Analysis
-
max time kernel
60s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system -
submitted
01/10/2023, 13:42
Behavioral task
behavioral1
Sample
d3557d117f370c036a0d7077fd5b05f4_JC.exe
Resource
win7-20230831-en
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
d3557d117f370c036a0d7077fd5b05f4_JC.exe
Resource
win10v2004-20230915-en
5 signatures
150 seconds
General
-
Target
d3557d117f370c036a0d7077fd5b05f4_JC.exe
-
Size
60KB
-
MD5
d3557d117f370c036a0d7077fd5b05f4
-
SHA1
6920be03da740a9cff1f974552ca7496c162634b
-
SHA256
9768b6f246789c699eb41016446c4ef1350c080661b68d359a18b2a234dcdbe1
-
SHA512
f5b4f7050f6877f4579cab8f1446897be7ff8f630800271f385002e2eaae33347922654e7fca67ad937b870578d425d1944a9416a59f5d48c5c09d768df58758
-
SSDEEP
768:jMcnFXakkGtWrA9HOdTaXXA+uYx7IXd562Re9tW5q:jMMkGUA5OdTaXX176BZq
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 1352 skybot.exe 1384 skybot.exe 4852 skybot.exe 2100 skybot.exe 2820 skybot.exe 3008 skybot.exe 4144 skybot.exe 3548 skybot.exe 1652 skybot.exe 1684 skybot.exe 4628 skybot.exe 4772 skybot.exe 3940 skybot.exe 2768 skybot.exe 420 skybot.exe 1836 skybot.exe 2460 skybot.exe 2836 skybot.exe 3212 skybot.exe 1344 skybot.exe 4464 skybot.exe 2312 skybot.exe 2524 skybot.exe 3340 skybot.exe 4220 skybot.exe 4308 skybot.exe 2016 skybot.exe 1812 skybot.exe 4820 skybot.exe 4832 skybot.exe 2756 skybot.exe 860 skybot.exe 1880 skybot.exe 4768 skybot.exe 4300 skybot.exe 2908 skybot.exe 1820 skybot.exe 2036 skybot.exe 3928 skybot.exe 3492 skybot.exe 4524 skybot.exe 1384 skybot.exe 4852 skybot.exe 3036 skybot.exe 4860 skybot.exe 2184 skybot.exe 976 skybot.exe 3296 skybot.exe 3244 skybot.exe 2120 skybot.exe 3844 skybot.exe 236 skybot.exe 4336 skybot.exe 2360 skybot.exe 2404 skybot.exe 3788 skybot.exe 3424 skybot.exe 2144 skybot.exe 1412 skybot.exe 3348 skybot.exe 5100 skybot.exe 2500 skybot.exe 4968 skybot.exe 4544 skybot.exe -
resource yara_rule behavioral2/memory/4792-0-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-5.dat upx behavioral2/memory/1352-6-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-7.dat upx behavioral2/memory/4792-8-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-9.dat upx behavioral2/memory/1352-10-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-11.dat upx behavioral2/memory/1384-12-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-13.dat upx behavioral2/memory/4852-14-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-15.dat upx behavioral2/memory/2100-16-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-17.dat upx behavioral2/memory/2820-18-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-19.dat upx behavioral2/memory/3008-20-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-21.dat upx behavioral2/memory/3548-23-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4144-22-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-24.dat upx behavioral2/memory/3548-25-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-26.dat upx behavioral2/memory/1652-27-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-28.dat upx behavioral2/memory/1684-29-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-30.dat upx behavioral2/memory/4772-32-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-34.dat upx behavioral2/memory/3940-33-0x0000000000400000-0x0000000000410000-memory.dmp upx 
behavioral2/files/0x00060000000230b4-31.dat upx behavioral2/memory/3940-35-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-36.dat upx behavioral2/memory/2768-37-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/420-39-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/1836-40-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-38.dat upx behavioral2/memory/1836-42-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-41.dat upx behavioral2/memory/2460-43-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-44.dat upx behavioral2/files/0x00060000000230b4-45.dat upx behavioral2/memory/2836-46-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-47.dat upx behavioral2/memory/1344-49-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3212-48-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-50.dat upx behavioral2/memory/1344-51-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-52.dat upx behavioral2/memory/4464-53-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-54.dat upx behavioral2/memory/2312-55-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-56.dat upx behavioral2/memory/2524-57-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-58.dat upx behavioral2/memory/4220-59-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3340-60-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-61.dat upx behavioral2/files/0x00060000000230b4-62.dat upx behavioral2/memory/4308-63-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-64.dat upx 
behavioral2/memory/2016-65-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00060000000230b4-66.dat upx behavioral2/memory/1812-67-0x0000000000400000-0x0000000000410000-memory.dmp upx -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "skybot.exe" Process not Found -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created 
C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4792 wrote to memory of 1352 4792 d3557d117f370c036a0d7077fd5b05f4_JC.exe 86 PID 4792 wrote to memory of 1352 4792 d3557d117f370c036a0d7077fd5b05f4_JC.exe 86 PID 4792 wrote to memory of 1352 4792 d3557d117f370c036a0d7077fd5b05f4_JC.exe 86 PID 1352 wrote to memory of 1384 1352 skybot.exe 87 PID 1352 wrote to memory of 1384 1352 skybot.exe 87 PID 1352 wrote to memory of 1384 1352 skybot.exe 87 PID 1384 wrote to memory of 4852 1384 skybot.exe 89 PID 1384 wrote to memory of 4852 1384 skybot.exe 89 PID 1384 wrote to memory of 4852 1384 skybot.exe 89 PID 4852 wrote to memory of 2100 4852 skybot.exe 90 PID 4852 wrote to memory of 2100 4852 skybot.exe 90 PID 4852 wrote to memory of 2100 4852 skybot.exe 90 PID 2100 wrote to memory of 2820 2100 skybot.exe 91 PID 2100 wrote to memory of 2820 2100 skybot.exe 91 PID 2100 wrote to memory of 2820 2100 skybot.exe 91 PID 2820 wrote to memory of 3008 2820 skybot.exe 92 PID 2820 wrote to memory of 3008 2820 skybot.exe 92 PID 2820 wrote to memory of 3008 2820 skybot.exe 92 PID 3008 wrote to memory of 4144 3008 skybot.exe 93 PID 3008 wrote to memory of 4144 3008 skybot.exe 93 PID 3008 wrote to memory of 4144 3008 skybot.exe 93 PID 4144 wrote to memory of 3548 4144 skybot.exe 94 PID 4144 wrote to memory of 3548 4144 skybot.exe 94 PID 4144 wrote to memory of 3548 4144 skybot.exe 94 PID 3548 wrote to memory of 1652 3548 skybot.exe 95 PID 3548 wrote to memory of 1652 3548 skybot.exe 95 PID 3548 wrote to memory of 1652 3548 skybot.exe 95 PID 1652 wrote to memory of 1684 1652 skybot.exe 96 PID 1652 wrote to memory of 1684 1652 skybot.exe 96 PID 1652 wrote to memory of 1684 1652 skybot.exe 96 PID 1684 wrote to memory of 4628 1684 skybot.exe 97 PID 1684 wrote to memory of 4628 1684 skybot.exe 97 PID 1684 wrote to memory of 4628 1684 skybot.exe 97 PID 4628 wrote to memory of 4772 4628 skybot.exe 98 PID 4628 wrote to memory of 4772 4628 skybot.exe 98 PID 4628 wrote to memory of 4772 4628 skybot.exe 98 
PID 4772 wrote to memory of 3940 4772 skybot.exe 99 PID 4772 wrote to memory of 3940 4772 skybot.exe 99 PID 4772 wrote to memory of 3940 4772 skybot.exe 99 PID 3940 wrote to memory of 2768 3940 skybot.exe 100 PID 3940 wrote to memory of 2768 3940 skybot.exe 100 PID 3940 wrote to memory of 2768 3940 skybot.exe 100 PID 2768 wrote to memory of 420 2768 skybot.exe 101 PID 2768 wrote to memory of 420 2768 skybot.exe 101 PID 2768 wrote to memory of 420 2768 skybot.exe 101 PID 420 wrote to memory of 1836 420 skybot.exe 102 PID 420 wrote to memory of 1836 420 skybot.exe 102 PID 420 wrote to memory of 1836 420 skybot.exe 102 PID 1836 wrote to memory of 2460 1836 skybot.exe 103 PID 1836 wrote to memory of 2460 1836 skybot.exe 103 PID 1836 wrote to memory of 2460 1836 skybot.exe 103 PID 2460 wrote to memory of 2836 2460 skybot.exe 104 PID 2460 wrote to memory of 2836 2460 skybot.exe 104 PID 2460 wrote to memory of 2836 2460 skybot.exe 104 PID 2836 wrote to memory of 3212 2836 skybot.exe 105 PID 2836 wrote to memory of 3212 2836 skybot.exe 105 PID 2836 wrote to memory of 3212 2836 skybot.exe 105 PID 3212 wrote to memory of 1344 3212 skybot.exe 106 PID 3212 wrote to memory of 1344 3212 skybot.exe 106 PID 3212 wrote to memory of 1344 3212 skybot.exe 106 PID 1344 wrote to memory of 4464 1344 skybot.exe 107 PID 1344 wrote to memory of 4464 1344 skybot.exe 107 PID 1344 wrote to memory of 4464 1344 skybot.exe 107 PID 4464 wrote to memory of 2312 4464 skybot.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3557d117f370c036a0d7077fd5b05f4_JC.exe"C:\Users\Admin\AppData\Local\Temp\d3557d117f370c036a0d7077fd5b05f4_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe11⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:420 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe22⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe23⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2312 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe24⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe25⤵PID:3340
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe26⤵PID:4220
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe27⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe28⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe29⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe30⤵PID:4820
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe31⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4832 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe32⤵PID:2756
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe33⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe34⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1880 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe35⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe36⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe37⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe38⤵PID:1820
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe39⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe40⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe41⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe42⤵PID:4524
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe43⤵PID:1384
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe44⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe45⤵PID:3036
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe46⤵PID:4860
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe47⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe48⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe49⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe50⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe51⤵PID:2120
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe52⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe53⤵PID:236
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe54⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe55⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe56⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe57⤵PID:3788
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe58⤵PID:3424
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe59⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe60⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe61⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe62⤵PID:5100
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe63⤵PID:2500
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe64⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe65⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe66⤵PID:3332
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe67⤵PID:848
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe68⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3340 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe69⤵PID:584
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe70⤵PID:3004
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe71⤵PID:408
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe72⤵PID:980
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe73⤵PID:5000
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe74⤵PID:1488
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe75⤵PID:4172
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe76⤵
- Adds Run key to start application
PID:2028 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe77⤵PID:3644
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe78⤵PID:4232
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe79⤵PID:3720
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe80⤵PID:884
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe81⤵PID:1712
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe82⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe83⤵PID:1800
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe84⤵PID:4632
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe85⤵
- Drops file in System32 directory
PID:3608 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe86⤵PID:3264
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe87⤵PID:1808
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe88⤵PID:3112
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe89⤵PID:3488
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe90⤵PID:3904
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe91⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4860 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe92⤵PID:3524
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe93⤵
- Adds Run key to start application
PID:2676 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe94⤵PID:2980
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe95⤵PID:3840
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe96⤵PID:3360
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe97⤵PID:2120
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe98⤵PID:3880
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe99⤵PID:2892
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe100⤵PID:4900
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe101⤵PID:2768
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe102⤵PID:2840
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe103⤵PID:268
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe104⤵PID:1432
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe105⤵PID:740
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe106⤵PID:4624
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe107⤵PID:2836
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe108⤵PID:1860
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe109⤵PID:5012
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe110⤵PID:5100
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe111⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe112⤵PID:1672
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe113⤵PID:5020
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe114⤵PID:3480
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe115⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4220 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe116⤵PID:3108
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe117⤵PID:4456
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe118⤵PID:3152
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe119⤵PID:3192
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe120⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe121⤵PID:5004
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe122⤵PID:2740