modiloader | c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb

Analysis

max time kernel
151s
max time network
139s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
Size

812KB
MD5

546e75ebe70aa7c62bb6461b0cad53cd
SHA1

7e1f3640e77d8184cb7d5930559050bcd5bca9de
SHA256

c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb
SHA512

e12645c315394216d65b28535db3dbd3f3ad496771a2fa3d48c86e651d265e5deff4d915cb9233eaf0d50054146b502d55f53a7ebcb81cce11833ad224a627e0
SSDEEP

12288:4YknjLp+BNoLE126lU1tMGjYIFW4+zyZGumGgTtrDJrPsfL4oTO27uqULG1R:4Ykjl+r+8lUCpeZM3BDhPC5u/G

Score

10^/10

modiloader evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

ckhost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" ckhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	ckhost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

bxpTXK8W.exequukeo.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bxpTXK8W.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	quukeo.exe

ModiLoader Second Stage 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/884-65-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral1/memory/884-69-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
\Users\Admin\akhost.exe	modiloader_stage2
\Users\Admin\akhost.exe	modiloader_stage2
C:\Users\Admin\akhost.exe	modiloader_stage2
\Users\Admin\bkhost.exe	modiloader_stage2
\Users\Admin\bkhost.exe	modiloader_stage2
C:\Users\Admin\bkhost.exe	modiloader_stage2
behavioral1/memory/824-110-0x00000000002EE000-0x0000000000334000-memory.dmp	modiloader_stage2

Disables taskbar notifications via registry modification
evasion
Executes dropped EXE 8 IoCs

Processes:

bxpTXK8W.exequukeo.exeakhost.exebkhost.execkhost.exedkhost.exeekhost.exe1FB2.tmp

pid process

1152 bxpTXK8W.exe
1540 quukeo.exe
1484 akhost.exe
1984 bkhost.exe
824 ckhost.exe
1896 dkhost.exe
1756 ekhost.exe
1580 1FB2.tmp

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/884-55-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral1/memory/884-57-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral1/memory/884-59-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral1/memory/884-63-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral1/memory/884-64-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral1/memory/884-65-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral1/memory/884-69-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral1/memory/824-103-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Loads dropped DLL 16 IoCs

Processes:

c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exebxpTXK8W.execkhost.exe

pid	process
884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
1152	bxpTXK8W.exe
1152	bxpTXK8W.exe
884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
824	ckhost.exe
824	ckhost.exe

Adds Run key to start application 2 TTPs 47 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

quukeo.execkhost.exebxpTXK8W.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /i"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /m"	quukeo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /f"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /g"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /y"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /s"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /t"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /x"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /S"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /K"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /J"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /Y"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /F"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /b"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /V"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /Z"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /L"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /R"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /o"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /d"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /w"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /n"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /Q"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /M"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /a"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /z"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /r"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /H"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /P"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /B"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /T"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /X"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /p"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /e"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /C"	quukeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\A2A.exe = "C:\\Program Files (x86)\\LP\\6C6E\\A2A.exe"	ckhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /h"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /j"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /v"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /O"	quukeo.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	bxpTXK8W.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /B"	bxpTXK8W.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /G"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /u"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /c"	quukeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\quukeo = "C:\\Users\\Admin\\quukeo.exe /N"	quukeo.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe

description	pid	process	target process
PID 1632 set thread context of 884	1632	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe

Drops file in Program Files directory 3 IoCs

Processes:

ckhost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\LP\6C6E\1FB2.tmp	ckhost.exe
File created	C:\Program Files (x86)\LP\6C6E\A2A.exe	ckhost.exe
File opened for modification	C:\Program Files (x86)\LP\6C6E\A2A.exe	ckhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

964 tasklist.exe

pid	process
964	tasklist.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bxpTXK8W.exequukeo.execkhost.exe

pid	process
1152	bxpTXK8W.exe
1152	bxpTXK8W.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
824	ckhost.exe
824	ckhost.exe
824	ckhost.exe
824	ckhost.exe
824	ckhost.exe
824	ckhost.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
1540	quukeo.exe
824	ckhost.exe
824	ckhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

tasklist.exemsiexec.exeexplorer.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	964	tasklist.exe
Token: SeRestorePrivilege	1348	msiexec.exe
Token: SeTakeOwnershipPrivilege	1348	msiexec.exe
Token: SeSecurityPrivilege	1348	msiexec.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: 33	1444	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1444	AUDIODG.EXE
Token: 33	1444	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1444	AUDIODG.EXE
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

explorer.exe

pid	process
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

explorer.exe

pid	process
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exebxpTXK8W.exequukeo.exeekhost.exe

pid process

884 c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
1152 bxpTXK8W.exe
1540 quukeo.exe
1756 ekhost.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exec7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exebxpTXK8W.execmd.execkhost.exe

description	pid	process	target process
PID 1632 wrote to memory of 884	1632	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
PID 1632 wrote to memory of 884	1632	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
PID 1632 wrote to memory of 884	1632	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
PID 1632 wrote to memory of 884	1632	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
PID 1632 wrote to memory of 884	1632	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
PID 1632 wrote to memory of 884	1632	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
PID 1632 wrote to memory of 884	1632	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
PID 1632 wrote to memory of 884	1632	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
PID 884 wrote to memory of 1152	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	bxpTXK8W.exe
PID 884 wrote to memory of 1152	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	bxpTXK8W.exe
PID 884 wrote to memory of 1152	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	bxpTXK8W.exe
PID 884 wrote to memory of 1152	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	bxpTXK8W.exe
PID 1152 wrote to memory of 1540	1152	bxpTXK8W.exe	quukeo.exe
PID 1152 wrote to memory of 1540	1152	bxpTXK8W.exe	quukeo.exe
PID 1152 wrote to memory of 1540	1152	bxpTXK8W.exe	quukeo.exe
PID 1152 wrote to memory of 1540	1152	bxpTXK8W.exe	quukeo.exe
PID 1152 wrote to memory of 560	1152	bxpTXK8W.exe	cmd.exe
PID 1152 wrote to memory of 560	1152	bxpTXK8W.exe	cmd.exe
PID 1152 wrote to memory of 560	1152	bxpTXK8W.exe	cmd.exe
PID 1152 wrote to memory of 560	1152	bxpTXK8W.exe	cmd.exe
PID 560 wrote to memory of 964	560	cmd.exe	tasklist.exe
PID 560 wrote to memory of 964	560	cmd.exe	tasklist.exe
PID 560 wrote to memory of 964	560	cmd.exe	tasklist.exe
PID 560 wrote to memory of 964	560	cmd.exe	tasklist.exe
PID 884 wrote to memory of 1484	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	akhost.exe
PID 884 wrote to memory of 1484	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	akhost.exe
PID 884 wrote to memory of 1484	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	akhost.exe
PID 884 wrote to memory of 1484	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	akhost.exe
PID 884 wrote to memory of 1984	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	bkhost.exe
PID 884 wrote to memory of 1984	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	bkhost.exe
PID 884 wrote to memory of 1984	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	bkhost.exe
PID 884 wrote to memory of 1984	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	bkhost.exe
PID 884 wrote to memory of 824	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	ckhost.exe
PID 884 wrote to memory of 824	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	ckhost.exe
PID 884 wrote to memory of 824	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	ckhost.exe
PID 884 wrote to memory of 824	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	ckhost.exe
PID 884 wrote to memory of 1896	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	dkhost.exe
PID 884 wrote to memory of 1896	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	dkhost.exe
PID 884 wrote to memory of 1896	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	dkhost.exe
PID 884 wrote to memory of 1896	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	dkhost.exe
PID 884 wrote to memory of 1756	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	ekhost.exe
PID 884 wrote to memory of 1756	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	ekhost.exe
PID 884 wrote to memory of 1756	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	ekhost.exe
PID 884 wrote to memory of 1756	884	c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe	ekhost.exe
PID 824 wrote to memory of 1580	824	ckhost.exe	1FB2.tmp
PID 824 wrote to memory of 1580	824	ckhost.exe	1FB2.tmp
PID 824 wrote to memory of 1580	824	ckhost.exe	1FB2.tmp
PID 824 wrote to memory of 1580	824	ckhost.exe	1FB2.tmp

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ckhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ckhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	ckhost.exe

C:\Users\Admin\AppData\Local\Temp\c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
"C:\Users\Admin\AppData\Local\Temp\c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
c7a61d3780094119f150f899c92f2b11b9e93863a754ff950ea68eab5954c7bb.exe
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\bxpTXK8W.exe
C:\Users\Admin\bxpTXK8W.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\quukeo.exe
"C:\Users\Admin\quukeo.exe"
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del bxpTXK8W.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Users\Admin\akhost.exe
C:\Users\Admin\akhost.exe
3⤵
- Executes dropped EXE
PID:1484

C:\Users\Admin\bkhost.exe
C:\Users\Admin\bkhost.exe
3⤵
- Executes dropped EXE
PID:1984

C:\Users\Admin\ckhost.exe
C:\Users\Admin\ckhost.exe
3⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:824

C:\Program Files (x86)\LP\6C6E\1FB2.tmp
"C:\Program Files (x86)\LP\6C6E\1FB2.tmp"
4⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\dkhost.exe
C:\Users\Admin\dkhost.exe
3⤵
- Executes dropped EXE
PID:1896

C:\Users\Admin\ekhost.exe
C:\Users\Admin\ekhost.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:836

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x590
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\6C6E\1FB2.tmp
Filesize
99KB

MD5
1e68864c3deefd4a81f2f505740f09fc

SHA1
8a12dea68e9924e27bed3076674ddd5e9448c443

SHA256
a25f10f13be9dc44c25c88c0834ffce455e0e7ad0d7e4a32c825120c3a5dc1bf

SHA512
60c98b7a8dfaba961363edbac2d58996b246b5a2e472b064173fa501ab06e3b800449e5020252450e73f13e1a59c704e10d778ee972396a19389217b0f0b4bce

Download Submit
C:\Users\Admin\akhost.exe
Filesize
229KB

MD5
2c895814249b3630f5ef87aef065a6d2

SHA1
785a02f3a3c958fb2f3fa7ce26860b65da34939d

SHA256
cc6377f8d451bd5ceb97d95409b74c9589f86edd47fead3db05e3a3dbfc6204a

SHA512
14e786deb9917c57dbdb6468a5b6b05ef0aacaa5a9efc962bac691648c1059c99537a85f9bd65013bb2765ebcbd1fa97027c6f2069ae2e1cc901d4247c7f404c

Download Submit
C:\Users\Admin\bkhost.exe
Filesize
122KB

MD5
6adba45c3cd86e3e4179c2489adc3ed0

SHA1
c856828981816a028d9948d4e90e83779ba00cc6

SHA256
e1432e8564f1a32df65a2cb433d4968e2109fef1508ad150a89e7c31227d3de8

SHA512
13404f5c2a311bc87e96d550674c9a7c6fda0f7808db1b901747d4e7a2e4c76bea268e38a17d3206ae419144981a060d29f916f676e586cc4376ad81717de672

Download Submit
C:\Users\Admin\bxpTXK8W.exe
Filesize
184KB

MD5
2261c2411c6e581bf496a0be8d46c6d8

SHA1
79e709807dff36c8d9936db05c0adcce54a1a290

SHA256
20e4fb3c4086c725feafdd50d8c8e405b20f6a9b868422455ca0b9cd007eb418

SHA512
622f86d976e9c140b29a1b29c21ac26415acab2762bac6d429123cb73af002377a0ecc62afaea0ef06dea689ebb6e70a1c7251186a260eae279cc8587622cefd

Download Submit
C:\Users\Admin\bxpTXK8W.exe
Filesize
184KB

MD5
2261c2411c6e581bf496a0be8d46c6d8

SHA1
79e709807dff36c8d9936db05c0adcce54a1a290

SHA256
20e4fb3c4086c725feafdd50d8c8e405b20f6a9b868422455ca0b9cd007eb418

SHA512
622f86d976e9c140b29a1b29c21ac26415acab2762bac6d429123cb73af002377a0ecc62afaea0ef06dea689ebb6e70a1c7251186a260eae279cc8587622cefd

Download Submit
C:\Users\Admin\ckhost.exe
Filesize
279KB

MD5
b4004c548fec0ae0f7264b509b95e4d8

SHA1
6142664dc2b3ce927fecb96fa18a1dbc5219ae8f

SHA256
3f4aae3b2ec5b1d842841e76a963f26b471ed15e9933c40d48469a48ed04ee56

SHA512
750223d1cf30812b4c9dba9f21893f2ce34b717c17da2befe47f13e8d623c5098f5133053cb1a909da5e4ebc07b68979e72fa8f36c26c6c191665b213e838d90

Download Submit
C:\Users\Admin\ckhost.exe
Filesize
279KB

MD5
b4004c548fec0ae0f7264b509b95e4d8

SHA1
6142664dc2b3ce927fecb96fa18a1dbc5219ae8f

SHA256
3f4aae3b2ec5b1d842841e76a963f26b471ed15e9933c40d48469a48ed04ee56

SHA512
750223d1cf30812b4c9dba9f21893f2ce34b717c17da2befe47f13e8d623c5098f5133053cb1a909da5e4ebc07b68979e72fa8f36c26c6c191665b213e838d90

Download Submit
C:\Users\Admin\dkhost.exe
Filesize
240KB

MD5
0a67782f34b335fe42be835ad4542124

SHA1
c1838a364f27ed7b8a463edefeabf8d762d1f149

SHA256
4f1d17a99aaf1719a96778e06edb417de118672ad3b0193a3fd2706a8e6f699c

SHA512
4dd56baf20ad532e7c1933d83889c649ffe4069a23dde43486c32105c0df67ebc8f670cb54c13a902105d38f5efea06c3a7f6481aec49c4af1b40bc8cfa7b086

Download Submit
C:\Users\Admin\ekhost.exe
Filesize
32KB

MD5
49e105d54bf4201e39ef974f9e5c24dc

SHA1
70737f6e75e250cfa335f8ef10be4b934f6fa1af

SHA256
a7d86eb136f345db624f4ddc577b61a2bb54f24c6b83a1de66dbdc167f3bb119

SHA512
7b9c210b69535ffca2280bd54b88bb2644e39fb1db487fbf8d83ea420c6db7d05b2373bef172a07b3090139e29110c593b09151e39ff6358d1fc62c0e91783fe

Download Submit
C:\Users\Admin\quukeo.exe
Filesize
184KB

MD5
c83f1df2d06a6ed98ee18a6884ac306d

SHA1
d6e43803bd0fc3893bd4e27d9188b6580d63f27a

SHA256
7728ec7cd79b659ed08314fcfc7a9dc7ee767f664ca24f764d82905d0e41f600

SHA512
010db1e4b22ef55f03a276fca01d0e2db0484f47b083a8bea0eb9e01cd50e1fcbd3ba5bfe9625dfcbd065159eb95ab0d153bc1262049e87eee25dfec9d5dab42

Download Submit
C:\Users\Admin\quukeo.exe
Filesize
184KB

MD5
c83f1df2d06a6ed98ee18a6884ac306d

SHA1
d6e43803bd0fc3893bd4e27d9188b6580d63f27a

SHA256
7728ec7cd79b659ed08314fcfc7a9dc7ee767f664ca24f764d82905d0e41f600

SHA512
010db1e4b22ef55f03a276fca01d0e2db0484f47b083a8bea0eb9e01cd50e1fcbd3ba5bfe9625dfcbd065159eb95ab0d153bc1262049e87eee25dfec9d5dab42

Download Submit
\Program Files (x86)\LP\6C6E\1FB2.tmp
Filesize
99KB

MD5
1e68864c3deefd4a81f2f505740f09fc

SHA1
8a12dea68e9924e27bed3076674ddd5e9448c443

SHA256
a25f10f13be9dc44c25c88c0834ffce455e0e7ad0d7e4a32c825120c3a5dc1bf

SHA512
60c98b7a8dfaba961363edbac2d58996b246b5a2e472b064173fa501ab06e3b800449e5020252450e73f13e1a59c704e10d778ee972396a19389217b0f0b4bce

Download Submit
\Program Files (x86)\LP\6C6E\1FB2.tmp
Filesize
99KB

MD5
1e68864c3deefd4a81f2f505740f09fc

SHA1
8a12dea68e9924e27bed3076674ddd5e9448c443

SHA256
a25f10f13be9dc44c25c88c0834ffce455e0e7ad0d7e4a32c825120c3a5dc1bf

SHA512
60c98b7a8dfaba961363edbac2d58996b246b5a2e472b064173fa501ab06e3b800449e5020252450e73f13e1a59c704e10d778ee972396a19389217b0f0b4bce

Download Submit
\Users\Admin\akhost.exe
Filesize
229KB

MD5
2c895814249b3630f5ef87aef065a6d2

SHA1
785a02f3a3c958fb2f3fa7ce26860b65da34939d

SHA256
cc6377f8d451bd5ceb97d95409b74c9589f86edd47fead3db05e3a3dbfc6204a

SHA512
14e786deb9917c57dbdb6468a5b6b05ef0aacaa5a9efc962bac691648c1059c99537a85f9bd65013bb2765ebcbd1fa97027c6f2069ae2e1cc901d4247c7f404c

Download Submit
\Users\Admin\akhost.exe
Filesize
229KB

MD5
2c895814249b3630f5ef87aef065a6d2

SHA1
785a02f3a3c958fb2f3fa7ce26860b65da34939d

SHA256
cc6377f8d451bd5ceb97d95409b74c9589f86edd47fead3db05e3a3dbfc6204a

SHA512
14e786deb9917c57dbdb6468a5b6b05ef0aacaa5a9efc962bac691648c1059c99537a85f9bd65013bb2765ebcbd1fa97027c6f2069ae2e1cc901d4247c7f404c

Download Submit
\Users\Admin\bkhost.exe
Filesize
122KB

MD5
6adba45c3cd86e3e4179c2489adc3ed0

SHA1
c856828981816a028d9948d4e90e83779ba00cc6

SHA256
e1432e8564f1a32df65a2cb433d4968e2109fef1508ad150a89e7c31227d3de8

SHA512
13404f5c2a311bc87e96d550674c9a7c6fda0f7808db1b901747d4e7a2e4c76bea268e38a17d3206ae419144981a060d29f916f676e586cc4376ad81717de672

Download Submit
\Users\Admin\bkhost.exe
Filesize
122KB

MD5
6adba45c3cd86e3e4179c2489adc3ed0

SHA1
c856828981816a028d9948d4e90e83779ba00cc6

SHA256
e1432e8564f1a32df65a2cb433d4968e2109fef1508ad150a89e7c31227d3de8

SHA512
13404f5c2a311bc87e96d550674c9a7c6fda0f7808db1b901747d4e7a2e4c76bea268e38a17d3206ae419144981a060d29f916f676e586cc4376ad81717de672

Download Submit
\Users\Admin\bxpTXK8W.exe
Filesize
184KB

MD5
2261c2411c6e581bf496a0be8d46c6d8

SHA1
79e709807dff36c8d9936db05c0adcce54a1a290

SHA256
20e4fb3c4086c725feafdd50d8c8e405b20f6a9b868422455ca0b9cd007eb418

SHA512
622f86d976e9c140b29a1b29c21ac26415acab2762bac6d429123cb73af002377a0ecc62afaea0ef06dea689ebb6e70a1c7251186a260eae279cc8587622cefd

Download Submit
\Users\Admin\bxpTXK8W.exe
Filesize
184KB

MD5
2261c2411c6e581bf496a0be8d46c6d8

SHA1
79e709807dff36c8d9936db05c0adcce54a1a290

SHA256
20e4fb3c4086c725feafdd50d8c8e405b20f6a9b868422455ca0b9cd007eb418

SHA512
622f86d976e9c140b29a1b29c21ac26415acab2762bac6d429123cb73af002377a0ecc62afaea0ef06dea689ebb6e70a1c7251186a260eae279cc8587622cefd

Download Submit
\Users\Admin\ckhost.exe
Filesize
279KB

MD5
b4004c548fec0ae0f7264b509b95e4d8

SHA1
6142664dc2b3ce927fecb96fa18a1dbc5219ae8f

SHA256
3f4aae3b2ec5b1d842841e76a963f26b471ed15e9933c40d48469a48ed04ee56

SHA512
750223d1cf30812b4c9dba9f21893f2ce34b717c17da2befe47f13e8d623c5098f5133053cb1a909da5e4ebc07b68979e72fa8f36c26c6c191665b213e838d90

Download Submit
\Users\Admin\ckhost.exe
Filesize
279KB

MD5
b4004c548fec0ae0f7264b509b95e4d8

SHA1
6142664dc2b3ce927fecb96fa18a1dbc5219ae8f

SHA256
3f4aae3b2ec5b1d842841e76a963f26b471ed15e9933c40d48469a48ed04ee56

SHA512
750223d1cf30812b4c9dba9f21893f2ce34b717c17da2befe47f13e8d623c5098f5133053cb1a909da5e4ebc07b68979e72fa8f36c26c6c191665b213e838d90

Download Submit
\Users\Admin\dkhost.exe
Filesize
240KB

MD5
0a67782f34b335fe42be835ad4542124

SHA1
c1838a364f27ed7b8a463edefeabf8d762d1f149

SHA256
4f1d17a99aaf1719a96778e06edb417de118672ad3b0193a3fd2706a8e6f699c

SHA512
4dd56baf20ad532e7c1933d83889c649ffe4069a23dde43486c32105c0df67ebc8f670cb54c13a902105d38f5efea06c3a7f6481aec49c4af1b40bc8cfa7b086

Download Submit
\Users\Admin\dkhost.exe
Filesize
240KB

MD5
0a67782f34b335fe42be835ad4542124

SHA1
c1838a364f27ed7b8a463edefeabf8d762d1f149

SHA256
4f1d17a99aaf1719a96778e06edb417de118672ad3b0193a3fd2706a8e6f699c

SHA512
4dd56baf20ad532e7c1933d83889c649ffe4069a23dde43486c32105c0df67ebc8f670cb54c13a902105d38f5efea06c3a7f6481aec49c4af1b40bc8cfa7b086

Download Submit
\Users\Admin\ekhost.exe
Filesize
32KB

MD5
49e105d54bf4201e39ef974f9e5c24dc

SHA1
70737f6e75e250cfa335f8ef10be4b934f6fa1af

SHA256
a7d86eb136f345db624f4ddc577b61a2bb54f24c6b83a1de66dbdc167f3bb119

SHA512
7b9c210b69535ffca2280bd54b88bb2644e39fb1db487fbf8d83ea420c6db7d05b2373bef172a07b3090139e29110c593b09151e39ff6358d1fc62c0e91783fe

Download Submit
\Users\Admin\ekhost.exe
Filesize
32KB

MD5
49e105d54bf4201e39ef974f9e5c24dc

SHA1
70737f6e75e250cfa335f8ef10be4b934f6fa1af

SHA256
a7d86eb136f345db624f4ddc577b61a2bb54f24c6b83a1de66dbdc167f3bb119

SHA512
7b9c210b69535ffca2280bd54b88bb2644e39fb1db487fbf8d83ea420c6db7d05b2373bef172a07b3090139e29110c593b09151e39ff6358d1fc62c0e91783fe

Download Submit
\Users\Admin\quukeo.exe
Filesize
184KB

MD5
c83f1df2d06a6ed98ee18a6884ac306d

SHA1
d6e43803bd0fc3893bd4e27d9188b6580d63f27a

SHA256
7728ec7cd79b659ed08314fcfc7a9dc7ee767f664ca24f764d82905d0e41f600

SHA512
010db1e4b22ef55f03a276fca01d0e2db0484f47b083a8bea0eb9e01cd50e1fcbd3ba5bfe9625dfcbd065159eb95ab0d153bc1262049e87eee25dfec9d5dab42

Download Submit
\Users\Admin\quukeo.exe
Filesize
184KB

MD5
c83f1df2d06a6ed98ee18a6884ac306d

SHA1
d6e43803bd0fc3893bd4e27d9188b6580d63f27a

SHA256
7728ec7cd79b659ed08314fcfc7a9dc7ee767f664ca24f764d82905d0e41f600

SHA512
010db1e4b22ef55f03a276fca01d0e2db0484f47b083a8bea0eb9e01cd50e1fcbd3ba5bfe9625dfcbd065159eb95ab0d153bc1262049e87eee25dfec9d5dab42

Download Submit
memory/560-86-0x0000000000000000-mapping.dmp

Download
memory/824-103-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/824-99-0x0000000000000000-mapping.dmp

Download
memory/824-110-0x00000000002EE000-0x0000000000334000-memory.dmp

Filesize
280KB

Download
memory/824-104-0x00000000002EE000-0x0000000000334000-memory.dmp

Filesize
280KB

Download
memory/824-102-0x00000000002EE000-0x0000000000334000-memory.dmp

Filesize
280KB

Download
memory/884-61-0x00000000005141C0-mapping.dmp

Download
memory/884-57-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/884-69-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/884-55-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/884-65-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/884-54-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/884-64-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/884-59-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/884-63-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/884-68-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/964-87-0x0000000000000000-mapping.dmp

Download
memory/1152-72-0x0000000000000000-mapping.dmp

Download
memory/1348-109-0x000007FEFC201000-0x000007FEFC203000-memory.dmp

Filesize
8KB

Download
memory/1484-90-0x0000000000000000-mapping.dmp

Download
memory/1540-80-0x0000000000000000-mapping.dmp

Download
memory/1580-122-0x0000000000000000-mapping.dmp

Download
memory/1580-124-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1580-125-0x00000000004C0000-0x00000000004CF000-memory.dmp

Filesize
60KB

Download
memory/1756-115-0x0000000000000000-mapping.dmp

Download
memory/1896-107-0x0000000000000000-mapping.dmp

Download
memory/1984-95-0x0000000000000000-mapping.dmp

Download