gh0strat | c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
Size

9.2MB
MD5

d93ffee2720341299fd0e9ff4dcf7f08
SHA1

53991521737dd2ce35a90429ced04185198e0f80
SHA256

c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8
SHA512

02fa3ba5352821d54a7a2ac5b1bc4fa2f95eae28167204bdb33bdc672edaa5c1ca0bfc610c20f7ea90dd73c5f64e02a9daa9f0bd44ec46da7450550e067e23b7
SSDEEP

98304:0te1xEOX9OcczjREI9tQeek2rT0DIcsn9Vhek2rv0DIRpKWf2gcek2rQ/:VGOXsccpt9crYercrsyfLccrw

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/2220-13104-0x0000000010000000-0x00000000101B5000-memory.dmp	purplefox_rootkit
behavioral2/memory/2220-13103-0x0000000010000000-0x00000000101B5000-memory.dmp	purplefox_rootkit
behavioral2/memory/6440-75053-0x0000000010000000-0x00000000101B5000-memory.dmp	purplefox_rootkit
behavioral2/memory/6440-75864-0x0000000010000000-0x00000000101B5000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/2220-13104-0x0000000010000000-0x00000000101B5000-memory.dmp	family_gh0strat
behavioral2/memory/2220-13103-0x0000000010000000-0x00000000101B5000-memory.dmp	family_gh0strat
behavioral2/memory/6440-75053-0x0000000010000000-0x00000000101B5000-memory.dmp	family_gh0strat
behavioral2/memory/6440-75864-0x0000000010000000-0x00000000101B5000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Serveri.dll

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Serveri.dll

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health.cmd.lnk	Windows Security Health.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COM Surrogate.cmd.lnk	COM Surrogate.cmd

Executes dropped EXE 15 IoCs

pid	Process
2680	Windows ygjaxs.dll
1732	COM Surrogate.cmd
4280	Windows Security Health.cmd
2220	Server.dll
6396	Server.dll
8248	Windows.Gaming.Input.exe
6440	Serveri.dll
6476	Phxph.exe
7308	Server.dll
17160	Windows.dll
8960	Serveri.dll
65884	Windows.dll
79588	Serveri.dll
74344	Windows.dll
47996	Phxph.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.Gaming.Input = "C:\\Windows\\SysWOW64\\Windows.Gaming.Input.exe"	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Serveri.dll	Windows Security Health.cmd
File opened for modification	C:\Windows\SysWOW64\Serveri.dll	Windows Security Health.cmd
File created	C:\Windows\SysWOW64\Windows.Gaming.Input.exe	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Gaming.Input.exe	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
File created	C:\Windows\SysWOW64\Phxph.exe	Server.dll
File opened for modification	C:\Windows\SysWOW64\Phxph.exe	Server.dll

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
6396	Server.dll
6440	Serveri.dll
6396	Server.dll
6396	Server.dll
6396	Server.dll
6396	Server.dll
6396	Server.dll
6396	Server.dll
6440	Serveri.dll
6440	Serveri.dll
6440	Serveri.dll
6440	Serveri.dll
6440	Serveri.dll
6440	Serveri.dll
6476	Phxph.exe
17160	Windows.dll
8960	Serveri.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
6440	Serveri.dll
6440	Serveri.dll
6440	Serveri.dll
6440	Serveri.dll
6440	Serveri.dll
6440	Serveri.dll
7308	Server.dll
7308	Server.dll
7308	Server.dll
7308	Server.dll
7308	Server.dll
7308	Server.dll
7308	Server.dll
79588	Serveri.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
2220	Server.dll
6440	Serveri.dll
6440	Serveri.dll
6440	Serveri.dll
6440	Serveri.dll
6440	Serveri.dll
6440	Serveri.dll
65884	Windows.dll
65884	Windows.dll

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001e72a-3.dat	upx
behavioral2/memory/2680-4-0x0000000000400000-0x0000000000524000-memory.dmp	upx
behavioral2/memory/2220-13104-0x0000000010000000-0x00000000101B5000-memory.dmp	upx
behavioral2/memory/2220-13103-0x0000000010000000-0x00000000101B5000-memory.dmp	upx
behavioral2/memory/2220-13101-0x0000000010000000-0x00000000101B5000-memory.dmp	upx
behavioral2/memory/2680-13415-0x0000000000400000-0x0000000000524000-memory.dmp	upx
behavioral2/memory/6440-75053-0x0000000010000000-0x00000000101B5000-memory.dmp	upx
behavioral2/memory/2680-75054-0x0000000000400000-0x0000000000524000-memory.dmp	upx
behavioral2/memory/6440-75864-0x0000000010000000-0x00000000101B5000-memory.dmp	upx
behavioral2/memory/2680-75856-0x0000000000400000-0x0000000000524000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
44016	17160	WerFault.exe	93
104552	8960	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Health.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phxph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows ygjaxs.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM Surrogate.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows.Gaming.Input.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Serveri.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows.dll

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
24692	cmd.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
6440	Serveri.dll

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	6440	Serveri.dll
Token: SeIncBasePriorityPrivilege	2220	Server.dll
Token: 33	6440	Serveri.dll
Token: SeIncBasePriorityPrivilege	6440	Serveri.dll

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
808	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
808	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
2680	Windows ygjaxs.dll
2680	Windows ygjaxs.dll
2680	Windows ygjaxs.dll
1732	COM Surrogate.cmd
1732	COM Surrogate.cmd
4280	Windows Security Health.cmd
4280	Windows Security Health.cmd
8248	Windows.Gaming.Input.exe
8248	Windows.Gaming.Input.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 2680	808	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	82
PID 808 wrote to memory of 2680	808	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	82
PID 808 wrote to memory of 2680	808	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	82
PID 808 wrote to memory of 1732	808	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	83
PID 808 wrote to memory of 1732	808	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	83
PID 808 wrote to memory of 1732	808	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	83
PID 808 wrote to memory of 4280	808	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	84
PID 808 wrote to memory of 4280	808	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	84
PID 808 wrote to memory of 4280	808	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	84
PID 1732 wrote to memory of 2220	1732	COM Surrogate.cmd	85
PID 1732 wrote to memory of 2220	1732	COM Surrogate.cmd	85
PID 1732 wrote to memory of 2220	1732	COM Surrogate.cmd	85
PID 1732 wrote to memory of 6396	1732	COM Surrogate.cmd	86
PID 1732 wrote to memory of 6396	1732	COM Surrogate.cmd	86
PID 1732 wrote to memory of 6396	1732	COM Surrogate.cmd	86
PID 808 wrote to memory of 8248	808	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	87
PID 808 wrote to memory of 8248	808	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	87
PID 808 wrote to memory of 8248	808	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	87
PID 4280 wrote to memory of 6440	4280	Windows Security Health.cmd	90
PID 4280 wrote to memory of 6440	4280	Windows Security Health.cmd	90
PID 4280 wrote to memory of 6440	4280	Windows Security Health.cmd	90
PID 1732 wrote to memory of 7308	1732	COM Surrogate.cmd	92
PID 1732 wrote to memory of 7308	1732	COM Surrogate.cmd	92
PID 1732 wrote to memory of 7308	1732	COM Surrogate.cmd	92
PID 8248 wrote to memory of 17160	8248	Windows.Gaming.Input.exe	93
PID 8248 wrote to memory of 17160	8248	Windows.Gaming.Input.exe	93
PID 8248 wrote to memory of 17160	8248	Windows.Gaming.Input.exe	93
PID 4280 wrote to memory of 8960	4280	Windows Security Health.cmd	94
PID 4280 wrote to memory of 8960	4280	Windows Security Health.cmd	94
PID 4280 wrote to memory of 8960	4280	Windows Security Health.cmd	94
PID 8248 wrote to memory of 65884	8248	Windows.Gaming.Input.exe	96
PID 8248 wrote to memory of 65884	8248	Windows.Gaming.Input.exe	96
PID 8248 wrote to memory of 65884	8248	Windows.Gaming.Input.exe	96
PID 4280 wrote to memory of 79588	4280	Windows Security Health.cmd	98
PID 4280 wrote to memory of 79588	4280	Windows Security Health.cmd	98
PID 4280 wrote to memory of 79588	4280	Windows Security Health.cmd	98
PID 2220 wrote to memory of 24692	2220	Server.dll	106
PID 2220 wrote to memory of 24692	2220	Server.dll	106
PID 2220 wrote to memory of 24692	2220	Server.dll	106
PID 8248 wrote to memory of 74344	8248	Windows.Gaming.Input.exe	108
PID 8248 wrote to memory of 74344	8248	Windows.Gaming.Input.exe	108
PID 8248 wrote to memory of 74344	8248	Windows.Gaming.Input.exe	108

C:\Users\Admin\AppData\Local\Temp\c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
"C:\Users\Admin\AppData\Local\Temp\c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\Windows ygjaxs.dll
  "C:\Users\Admin\AppData\Local\Temp\\Windows ygjaxs.dll"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\COM Surrogate.cmd
  "C:\Users\Admin\AppData\Local\Temp\\COM Surrogate.cmd"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\Server.dll
    C:\Users\Admin\AppData\Local\Temp\\Server.dll
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\Server.dll > nul
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:24692
- - C:\Users\Admin\AppData\Local\Temp\Server.dll
    C:\Users\Admin\AppData\Local\Temp\\Server.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:6396
- - C:\Users\Admin\AppData\Local\Temp\Server.dll
    C:\Users\Admin\AppData\Local\Temp\\Server.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:7308
- C:\Users\Admin\AppData\Roaming\Windows Security Health.cmd
  "C:\Users\Admin\AppData\Roaming\\Windows Security Health.cmd"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\SysWOW64\Serveri.dll
    C:\Windows\system32\\Serveri.dll
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:6440
- - C:\Windows\SysWOW64\Serveri.dll
    C:\Windows\system32\\Serveri.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:8960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8960 -s 304
      4⤵
      Program crash
      PID:104552
- - C:\Windows\SysWOW64\Serveri.dll
    C:\Windows\system32\\Serveri.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:79588
- C:\Windows\SysWOW64\Windows.Gaming.Input.exe
  C:\Windows\system32\\Windows.Gaming.Input.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:8248
- - C:\Users\Admin\AppData\Roaming\Windows.dll
    C:\Users\Admin\AppData\Roaming\\Windows.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:17160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 17160 -s 340
      4⤵
      Program crash
      PID:44016
- - C:\Users\Admin\AppData\Roaming\Windows.dll
    C:\Users\Admin\AppData\Roaming\\Windows.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:65884
- - C:\Users\Admin\AppData\Roaming\Windows.dll
    C:\Users\Admin\AppData\Roaming\\Windows.dll
    3⤵
    - Executes dropped EXE
    PID:74344

C:\Windows\SysWOW64\Phxph.exe
C:\Windows\SysWOW64\Phxph.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 8960 -ip 8960
1⤵
PID:28168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 17160 -ip 17160
1⤵
PID:83372

C:\Windows\SysWOW64\Phxph.exe
C:\Windows\SysWOW64\Phxph.exe -auto
1⤵
- Executes dropped EXE
PID:47996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\COM Surrogate.cmd

Filesize
2.9MB

MD5
e1d44431b799d360d924352fb87c0aae

SHA1
87210f7c8f8759a5b23e8567643b2dfef51fc1e7

SHA256
f41cea6229006c96d286c284cda8ae342d987edfcbec9e3da2a38dc4233ad9f7

SHA512
a1cf0fe054e92770d5b7bb22538cd90ce906e0e3119ce66761da3f3cc55642818f0d7cadafb23fb62215395ce1b475affc4c0389e69f5209b708c8dbfcdd646c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.dll

Filesize
1.1MB

MD5
1144ea1e19cb2a42f7ad2fa04db8e476

SHA1
2ef6e0f9c5e57305bff6d30080cf68c1d3e101d9

SHA256
20569e9045f5c150eafa51752334b62c78b9dbc308d61dacfcb2098a76c5cf50

SHA512
3df308eafc0f014a07fbdeb706b32eb5de7e02a7496e70e5035d9b76db239435a2511964fc027380aad19763755c4e07e52f4e157b691c55c5a03d5b21593556

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows ygjaxs.dll

Filesize
459KB

MD5
f6bad3e56004d0ec916b9f93bbb971a1

SHA1
75e7d20bc42572a7dc1b9a12dc464576079b90b8

SHA256
d0b6965be9cc036a316acb456491562aea12d2bb52af12a475966ee7b41fc000

SHA512
07961000646b1e95504528afb0d2812a0ad0f3196999cc91401ebad0ecc520bd41075d85fdcce90d4d52b99d92ac21420b5e4140ccc3553a03969af6bab555a6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Health.cmd

Filesize
2.9MB

MD5
fe86e62f1f8cc2b9160c316c7e1ccffd

SHA1
540ed568fad46b2e4bccd6460e98e7e07a78068f

SHA256
bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af

SHA512
1cbe0eba13af47bfa1781d766dfaab6a0a185afa8f48694b5aab25c20a557101b69b63977a04c4cef0f9b5fde66deaea888e459f755fdee99c061e63f7eeb48a

Download Submit
C:\Windows\SysWOW64\Phxph.exe

Filesize
22.1MB

MD5
44d1ce29474bad8ada3d778af1dac0f3

SHA1
319f966cc44529a564f9d5d19e0fb99e0af2ea19

SHA256
d75217eccc9e4b9a2ccfb2819b1fdbf01a074042292bcf3162ec27a01b7ee1cf

SHA512
511ac3bfa10928190c7cb035a976c673fb758950ce4accde4a80b81b62ee0585d5d51930571ffa177fb1d63ecd4a770415bc09800cc5cd1ac6cb7efa16b7d025

Download Submit
C:\Windows\SysWOW64\Windows.Gaming.Input.exe

Filesize
2.0MB

MD5
7c42c0289a8ef2395efc1e7925b2d16e

SHA1
5b75f9495a791d982e269f3fb4dcac2b95f5138c

SHA256
24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7

SHA512
01e5a6f9a5145e01603c84f772e038b2ee40e45fb4d9b307269b199411fa68127e2443ede7ea30f0c630d2c84090de2c38b75ff8e139a7886e341e82b36750bc

Download Submit
memory/2220-13104-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download
memory/2220-13103-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download
memory/2220-75061-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2220-5913-0x0000000076260000-0x00000000762DA000-memory.dmp

Filesize
488KB

Download
memory/2220-24-0x0000000076F60000-0x0000000077175000-memory.dmp

Filesize
2.1MB

Download
memory/2220-21-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2220-3900-0x0000000077180000-0x0000000077320000-memory.dmp

Filesize
1.6MB

Download
memory/2220-13099-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2220-13101-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download
memory/2220-13100-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2680-75054-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2680-4-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2680-75856-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2680-13415-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/6396-13113-0x0000000076F60000-0x0000000077175000-memory.dmp

Filesize
2.1MB

Download
memory/6396-21082-0x0000000077180000-0x0000000077320000-memory.dmp

Filesize
1.6MB

Download
memory/6396-26745-0x0000000076260000-0x00000000762DA000-memory.dmp

Filesize
488KB

Download
memory/6396-75056-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/6396-5143-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/6396-59634-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/6396-59635-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/6440-60824-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/6440-60823-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/6440-13600-0x0000000076F60000-0x0000000077175000-memory.dmp

Filesize
2.1MB

Download
memory/6440-75864-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download
memory/6440-20870-0x0000000077180000-0x0000000077320000-memory.dmp

Filesize
1.6MB

Download
memory/6440-75053-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download
memory/6440-27597-0x0000000076260000-0x00000000762DA000-memory.dmp

Filesize
488KB

Download
memory/6440-75057-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/6476-75058-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/6476-43275-0x0000000076260000-0x00000000762DA000-memory.dmp

Filesize
488KB

Download
memory/6476-22555-0x0000000076F60000-0x0000000077175000-memory.dmp

Filesize
2.1MB

Download
memory/6476-35952-0x0000000077180000-0x0000000077320000-memory.dmp

Filesize
1.6MB

Download
memory/7308-91420-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/7308-24971-0x0000000076F60000-0x0000000077175000-memory.dmp

Filesize
2.1MB

Download
memory/7308-96896-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/7308-78350-0x0000000077180000-0x0000000077320000-memory.dmp

Filesize
1.6MB

Download
memory/7308-90250-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/7308-80360-0x0000000076260000-0x00000000762DA000-memory.dmp

Filesize
488KB

Download
memory/8960-62563-0x0000000077180000-0x0000000077320000-memory.dmp

Filesize
1.6MB

Download
memory/8960-49085-0x0000000076F60000-0x0000000077175000-memory.dmp

Filesize
2.1MB

Download
memory/8960-75060-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/8960-67120-0x0000000076260000-0x00000000762DA000-memory.dmp

Filesize
488KB

Download
memory/17160-49457-0x0000000077180000-0x0000000077320000-memory.dmp

Filesize
1.6MB

Download
memory/17160-56550-0x0000000076260000-0x00000000762DA000-memory.dmp

Filesize
488KB

Download
memory/17160-75059-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/17160-31604-0x0000000076F60000-0x0000000077175000-memory.dmp

Filesize
2.1MB

Download
memory/47996-132145-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/65884-132150-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/74344-132149-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/79588-96885-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/79588-86786-0x0000000076F60000-0x0000000077175000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads