449f28936678f09e903e4a
SHA256f5f1e591d08f47b267da2e7c61c82bef06cbb233899d80949cdf0663538b721c
SHA512a3fc2b53a1d69f5055be92ef14b9eef543c0ac0230127d56c483465e68aef12549c510f2521ad2e924c0a63cbc0dd9f44c9a92573eb109eeb805f67f24cede01
-
C:\Users\Admin\AppData\Local\Temp\BOT CG.EXEFilesize
1.5MB
MD5b87cb82351c228f2613a73037782a1e0
SHA1120029c4a33f6ea2ce7309704451c537c70d2052
SHA256341cab72e5448a26aa5ffa3da9b17254688c43e595e32710c815c2aa12bfb0e6
SHA5128be6abf65bec2016ac45778382249e808e2855f9261a0ec05f14f5da537b37b233d076bf4b4711f1d1becd5196bc22772bce2df65b2c159dd778916cf94824cb
-
C:\Users\Admin\AppData\Local\Temp\BOT CG.EXEFilesize
1.5MB
MD5b87cb82351c228f2613a73037782a1e0
SHA1120029c4a33f6ea2ce7309704451c537c70d2052
SHA256341cab72e5448a26aa5ffa3da9b17254688c43e595e32710c815c2aa12bfb0e6
SHA5128be6abf65bec2016ac45778382249e808e2855f9261a0ec05f14f5da537b37b233d076bf4b4711f1d1becd5196bc22772bce2df65b2c159dd778916cf94824cb
-
C:\Users\Admin\AppData\Local\Temp\BOT DC.EXEFilesize
1.3MB
MD5a5ed82ea60f9b5dd29f6d8e375a09b11
SHA16427aef33e82e330cd64fcd31517a57d6dd13c39
SHA2563383ccd6b7a8b5bfc9c0ec4e241a02627444bc11f36967581cd407fb1489e785
SHA5126392d0990e89309318c7b286350faec073a02d921250f7d5ce2ebc068d722ad951d6a853fd29b1c861aff97cbc6fb0b573fb883f2334fd7dcdf7ee701dac8c12
-
C:\Users\Admin\AppData\Local\Temp\BOT DC.EXEFilesize
1.3MB
MD5a5ed82ea60f9b5dd29f6d8e375a09b11
SHA16427aef33e82e330cd64fcd31517a57d6dd13c39
SHA2563383ccd6b7a8b5bfc9c0ec4e241a02627444bc11f36967581cd407fb1489e785
SHA5126392d0990e89309318c7b286350faec073a02d921250f7d5ce2ebc068d722ad951d6a853fd29b1c861aff97cbc6fb0b573fb883f2334fd7dcdf7ee701dac8c12
-
C:\Users\Admin\AppData\Local\Temp\BOT IPK.EXEFilesize
894KB
MD5bafbad9ae37bff4842733ddf2cd8dc60
SHA1096e10c3fdf4c13309480608482650b79943c794
SHA2567a092f8a206b05aa6d224d804d3f296aebb8fd010ea8f72f8f5990b994d5978e
SHA51296aad5a2f485219a74100ef7e43479467b120a4391d7b80ce7e888039b57473240e3ec4ea8cbfc4b456e4e6da1be110c917b574443fbf25bc54877c98d5818a6
-
C:\Users\Admin\AppData\Local\Temp\BOT IPK.EXEFilesize
894KB
MD5bafbad9ae37bff4842733ddf2cd8dc60
SHA1096e10c3fdf4c13309480608482650b79943c794
SHA2567a092f8a206b05aa6d224d804d3f296aebb8fd010ea8f72f8f5990b994d5978e
SHA51296aad5a2f485219a74100ef7e43479467b120a4391d7b80ce7e888039b57473240e3ec4ea8cbfc4b456e4e6da1be110c917b574443fbf25bc54877c98d5818a6
-
C:\Users\Admin\AppData\Local\Temp\BOT MD.EXEFilesize
1.0MB
MD5015f387a76fe9ca8385328e94cc4334e
SHA1a6d09677f1c9cb97eacc3705bdd1714976035f1e
SHA256329c2a640272393e9d24d07cdcf254522329ea8f817443c82fa8461d46290946
SHA5127e58e770a9ea2802d30d0b835454c354bce00717e1bca3b38969ac3c42d40f20f53c5b93bf31028a08ae0145e5a6d543f5bcd0f203cf6c75aa603807c33d00b9
-
C:\Users\Admin\AppData\Local\Temp\BOT MD.EXEFilesize
1.0MB
MD5015f387a76fe9ca8385328e94cc4334e
SHA1a6d09677f1c9cb97eacc3705bdd1714976035f1e
SHA256329c2a640272393e9d24d07cdcf254522329ea8f817443c82fa8461d46290946
SHA5127e58e770a9ea2802d30d0b835454c354bce00717e1bca3b38969ac3c42d40f20f53c5b93bf31028a08ae0145e5a6d543f5bcd0f203cf6c75aa603807c33d00b9
-
C:\Users\Admin\AppData\Local\Temp\PERX UPDATED.EXEFilesize
233KB
MD58c4adab323fa75d5aede1abf3e366226
SHA110ffb2983f15ab01d7594a63391de3f734d62982
SHA256efbf5fbeb95dbc2bcb9c49ddb506d83d61c1faea4ebadb323fd3bf8348f02368
SHA5126cb4cad588c24d627ddf214c3b8650043706cde3fcbdd4da1ac97f189613e35902bb1fe9d6f46bfaaef7526d378144c6c3273181db2e025652728ba76cc26463
-
C:\Users\Admin\AppData\Local\Temp\PERX UPDATED.EXEFilesize
233KB
MD58c4adab323fa75d5aede1abf3e366226
SHA110ffb2983f15ab01d7594a63391de3f734d62982
SHA256efbf5fbeb95dbc2bcb9c49ddb506d83d61c1faea4ebadb323fd3bf8348f02368
SHA5126cb4cad588c24d627ddf214c3b8650043706cde3fcbdd4da1ac97f189613e35902bb1fe9d6f46bfaaef7526d378144c6c3273181db2e025652728ba76cc26463
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exeFilesize
141KB
MD5e48a136cdfab0086b19ec4eaa312ce0a
SHA16254300e31e20a22b4919755967cd98d4eebc6f2
SHA256bdc09a398818b3ef63cd01d3614dc912a47958466d16e6336603f63f6145b8ed
SHA512113a978c56e85439e4e257209a16c38a201608fb94f001e3eb3028f6947b216f6b32afb4e76c7326156ab98d05a9e22ce4951326c435a45cceb6ea1dd5e5ac07
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
36KB
MD571862d539820b6e844743c3c14b812f2
SHA1c291d986e7c0a90dfac1985734b2b838e0ac1ba8
SHA256c5289942ba78b0c71ae0871ad6bb58ba31f02b3735446ae4a3a3ed4085b5b69f
SHA5128aa415cbcdd7cc9794aba7bdafd4cadf81ce53be48f189f4d45eedf800096add6a7553f3ab24dda9ae34b9ed54200056d9cf6116efc84c8145b0d374c076a046
-
C:\Windows\SysWOW64\Microsoft\Microsoft\svchost.exeFilesize
251KB
MD584b289aaeca9df588da3cb4e2c8c0df7
SHA18e187626bba2657a924e0bab5d6b93cad6642e83
SHA25614a5a0056beabf61d6ee2ca388ff6e6e5951dd37bda6f950a9a401537058ae76
SHA5121e2bf9dc9e1d5607bc79d9b24fc1a73a495e9650ee65eaf3e5db4b68f32566e52bad0a3322bbf7536ddc22d91eee98fc4652fbee9b483f1b2a932d2c4926c843
-
C:\Windows\SysWOW64\Microsoft\Microsoft\svchost.exeFilesize
251KB
MD584b289aaeca9df588da3cb4e2c8c0df7
SHA18e187626bba2657a924e0bab5d6b93cad6642e83
SHA25614a5a0056beabf61d6ee2ca388ff6e6e5951dd37bda6f950a9a401537058ae76
SHA5121e2bf9dc9e1d5607bc79d9b24fc1a73a495e9650ee65eaf3e5db4b68f32566e52bad0a3322bbf7536ddc22d91eee98fc4652fbee9b483f1b2a932d2c4926c843
-
C:\Windows\SysWOW64\Microsoft\svchost.exeFilesize
428KB
MD55266a01b55e2dd48a1ffa29e0c0db337
SHA1cd10900e1d1164b27d71bedf953a365bfa113254
SHA25666f02439f48786ce79927acd6b15a37862950eb1f49c57903bdd85ddfe808133
SHA51283b5abb65a17fdf096edd9d496104b4813fa65f61744a1d69b5a47f3d7e5c8f56099328c3aeda6d135687e210b9f84da4b89bfa928edb56a8dca138a602f0319
-
C:\Windows\SysWOW64\Microsoft\svchost.exeFilesize
428KB
MD55266a01b55e2dd48a1ffa29e0c0db337
SHA1cd10900e1d1164b27d71bedf953a365bfa113254
SHA25666f02439f48786ce79927acd6b15a37862950eb1f49c57903bdd85ddfe808133
SHA51283b5abb65a17fdf096edd9d496104b4813fa65f61744a1d69b5a47f3d7e5c8f56099328c3aeda6d135687e210b9f84da4b89bfa928edb56a8dca138a602f0319
-
\Users\Admin\AppData\Local\Temp\1068\1068.exeFilesize
36KB
MD571862d539820b6e844743c3c14b812f2
SHA1c291d986e7c0a90dfac1985734b2b838e0ac1ba8
SHA256c5289942ba78b0c71ae0871ad6bb58ba31f02b3735446ae4a3a3ed4085b5b69f
SHA5128aa415cbcdd7cc9794aba7bdafd4cadf81ce53be48f189f4d45eedf800096add6a7553f3ab24dda9ae34b9ed54200056d9cf6116efc84c8145b0d374c076a046
-
\Users\Admin\AppData\Local\Temp\1711\1711.exe
Filesize
141KB
MD5
e48a136cdfab0086b19ec4eaa312ce0a
SHA1
6254300e31e20a22b4919755967cd98d4eebc6f2
SHA256
bdc09a398818b3ef63cd01d3614dc912a47958466d16e6336603f63f6145b8ed
SHA512
113a978c56e85439e4e257209a16c38a201608fb94f001e3eb3028f6947b216f6b32afb4e76c7326156ab98d05a9e22ce4951326c435a45cceb6ea1dd5e5ac07
-
\Users\Admin\AppData\Local\Temp\4811\4811.exe
Filesize
251KB
MD5
84b289aaeca9df588da3cb4e2c8c0df7
SHA1
8e187626bba2657a924e0bab5d6b93cad6642e83
SHA256
14a5a0056beabf61d6ee2ca388ff6e6e5951dd37bda6f950a9a401537058ae76
SHA512
1e2bf9dc9e1d5607bc79d9b24fc1a73a495e9650ee65eaf3e5db4b68f32566e52bad0a3322bbf7536ddc22d91eee98fc4652fbee9b483f1b2a932d2c4926c843
-
\Users\Admin\AppData\Local\Temp\6023\6023.exe
Filesize
428KB
MD5
5266a01b55e2dd48a1ffa29e0c0db337
SHA1
cd10900e1d1164b27d71bedf953a365bfa113254
SHA256
66f02439f48786ce79927acd6b15a37862950eb1f49c57903bdd85ddfe808133
SHA512
83b5abb65a17fdf096edd9d496104b4813fa65f61744a1d69b5a47f3d7e5c8f56099328c3aeda6d135687e210b9f84da4b89bfa928edb56a8dca138a602f0319
-
\Users\Admin\AppData\Local\Temp\6572\6572.exe
Filesize
2.0MB
MD5
57496fd195ddc8c2b71e5350a52c7883
SHA1
aaecf75593281b80de21bdbccb5b9b68b69cf14c
SHA256
7ee3083d23dfe6ae5897ed15059323952a724056974f344f37a5a9d10444e798
SHA512
41917b2c398cf83016b331f73b8f35fea5abfdd0c63dc9017d75c9401ae644c4c264ba8106aba8de1893c02784c1176cc68e2126d21e97c5d506145442d84c33
-
\Users\Admin\AppData\Local\Temp\BOT CG.EXE
Filesize
1.5MB
MD5
b87cb82351c228f2613a73037782a1e0
SHA1
120029c4a33f6ea2ce7309704451c537c70d2052
SHA256
341cab72e5448a26aa5ffa3da9b17254688c43e595e32710c815c2aa12bfb0e6
SHA512
8be6abf65bec2016ac45778382249e808e2855f9261a0ec05f14f5da537b37b233d076bf4b4711f1d1becd5196bc22772bce2df65b2c159dd778916cf94824cb
-
\Users\Admin\AppData\Local\Temp\BOT DC.EXE
Filesize
1.3MB
MD5
a5ed82ea60f9b5dd29f6d8e375a09b11
SHA1
6427aef33e82e330cd64fcd31517a57d6dd13c39
SHA256
3383ccd6b7a8b5bfc9c0ec4e241a02627444bc11f36967581cd407fb1489e785
SHA512
6392d0990e89309318c7b286350faec073a02d921250f7d5ce2ebc068d722ad951d6a853fd29b1c861aff97cbc6fb0b573fb883f2334fd7dcdf7ee701dac8c12
-
\Users\Admin\AppData\Local\Temp\BOT IPK.EXE
Filesize
894KB
MD5
bafbad9ae37bff4842733ddf2cd8dc60
SHA1
096e10c3fdf4c13309480608482650b79943c794
SHA256
7a092f8a206b05aa6d224d804d3f296aebb8fd010ea8f72f8f5990b994d5978e
SHA512
96aad5a2f485219a74100ef7e43479467b120a4391d7b80ce7e888039b57473240e3ec4ea8cbfc4b456e4e6da1be110c917b574443fbf25bc54877c98d5818a6
-
\Users\Admin\AppData\Local\Temp\BOT MD.EXE
Filesize
1.0MB
MD5
015f387a76fe9ca8385328e94cc4334e
SHA1
a6d09677f1c9cb97eacc3705bdd1714976035f1e
SHA256
329c2a640272393e9d24d07cdcf254522329ea8f817443c82fa8461d46290946
SHA512
7e58e770a9ea2802d30d0b835454c354bce00717e1bca3b38969ac3c42d40f20f53c5b93bf31028a08ae0145e5a6d543f5bcd0f203cf6c75aa603807c33d00b9
-
\Users\Admin\AppData\Local\Temp\PERX UPDATED.EXE
Filesize
233KB
MD5
8c4adab323fa75d5aede1abf3e366226
SHA1
10ffb2983f15ab01d7594a63391de3f734d62982
SHA256
efbf5fbeb95dbc2bcb9c49ddb506d83d61c1faea4ebadb323fd3bf8348f02368
SHA512
6cb4cad588c24d627ddf214c3b8650043706cde3fcbdd4da1ac97f189613e35902bb1fe9d6f46bfaaef7526d378144c6c3273181db2e025652728ba76cc26463
-
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
141KB
MD5
e48a136cdfab0086b19ec4eaa312ce0a
SHA1
6254300e31e20a22b4919755967cd98d4eebc6f2
SHA256
bdc09a398818b3ef63cd01d3614dc912a47958466d16e6336603f63f6145b8ed
SHA512
113a978c56e85439e4e257209a16c38a201608fb94f001e3eb3028f6947b216f6b32afb4e76c7326156ab98d05a9e22ce4951326c435a45cceb6ea1dd5e5ac07
-
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
36KB
MD5
71862d539820b6e844743c3c14b812f2
SHA1
c291d986e7c0a90dfac1985734b2b838e0ac1ba8
SHA256
c5289942ba78b0c71ae0871ad6bb58ba31f02b3735446ae4a3a3ed4085b5b69f
SHA512
8aa415cbcdd7cc9794aba7bdafd4cadf81ce53be48f189f4d45eedf800096add6a7553f3ab24dda9ae34b9ed54200056d9cf6116efc84c8145b0d374c076a046
-
\Windows\SysWOW64\Microsoft\Microsoft\svchost.exe
Filesize
251KB
MD5
84b289aaeca9df588da3cb4e2c8c0df7
SHA1
8e187626bba2657a924e0bab5d6b93cad6642e83
SHA256
14a5a0056beabf61d6ee2ca388ff6e6e5951dd37bda6f950a9a401537058ae76
SHA512
1e2bf9dc9e1d5607bc79d9b24fc1a73a495e9650ee65eaf3e5db4b68f32566e52bad0a3322bbf7536ddc22d91eee98fc4652fbee9b483f1b2a932d2c4926c843
-
\Windows\SysWOW64\Microsoft\svchost.exe
Filesize
428KB
MD5
5266a01b55e2dd48a1ffa29e0c0db337
SHA1
cd10900e1d1164b27d71bedf953a365bfa113254
SHA256
66f02439f48786ce79927acd6b15a37862950eb1f49c57903bdd85ddfe808133
SHA512
83b5abb65a17fdf096edd9d496104b4813fa65f61744a1d69b5a47f3d7e5c8f56099328c3aeda6d135687e210b9f84da4b89bfa928edb56a8dca138a602f0319
-
memory/112-136-0x0000000000000000-mapping.dmp
-
memory/772-74-0x0000000000000000-mapping.dmp
-
memory/844-60-0x0000000000000000-mapping.dmp
-
memory/844-87-0x0000000000D00000-0x00000000011FE000-memory.dmp
Filesize
5.0MB
-
memory/856-106-0x0000000000000000-mapping.dmp
-
memory/980-175-0x0000000000000000-mapping.dmp
-
memory/980-193-0x0000000010560000-0x00000000105D0000-memory.dmp
Filesize
448KB
-
memory/980-183-0x0000000010560000-0x00000000105D0000-memory.dmp
Filesize
448KB
-
memory/980-184-0x0000000010560000-0x00000000105D0000-memory.dmp
Filesize
448KB
-
memory/1080-145-0x0000000000000000-mapping.dmp
-
memory/1192-190-0x0000000005025000-0x0000000005036000-memory.dmp
Filesize
68KB
-
memory/1192-82-0x0000000000000000-mapping.dmp
-
memory/1192-110-0x0000000000AE0000-0x0000000000B22000-memory.dmp
Filesize
264KB
-
memory/1344-154-0x0000000010410000-0x0000000010480000-memory.dmp
Filesize
448KB
-
memory/1412-116-0x0000000000000000-mapping.dmp
-
memory/1412-148-0x0000000003940000-0x00000000039F7000-memory.dmp
Filesize
732KB
-
memory/1412-122-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize
732KB
-
memory/1412-160-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize
732KB
-
memory/1472-99-0x0000000000000000-mapping.dmp
-
memory/1500-59-0x000000000A120000-0x000000000A61E000-memory.dmp
Filesize
5.0MB
-
memory/1500-88-0x000000000A120000-0x000000000A61E000-memory.dmp
Filesize
5.0MB
-
memory/1500-54-0x0000000075D71000-0x0000000075D73000-memory.dmp
Filesize
8KB
-
memory/1672-166-0x0000000010480000-0x00000000104F0000-memory.dmp
Filesize
448KB
-
memory/1672-192-0x0000000010480000-0x00000000104F0000-memory.dmp
Filesize
448KB
-
memory/1672-157-0x0000000000000000-mapping.dmp
-
memory/1672-159-0x000000006EBF1000-0x000000006EBF3000-memory.dmp
Filesize
8KB
-
memory/1672-167-0x0000000010480000-0x00000000104F0000-memory.dmp
Filesize
448KB
-
memory/1676-69-0x0000000000000000-mapping.dmp
-
memory/1676-121-0x0000000002B40000-0x0000000002BF7000-memory.dmp
Filesize
732KB
-
memory/1676-119-0x0000000002B40000-0x0000000002BF7000-memory.dmp
Filesize
732KB
-
memory/1676-120-0x0000000002B40000-0x0000000002BF7000-memory.dmp
Filesize
732KB
-
memory/1808-76-0x0000000000000000-mapping.dmp
-
memory/1812-93-0x0000000000000000-mapping.dmp
-
memory/1940-64-0x0000000000000000-mapping.dmp
-
memory/2000-131-0x0000000000000000-mapping.dmp
-
memory/2020-178-0x0000000010560000-0x00000000105D0000-memory.dmp
Filesize
448KB
-
memory/2020-171-0x00000000104F0000-0x0000000010560000-memory.dmp
Filesize
448KB
-
memory/2020-151-0x0000000010410000-0x0000000010480000-memory.dmp
Filesize
448KB
-
memory/2020-127-0x0000000000000000-mapping.dmp
-
memory/2020-161-0x0000000010480000-0x00000000104F0000-memory.dmp
Filesize
448KB
-
memory/2028-140-0x0000000000000000-mapping.dmp
-
memory/2028-191-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize
732KB
-
memory/2028-147-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize
732KB
-
memory/2032-187-0x0000000000000000-mapping.dmp