Malware Analysis Report

2024-12-07 21:19

Sample ID: 240204-yc91pabchl
Target: 8ffb95d5e237a22a2773b17e34a4c6b0
SHA256: 31eb4492dbdb099fae987f89fdb66fcd2a79367d6112a7f4a3ae47fdfa9e62d5
Tags: xtremerat persistence rat spyware upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 31eb4492dbdb099fae987f89fdb66fcd2a79367d6112a7f4a3ae47fdfa9e62d5

Threat Level: Known bad

The file 8ffb95d5e237a22a2773b17e34a4c6b0 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware upx

XtremeRAT

Detect XtremeRAT payload

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-04 19:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-04 19:39
Reported: 2024-02-04 19:42
Platform: win7-20231215-en
Max time kernel: 148s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7} C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7}\StubPath = "C:\\Windows\\InstallDir\\skypa.exe restart" C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7}\StubPath = "C:\\Windows\\InstallDir\\skypa.exe restart" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7} C:\Windows\InstallDir\skypa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7}\StubPath = "C:\\Windows\\InstallDir\\skypa.exe restart" C:\Windows\InstallDir\skypa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" C:\Windows\InstallDir\skypa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" C:\Windows\InstallDir\skypa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\InstallDir\skypa.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A
File opened for modification C:\Windows\InstallDir\skypa.exe C:\Windows\InstallDir\skypa.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\skypa.exe N/A
File opened for modification C:\Windows\InstallDir\skypa.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2184 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2184 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2184 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2184 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2184 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2184 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2184 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2184 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2184 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2184 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2184 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2712 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 2712 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe

"C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe"

C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe

C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\skypa.exe

"C:\Windows\InstallDir\skypa.exe"

C:\Windows\InstallDir\skypa.exe

"C:\Windows\InstallDir\skypa.exe"

C:\Windows\InstallDir\skypa.exe

"C:\Windows\InstallDir\skypa.exe"

C:\Windows\InstallDir\skypa.exe

C:\Windows\InstallDir\skypa.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\skypa.exe

C:\Windows\InstallDir\skypa.exe

C:\Windows\InstallDir\skypa.exe

C:\Windows\InstallDir\skypa.exe

Network

N/A

Files

memory/2184-0-0x0000000023240000-0x000000002326A000-memory.dmp

memory/2712-1-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/2712-2-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/2712-3-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/2712-5-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/2712-8-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/2712-11-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/2712-13-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/2712-15-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/2712-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2712-19-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/2764-28-0x0000000000C80000-0x0000000000CE9000-memory.dmp

C:\Windows\InstallDir\skypa.exe

MD5 8ffb95d5e237a22a2773b17e34a4c6b0
SHA1 7e74c23a6d66fc6ad4d6a5397642476af48735ad
SHA256 31eb4492dbdb099fae987f89fdb66fcd2a79367d6112a7f4a3ae47fdfa9e62d5
SHA512 e8a3c594e6d0009ad6cfe1f7d3341dcadac3fb536c001e0490c6b5f702abf904a30efc3964f797894c1aabbe03eb310d79ebf3e436b2a80c51dcc29de7f2aca8

memory/2184-30-0x0000000023240000-0x000000002326A000-memory.dmp

memory/2712-32-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/2712-38-0x0000000000C80000-0x0000000000CE9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\a24hcUtl1.xtr

MD5 6426d400c96fb9ffef4eaa54f6647f4c
SHA1 70a37871aff432790b6adf7d3fc4eb929476e082
SHA256 98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c
SHA512 2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5

\Windows\InstallDir\skypa.exe

MD5 37ae693d4a9a755b9c620bf5473bd3d1
SHA1 54af2c11b8aae8d6cfe855b250f53a5051728215
SHA256 bbb5b65c4320858bbc4016265cfc49baf1bcff7b9495e4ec29c5576f5f638421
SHA512 96c6eb3dad16b5c7e6e4300983501e390d38415b50515e6412c70b6af7046933aaa7b15edf12676f5ea530273bd83d5e3ed37ed926382f51c682e4570324607d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\a24hcUtl1.cfg

MD5 3c4d3cd283491acb2b8be880e6515e34
SHA1 24a402254b7b16a007a334655e811fee25bfac61
SHA256 077c026e8eaa149a9a0b3b2f361f1d5d90852bd082d40d5366f70a3b783100e5
SHA512 ec420ca447b53ec38b1ac879d8e03ad7f89babf8ce0f81d91d0befae0402f594e6a7f229763d6a3a1483a4d8658cdd5e581a7bf35d496c98402460d608a970c1

memory/800-70-0x0000000001610000-0x0000000001712000-memory.dmp

memory/800-71-0x0000000001610000-0x0000000001712000-memory.dmp

memory/800-73-0x0000000001610000-0x0000000001712000-memory.dmp

memory/800-75-0x0000000001610000-0x0000000001712000-memory.dmp

memory/800-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/800-79-0x0000000001610000-0x0000000001712000-memory.dmp

memory/800-80-0x0000000001610000-0x0000000001712000-memory.dmp

memory/764-82-0x0000000023240000-0x000000002326A000-memory.dmp

memory/800-81-0x0000000001610000-0x0000000001712000-memory.dmp

memory/800-83-0x0000000000140000-0x0000000000141000-memory.dmp

memory/800-84-0x0000000001610000-0x0000000001712000-memory.dmp

memory/800-85-0x0000000001610000-0x0000000001712000-memory.dmp

memory/800-87-0x0000000001610000-0x0000000001712000-memory.dmp

memory/800-137-0x0000000000140000-0x0000000000141000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-04 19:39
Reported: 2024-02-04 19:42
Platform: win10v2004-20231222-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7} C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7}\StubPath = "C:\\Windows\\InstallDir\\skypa.exe restart" C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7}\StubPath = "C:\\Windows\\InstallDir\\skypa.exe restart" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7} C:\Windows\InstallDir\skypa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7}\StubPath = "C:\\Windows\\InstallDir\\skypa.exe restart" C:\Windows\InstallDir\skypa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7}\StubPath = "C:\\Windows\\InstallDir\\skypa.exe restart" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\InstallDir\skypa.exe N/A
N/A N/A C:\Windows\InstallDir\skypa.exe N/A
N/A N/A C:\Windows\InstallDir\skypa.exe N/A
N/A N/A C:\Windows\InstallDir\skypa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" C:\Windows\InstallDir\skypa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" C:\Windows\InstallDir\skypa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\ C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A
File opened for modification C:\Windows\InstallDir\skypa.exe C:\Windows\InstallDir\skypa.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\skypa.exe N/A
File opened for modification C:\Windows\InstallDir\skypa.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A
File created C:\Windows\InstallDir\skypa.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\SysWOW64\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 2572 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
PID 1488 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\svchost.exe
PID 1488 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\svchost.exe
PID 1488 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\svchost.exe
PID 1488 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\svchost.exe
PID 1488 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 1488 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 1488 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 1488 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe C:\Windows\SysWOW64\explorer.exe
PID 1564 wrote to memory of 2684 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\InstallDir\skypa.exe
PID 1564 wrote to memory of 2684 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\InstallDir\skypa.exe
PID 1564 wrote to memory of 2684 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\InstallDir\skypa.exe
PID 3824 wrote to memory of 3984 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\skypa.exe
PID 3824 wrote to memory of 3984 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\skypa.exe
PID 3824 wrote to memory of 3984 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\InstallDir\skypa.exe
PID 2684 wrote to memory of 3012 N/A C:\Windows\InstallDir\skypa.exe C:\Windows\InstallDir\skypa.exe
PID 3012 wrote to memory of 3616 N/A C:\Windows\InstallDir\skypa.exe C:\Windows\SysWOW64\explorer.exe
PID 3984 wrote to memory of 2812 N/A C:\Windows\InstallDir\skypa.exe C:\Windows\InstallDir\skypa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe

"C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe"

C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe

C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\skypa.exe

"C:\Windows\InstallDir\skypa.exe"

C:\Windows\InstallDir\skypa.exe

"C:\Windows\InstallDir\skypa.exe"

C:\Windows\InstallDir\skypa.exe

C:\Windows\InstallDir\skypa.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\skypa.exe

C:\Windows\InstallDir\skypa.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 sweetma198.no-ip.info udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

memory/1488-3-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/1488-5-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/1488-1-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/1488-0-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/1488-6-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/1488-12-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/2572-11-0x0000000023240000-0x000000002326A000-memory.dmp

memory/1488-10-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/1488-9-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/1488-7-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/3824-19-0x0000000000C80000-0x0000000000CE9000-memory.dmp

C:\Windows\InstallDir\skypa.exe

MD5 1b386127d0dcc1897ff2e17f53ebcd84
SHA1 2340b99de16664cd0ca7f7863cbf2960cbcf7b1a
SHA256 641181c43c0a29142d61fcb21fd04c0c3db2a8abe5c4995ed766b3381bd32e1c
SHA512 840a5dfbdf5110c6c24cb8bed39f84fd15afad326952e78e23bc908954fc0bed04b930ee1f1668d1f5b8bdf504a387587b1427542bc9e315cd1ccfadb477247d

memory/1564-21-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/1488-22-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/1564-24-0x0000000000C80000-0x0000000000CE9000-memory.dmp

memory/1564-30-0x0000000000C80000-0x0000000000CE9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\a24hcUtl1.xtr

MD5 6426d400c96fb9ffef4eaa54f6647f4c
SHA1 70a37871aff432790b6adf7d3fc4eb929476e082
SHA256 98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c
SHA512 2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5

memory/1564-34-0x0000000000C80000-0x0000000000CE9000-memory.dmp

C:\Windows\InstallDir\skypa.exe

MD5 8ffb95d5e237a22a2773b17e34a4c6b0
SHA1 7e74c23a6d66fc6ad4d6a5397642476af48735ad
SHA256 31eb4492dbdb099fae987f89fdb66fcd2a79367d6112a7f4a3ae47fdfa9e62d5
SHA512 e8a3c594e6d0009ad6cfe1f7d3341dcadac3fb536c001e0490c6b5f702abf904a30efc3964f797894c1aabbe03eb310d79ebf3e436b2a80c51dcc29de7f2aca8

memory/2684-37-0x0000000023240000-0x000000002326A000-memory.dmp

memory/3012-48-0x0000000000C80000-0x0000000000CE9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\a24hcUtl1.cfg

MD5 3c4d3cd283491acb2b8be880e6515e34
SHA1 24a402254b7b16a007a334655e811fee25bfac61
SHA256 077c026e8eaa149a9a0b3b2f361f1d5d90852bd082d40d5366f70a3b783100e5
SHA512 ec420ca447b53ec38b1ac879d8e03ad7f89babf8ce0f81d91d0befae0402f594e6a7f229763d6a3a1483a4d8658cdd5e581a7bf35d496c98402460d608a970c1

memory/3616-53-0x0000000001610000-0x0000000001712000-memory.dmp

memory/3616-54-0x0000000001610000-0x0000000001712000-memory.dmp

memory/3616-55-0x0000000001610000-0x0000000001712000-memory.dmp

memory/3616-59-0x0000000001610000-0x0000000001712000-memory.dmp

memory/3616-60-0x00000000015C0000-0x00000000015C1000-memory.dmp

memory/3616-61-0x0000000001610000-0x0000000001712000-memory.dmp

memory/3616-65-0x0000000001610000-0x0000000001712000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\a24hcUtl1.dat

MD5 84cad01fdb44ae58dbe6c3973dcd87f5
SHA1 4700b42849fb35be323774820bf1bc8019d26c80
SHA256 8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6
SHA512 6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab

memory/3616-64-0x0000000001610000-0x0000000001712000-memory.dmp

memory/3616-62-0x0000000001610000-0x0000000001712000-memory.dmp

memory/3616-58-0x0000000001610000-0x0000000001712000-memory.dmp

memory/3616-57-0x0000000001610000-0x0000000001712000-memory.dmp

memory/2684-67-0x0000000023240000-0x000000002326A000-memory.dmp

memory/3616-68-0x0000000001610000-0x0000000001712000-memory.dmp

memory/3984-69-0x0000000023240000-0x000000002326A000-memory.dmp

memory/3984-83-0x0000000023240000-0x000000002326A000-memory.dmp

memory/3616-84-0x00000000015C0000-0x00000000015C1000-memory.dmp