Analysis
-
max time kernel
99s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
11/09/2024, 05:53
Behavioral task
behavioral1
Sample
f32c7e53a8c61f82fe8f4bd56d2c8990N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f32c7e53a8c61f82fe8f4bd56d2c8990N.exe
Resource
win10v2004-20240802-en
General
-
Target
f32c7e53a8c61f82fe8f4bd56d2c8990N.exe
-
Size
180KB
-
MD5
f32c7e53a8c61f82fe8f4bd56d2c8990
-
SHA1
8565ef71d88ec3204a9902f75a640f1d31c0c4da
-
SHA256
5c811f56a330ba73f56fc6163c4bb6a272ecaba341875be5bb17de58cae71851
-
SHA512
d4eafd85428cfda4895da9979794291d299be79d92bf698a867bde7bc8bb04bb66fb0257bf713773d9c06e06b033e2f91bb2d8d04e6b1123c2b181164d587936
-
SSDEEP
3072:Au3Sw3DhTkuQBphtJZGYru7EDmlFBphtJZGYru7EDml:NlpQBpht3cEyrBpht3cEy
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2696 skybot.exe 1036 skybot.exe 2808 skybot.exe 3224 skybot.exe 1900 skybot.exe 2012 skybot.exe 2140 skybot.exe 1888 skybot.exe 4372 skybot.exe 2440 skybot.exe 5060 skybot.exe 4892 skybot.exe 3120 skybot.exe 4768 skybot.exe 3932 skybot.exe 1004 skybot.exe 5116 skybot.exe 1532 skybot.exe 2248 skybot.exe 3492 skybot.exe 1232 skybot.exe 452 skybot.exe 3920 skybot.exe 2244 skybot.exe 2124 skybot.exe 2968 skybot.exe 3760 skybot.exe 3588 skybot.exe 3192 skybot.exe 1924 skybot.exe 4200 skybot.exe 4448 skybot.exe 4900 skybot.exe 4772 skybot.exe 864 skybot.exe 3928 skybot.exe 2892 skybot.exe 1452 skybot.exe 1404 skybot.exe 4760 skybot.exe 2448 skybot.exe 2860 skybot.exe 4468 skybot.exe 4344 skybot.exe 4128 skybot.exe 4080 skybot.exe 4296 skybot.exe 1036 skybot.exe 2808 skybot.exe 3224 skybot.exe 3700 skybot.exe 4124 skybot.exe 2192 skybot.exe 1412 skybot.exe 3360 skybot.exe 3532 skybot.exe 1248 skybot.exe 3568 skybot.exe 544 skybot.exe 4620 skybot.exe 748 skybot.exe 336 skybot.exe 1056 skybot.exe 3480 skybot.exe -
resource yara_rule behavioral2/memory/5020-0-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x0003000000022ab1-5.dat upx behavioral2/memory/2696-6-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/2696-11-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/1036-10-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/5020-8-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/1036-13-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/2808-15-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3224-17-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/1900-19-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/2012-21-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/2140-23-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4372-26-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/2440-28-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3120-32-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4892-33-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/5060-30-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3120-35-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3932-38-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3932-41-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/1004-40-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4768-37-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/1004-43-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/5116-45-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/2248-48-0x0000000000400000-0x0000000000410000-memory.dmp upx 
behavioral2/memory/3492-50-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/1232-52-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/452-54-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/2244-57-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/2124-59-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3760-62-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3760-64-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3588-66-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/2968-61-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/1924-71-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4200-72-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4200-74-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3192-68-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/1924-69-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4900-77-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4448-76-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4772-79-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4772-81-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/864-83-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3928-85-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/2892-87-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/1452-89-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/1404-91-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4760-93-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/2448-95-0x0000000000400000-0x0000000000410000-memory.dmp upx 
behavioral2/memory/2860-97-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4468-99-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4344-101-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4296-104-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4080-105-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4296-107-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/1036-109-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/2808-111-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3224-113-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3700-116-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4124-115-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/1412-120-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3360-122-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/1248-125-0x0000000000400000-0x0000000000410000-memory.dmp upx -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process 
not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" 
Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = 
"\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "\\skybot.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "\\skybot.exe" skybot.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe 
File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe skybot.exe File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found File created C:\Windows\SysWOW64\skybot.exe Process not Found -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
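Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. In this report the only evidence listed for it is opening the NLS\Language registry key, which benign locale-aware software also reads, so on its own it is a low-confidence indicator.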
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skybot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5020 wrote to memory of 2696 5020 f32c7e53a8c61f82fe8f4bd56d2c8990N.exe 85 PID 5020 wrote to memory of 2696 5020 f32c7e53a8c61f82fe8f4bd56d2c8990N.exe 85 PID 5020 wrote to memory of 2696 5020 f32c7e53a8c61f82fe8f4bd56d2c8990N.exe 85 PID 2696 wrote to memory of 1036 2696 skybot.exe 86 PID 2696 wrote to memory of 1036 2696 skybot.exe 86 PID 2696 wrote to memory of 1036 2696 skybot.exe 86 PID 1036 wrote to memory of 2808 1036 skybot.exe 87 PID 1036 wrote to memory of 2808 1036 skybot.exe 87 PID 1036 wrote to memory of 2808 1036 skybot.exe 87 PID 2808 wrote to memory of 3224 2808 skybot.exe 88 PID 2808 wrote to memory of 3224 2808 skybot.exe 88 PID 2808 wrote to memory of 3224 2808 skybot.exe 88 PID 3224 wrote to memory of 1900 3224 skybot.exe 89 PID 3224 wrote to memory of 1900 3224 skybot.exe 89 PID 3224 wrote to memory of 1900 3224 skybot.exe 89 PID 1900 wrote to memory of 2012 1900 skybot.exe 90 PID 1900 wrote to memory of 2012 1900 skybot.exe 90 PID 1900 wrote to memory of 2012 1900 skybot.exe 90 PID 2012 wrote to memory of 2140 2012 skybot.exe 91 PID 2012 wrote to memory of 2140 2012 skybot.exe 91 PID 2012 wrote to memory of 2140 2012 skybot.exe 91 PID 2140 wrote to memory of 1888 2140 skybot.exe 92 PID 2140 wrote to memory of 1888 2140 skybot.exe 92 PID 2140 wrote to memory of 1888 2140 skybot.exe 92 PID 1888 wrote to memory of 4372 1888 skybot.exe 93 PID 1888 wrote to memory of 4372 1888 skybot.exe 93 PID 1888 wrote to memory of 4372 1888 skybot.exe 93 PID 4372 wrote to memory of 2440 4372 skybot.exe 94 PID 4372 wrote to memory of 2440 4372 skybot.exe 94 PID 4372 wrote to memory of 2440 4372 skybot.exe 94 PID 2440 wrote to memory of 5060 2440 skybot.exe 95 PID 2440 wrote to memory of 5060 2440 skybot.exe 95 PID 2440 wrote to memory of 5060 2440 skybot.exe 95 PID 5060 wrote to memory of 4892 5060 skybot.exe 97 PID 5060 wrote to memory of 4892 5060 skybot.exe 97 PID 5060 wrote to memory of 4892 5060 skybot.exe 97 PID 4892 
wrote to memory of 3120 4892 skybot.exe 98 PID 4892 wrote to memory of 3120 4892 skybot.exe 98 PID 4892 wrote to memory of 3120 4892 skybot.exe 98 PID 3120 wrote to memory of 4768 3120 skybot.exe 99 PID 3120 wrote to memory of 4768 3120 skybot.exe 99 PID 3120 wrote to memory of 4768 3120 skybot.exe 99 PID 4768 wrote to memory of 3932 4768 skybot.exe 100 PID 4768 wrote to memory of 3932 4768 skybot.exe 100 PID 4768 wrote to memory of 3932 4768 skybot.exe 100 PID 3932 wrote to memory of 1004 3932 skybot.exe 101 PID 3932 wrote to memory of 1004 3932 skybot.exe 101 PID 3932 wrote to memory of 1004 3932 skybot.exe 101 PID 1004 wrote to memory of 5116 1004 skybot.exe 102 PID 1004 wrote to memory of 5116 1004 skybot.exe 102 PID 1004 wrote to memory of 5116 1004 skybot.exe 102 PID 5116 wrote to memory of 1532 5116 skybot.exe 103 PID 5116 wrote to memory of 1532 5116 skybot.exe 103 PID 5116 wrote to memory of 1532 5116 skybot.exe 103 PID 1532 wrote to memory of 2248 1532 skybot.exe 104 PID 1532 wrote to memory of 2248 1532 skybot.exe 104 PID 1532 wrote to memory of 2248 1532 skybot.exe 104 PID 2248 wrote to memory of 3492 2248 skybot.exe 105 PID 2248 wrote to memory of 3492 2248 skybot.exe 105 PID 2248 wrote to memory of 3492 2248 skybot.exe 105 PID 3492 wrote to memory of 1232 3492 skybot.exe 106 PID 3492 wrote to memory of 1232 3492 skybot.exe 106 PID 3492 wrote to memory of 1232 3492 skybot.exe 106 PID 1232 wrote to memory of 452 1232 skybot.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\f32c7e53a8c61f82fe8f4bd56d2c8990N.exe"C:\Users\Admin\AppData\Local\Temp\f32c7e53a8c61f82fe8f4bd56d2c8990N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe9⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe23⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe24⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe25⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe26⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe27⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe28⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe29⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe30⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe31⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1924 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe32⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4448 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe34⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe35⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe36⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe37⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe38⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe39⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe40⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe41⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe42⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe43⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe44⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe45⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe46⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe47⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe48⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe49⤵
- Executes dropped EXE
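PID:1036 - (this PID also appears earlier in the tree; Windows reuses PIDs after a process exits, so correlate on PID together with process creation time rather than PID alone)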
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe50⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe51⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe52⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe53⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe54⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe55⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe56⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe57⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe58⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe59⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe60⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe61⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe62⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe63⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe64⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe65⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\skybot.exe  C:\Windows\system32\skybot.exe  66⤵  PID:3160
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe67⤵PID:1360
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe68⤵PID:4160
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe69⤵PID:516
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe70⤵PID:460
-
C:\Windows\SysWOW64\skybot.exe  C:\Windows\system32\skybot.exe  71⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe72⤵PID:1588
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe73⤵PID:2508
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe74⤵PID:3812
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe75⤵PID:1300
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe76⤵PID:2024
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe77⤵PID:2592
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe78⤵PID:3836
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe79⤵PID:1476
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe80⤵PID:2632
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe81⤵PID:3668
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe82⤵PID:2488
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe83⤵PID:4308
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe84⤵PID:3452
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe85⤵PID:4764
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe86⤵PID:2084
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe87⤵PID:3164
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe88⤵PID:2364
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe89⤵PID:4580
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe90⤵PID:728
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe91⤵PID:3952
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe92⤵PID:1964
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe93⤵PID:812
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe94⤵PID:2648
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe95⤵PID:2240
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe96⤵PID:4760
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe97⤵PID:2448
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe98⤵PID:2584
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe99⤵PID:1252
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe100⤵PID:1348
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe101⤵PID:4356
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe102⤵PID:4348
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe103⤵PID:2684
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe104⤵PID:5020
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe105⤵PID:4688
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe106⤵PID:932
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe107⤵PID:1776
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe108⤵PID:2808
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe109⤵PID:4488
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe110⤵PID:4960
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe111⤵PID:4556
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe112⤵PID:2476
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe113⤵PID:4372
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe114⤵PID:4896
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe115⤵PID:3580
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe116⤵PID:1248
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe117⤵PID:3120
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe118⤵PID:4768
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe119⤵PID:1624
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe120⤵PID:4004
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe121⤵PID:1364
-
C:\Windows\SysWOW64\skybot.exeC:\Windows\system32\skybot.exe122⤵PID:4888