gh0strat | 0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07

Analysis

max time kernel
107s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2023 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
Size

1.2MB
MD5

f360dc3dd3689f6f616424f975c9a66b
SHA1

d29b8903c81e15fb2a2adf82d34a82d296e4a81a
SHA256

0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07
SHA512

1136fc23a4b4f698757614a3a0acfafe3b4e0489dd5cecf80b443ac0497429d6c2549051702adfb9b83d6f8b1be841fda0d4529972d6e6de62b2a9d8ad9f3f97
SSDEEP

24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtie:WIwgMEuy+inDfp3/XoCw57XYBwKe

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx vmprotect

Malware Config

Signatures

Detect PurpleFox Rootkit 9 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/5012-159-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/5012-158-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/4980-170-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/4980-171-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/900-177-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/900-179-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/900-185-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/900-187-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/900-191-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 10 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240553328.txt	family_gh0strat
behavioral2/memory/5012-159-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/5012-158-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/4980-170-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/4980-171-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/900-177-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/900-179-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/900-185-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/900-187-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/900-191-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

Ghiya.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys Ghiya.exe
Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

Ghiya.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Ghiya.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	Ghiya.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Ghiya.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe

Drops startup file 1 IoCs

Processes:

0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe

Executes dropped EXE 5 IoCs

Processes:

AK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exe

pid process

1864 AK47.exe
1332 AK47.exe
5012 AK74.exe
4980 Ghiya.exe
900 Ghiya.exe
Loads dropped DLL 1 IoCs

Processes:

AK47.exe

pid process

1332 AK47.exe

pid	process
1864	AK47.exe
1332	AK47.exe
5012	AK74.exe
4980	Ghiya.exe
900	Ghiya.exe

pid	process
1332	AK47.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5012-156-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/5012-159-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/5012-158-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/4980-168-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/4980-170-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/4980-171-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/900-175-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/900-177-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/900-179-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/900-185-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/900-187-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/900-191-0x0000000010000000-0x00000000101BA000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2128-133-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2128-134-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe	vmprotect
behavioral2/memory/2128-193-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe

Drops file in System32 directory 3 IoCs

Processes:

AK74.exeAK47.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File opened for modification	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File created	C:\Windows\SysWOW64\240553328.txt	AK47.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2376 1332 WerFault.exe AK47.exe

pid	pid_target	process	target process
2376	1332	WerFault.exe	AK47.exe

Modifies registry class 1 IoCs

Processes:

0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

448 PING.EXE

pid	process
448	PING.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe

pid	process
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

Ghiya.exe

pid process

900 Ghiya.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe

pid process

2128 0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe

pid	process
900	Ghiya.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AK74.exeGhiya.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	5012	AK74.exe
Token: SeLoadDriverPrivilege	900	Ghiya.exe
Token: 33	900	Ghiya.exe
Token: SeIncBasePriorityPrivilege	900	Ghiya.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe

pid	process
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exeAK74.exeGhiya.execmd.exe

description	pid	process	target process
PID 2128 wrote to memory of 1864	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	AK47.exe
PID 2128 wrote to memory of 1864	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	AK47.exe
PID 2128 wrote to memory of 1864	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	AK47.exe
PID 2128 wrote to memory of 1332	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	AK47.exe
PID 2128 wrote to memory of 1332	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	AK47.exe
PID 2128 wrote to memory of 1332	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	AK47.exe
PID 2128 wrote to memory of 5012	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	AK74.exe
PID 2128 wrote to memory of 5012	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	AK74.exe
PID 2128 wrote to memory of 5012	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	AK74.exe
PID 5012 wrote to memory of 4360	5012	AK74.exe	cmd.exe
PID 5012 wrote to memory of 4360	5012	AK74.exe	cmd.exe
PID 5012 wrote to memory of 4360	5012	AK74.exe	cmd.exe
PID 4980 wrote to memory of 900	4980	Ghiya.exe	Ghiya.exe
PID 4980 wrote to memory of 900	4980	Ghiya.exe	Ghiya.exe
PID 4980 wrote to memory of 900	4980	Ghiya.exe	Ghiya.exe
PID 2128 wrote to memory of 2344	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	WScript.exe
PID 2128 wrote to memory of 2344	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	WScript.exe
PID 2128 wrote to memory of 2344	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	WScript.exe
PID 4360 wrote to memory of 448	4360	cmd.exe	PING.EXE
PID 4360 wrote to memory of 448	4360	cmd.exe	PING.EXE
PID 4360 wrote to memory of 448	4360	cmd.exe	PING.EXE
PID 2128 wrote to memory of 3484	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	WScript.exe
PID 2128 wrote to memory of 3484	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	WScript.exe
PID 2128 wrote to memory of 3484	2128	0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe
"C:\Users\Admin\AppData\Local\Temp\0a47563600d2017344126b79fea405aa00e66b2cc5efe6b39c05f02c275e8f07.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
2⤵
- Executes dropped EXE
PID:1864

C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 436
3⤵
- Program crash
PID:2376

C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:448

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
PID:2344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1332 -ip 1332
1⤵
PID:2228

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AK47.exe
Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK47.exe
Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK47.exe
Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK47.exe
Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK74.exe
Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK74.exe
Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Filesize
92B

MD5
29ce53e2a4a446614ccc8d64d346bde4

SHA1
39a7aa5cc1124842aa0c25abb16ea94452125cbe

SHA256
56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df

SHA512
b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
ea1a4517413d69fa2f396130bf1d0d08

SHA1
684bec7ae366eaac95e9da898e9c835c9185b825

SHA256
6002907770003b8ccb5d66fb25b6dae00d5b4e0538d54e2d2c723bc19c62bd6e

SHA512
9de4edbe67e27bba827fda7725b9d72eef060bc59066a941a471c80c0b1154b26a4817574ce86cb75aec62a05928bf644ab7a47e926ea38634201792cab3fe1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.2MB

MD5
b5de6173fc512a871b7397952d2faf4a

SHA1
7a40a8846122e8e085389936368cdf3a0c46dcc5

SHA256
472556aaa15ac746b4e3b0f5cb38e4a3ce6b682f0b16787c68235786dc65b344

SHA512
dfb00661b09554d192ae4131e38b9aaf1cfeaf58143a9df24a2bbe4c875cb140bda500a838d392a427761e2340a3a948b9fbbd1a30e1b664b2150ba9495375ca

Download Submit
C:\Windows\SysWOW64\240553328.txt
Filesize
49KB

MD5
52c430496e2ae7e002937e4d04a862a1

SHA1
6ce26bfb48686781774d731eeaeb450ed4a40ada

SHA256
d8b4ebac9487032331f483a45c220c8618c6e7ce028949ab6b07b73137b4159c

SHA512
a7a6e8d378821bd0c848cd0c482dbb72ff0ee7911a5e2b609496ff412f1058b56ef3ccf3c7bdcfe84129fab756b73f03228859539bcd1eaff7801a68fd7b89df

Download Submit
C:\Windows\SysWOW64\Ghiya.exe
Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Windows\SysWOW64\Ghiya.exe
Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Windows\SysWOW64\Ghiya.exe
Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
memory/900-185-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/900-191-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/900-187-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/900-175-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/900-177-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/900-179-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2128-134-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2128-193-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2128-133-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4980-171-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/4980-170-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/4980-168-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/5012-159-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/5012-156-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/5012-158-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download