gh0strat | c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
Size

9.2MB
MD5

d93ffee2720341299fd0e9ff4dcf7f08
SHA1

53991521737dd2ce35a90429ced04185198e0f80
SHA256

c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8
SHA512

02fa3ba5352821d54a7a2ac5b1bc4fa2f95eae28167204bdb33bdc672edaa5c1ca0bfc610c20f7ea90dd73c5f64e02a9daa9f0bd44ec46da7450550e067e23b7
SSDEEP

98304:0te1xEOX9OcczjREI9tQeek2rT0DIcsn9Vhek2rv0DIRpKWf2gcek2rQ/:VGOXsccpt9crYercrsyfLccrw

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/2896-13098-0x0000000010000000-0x00000000101B5000-memory.dmp	purplefox_rootkit
behavioral2/memory/2896-13099-0x0000000010000000-0x00000000101B5000-memory.dmp	purplefox_rootkit
behavioral2/memory/15000-46888-0x0000000010000000-0x00000000101B5000-memory.dmp	purplefox_rootkit
behavioral2/memory/15000-52955-0x0000000010000000-0x00000000101B5000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/2896-13098-0x0000000010000000-0x00000000101B5000-memory.dmp	family_gh0strat
behavioral2/memory/2896-13099-0x0000000010000000-0x00000000101B5000-memory.dmp	family_gh0strat
behavioral2/memory/15000-46888-0x0000000010000000-0x00000000101B5000-memory.dmp	family_gh0strat
behavioral2/memory/15000-52955-0x0000000010000000-0x00000000101B5000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Server.dll

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Server.dll

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COM Surrogate.cmd.lnk	COM Surrogate.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health.cmd.lnk	Windows Security Health.cmd

Executes dropped EXE 14 IoCs

pid	Process
2084	Windows ygjaxs.dll
2252	COM Surrogate.cmd
4100	Windows Security Health.cmd
2896	Server.dll
15000	Server.dll
15016	Windows.Gaming.Input.exe
8620	Phxph.exe
17248	Serveri.dll
7700	Windows.dll
7716	Serveri.dll
9912	Windows.dll
9904	Serveri.dll
25772	Server.dll
17832	Windows.dll

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.Gaming.Input = "C:\\Windows\\SysWOW64\\Windows.Gaming.Input.exe"	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Phxph.exe	Server.dll
File opened for modification	C:\Windows\SysWOW64\Phxph.exe	Server.dll
File created	C:\Windows\SysWOW64\Serveri.dll	Windows Security Health.cmd
File opened for modification	C:\Windows\SysWOW64\Serveri.dll	Windows Security Health.cmd
File created	C:\Windows\SysWOW64\Windows.Gaming.Input.exe	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Gaming.Input.exe	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2896	Server.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
15000	Server.dll
15000	Server.dll
15000	Server.dll
15000	Server.dll
15000	Server.dll
15000	Server.dll
15000	Server.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
8620	Phxph.exe
17248	Serveri.dll
17248	Serveri.dll
17248	Serveri.dll
17248	Serveri.dll
17248	Serveri.dll
17248	Serveri.dll
17248	Serveri.dll
7716	Serveri.dll
7716	Serveri.dll
7716	Serveri.dll
7716	Serveri.dll
7716	Serveri.dll
7716	Serveri.dll
7716	Serveri.dll
7700	Windows.dll
25772	Server.dll
9912	Windows.dll
9904	Serveri.dll
2896	Server.dll
2896	Server.dll
2896	Server.dll
15000	Server.dll
2896	Server.dll
2896	Server.dll
15000	Server.dll
2896	Server.dll
15000	Server.dll
15000	Server.dll
15000	Server.dll
15000	Server.dll
15000	Server.dll
2896	Server.dll
15000	Server.dll
15000	Server.dll
2896	Server.dll
15000	Server.dll
2896	Server.dll

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c72-3.dat	upx
behavioral2/memory/2084-5-0x0000000000400000-0x0000000000524000-memory.dmp	upx
behavioral2/memory/2896-13098-0x0000000010000000-0x00000000101B5000-memory.dmp	upx
behavioral2/memory/2896-13099-0x0000000010000000-0x00000000101B5000-memory.dmp	upx
behavioral2/memory/2896-13096-0x0000000010000000-0x00000000101B5000-memory.dmp	upx
behavioral2/memory/2084-14333-0x0000000000400000-0x0000000000524000-memory.dmp	upx
behavioral2/memory/2084-27265-0x0000000000400000-0x0000000000524000-memory.dmp	upx
behavioral2/memory/15000-46888-0x0000000010000000-0x00000000101B5000-memory.dmp	upx
behavioral2/memory/15000-52955-0x0000000010000000-0x00000000101B5000-memory.dmp	upx
behavioral2/memory/2084-107879-0x0000000000400000-0x0000000000524000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
71796	9912	WerFault.exe	101
71792	25772	WerFault.exe	103
71828	9904	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows.Gaming.Input.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phxph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Health.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows ygjaxs.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM Surrogate.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Serveri.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
72200	PING.EXE
72112	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
72200	PING.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
15000	Server.dll

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	15000	Server.dll
Token: SeIncBasePriorityPrivilege	2896	Server.dll
Token: 33	15000	Server.dll
Token: SeIncBasePriorityPrivilege	15000	Server.dll
Token: 33	15000	Server.dll
Token: SeIncBasePriorityPrivilege	15000	Server.dll

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1312	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
1312	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
2084	Windows ygjaxs.dll
2084	Windows ygjaxs.dll
2084	Windows ygjaxs.dll
2252	COM Surrogate.cmd
2252	COM Surrogate.cmd
4100	Windows Security Health.cmd
4100	Windows Security Health.cmd
15016	Windows.Gaming.Input.exe
15016	Windows.Gaming.Input.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2084	1312	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	84
PID 1312 wrote to memory of 2084	1312	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	84
PID 1312 wrote to memory of 2084	1312	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	84
PID 1312 wrote to memory of 2252	1312	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	87
PID 1312 wrote to memory of 2252	1312	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	87
PID 1312 wrote to memory of 2252	1312	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	87
PID 1312 wrote to memory of 4100	1312	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	90
PID 1312 wrote to memory of 4100	1312	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	90
PID 1312 wrote to memory of 4100	1312	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	90
PID 2252 wrote to memory of 2896	2252	COM Surrogate.cmd	91
PID 2252 wrote to memory of 2896	2252	COM Surrogate.cmd	91
PID 2252 wrote to memory of 2896	2252	COM Surrogate.cmd	91
PID 2252 wrote to memory of 15000	2252	COM Surrogate.cmd	93
PID 2252 wrote to memory of 15000	2252	COM Surrogate.cmd	93
PID 2252 wrote to memory of 15000	2252	COM Surrogate.cmd	93
PID 1312 wrote to memory of 15016	1312	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	94
PID 1312 wrote to memory of 15016	1312	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	94
PID 1312 wrote to memory of 15016	1312	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	94
PID 4100 wrote to memory of 17248	4100	Windows Security Health.cmd	97
PID 4100 wrote to memory of 17248	4100	Windows Security Health.cmd	97
PID 4100 wrote to memory of 17248	4100	Windows Security Health.cmd	97
PID 15016 wrote to memory of 7700	15016	Windows.Gaming.Input.exe	99
PID 15016 wrote to memory of 7700	15016	Windows.Gaming.Input.exe	99
PID 15016 wrote to memory of 7700	15016	Windows.Gaming.Input.exe	99
PID 4100 wrote to memory of 7716	4100	Windows Security Health.cmd	100
PID 4100 wrote to memory of 7716	4100	Windows Security Health.cmd	100
PID 4100 wrote to memory of 7716	4100	Windows Security Health.cmd	100
PID 15016 wrote to memory of 9912	15016	Windows.Gaming.Input.exe	101
PID 15016 wrote to memory of 9912	15016	Windows.Gaming.Input.exe	101
PID 15016 wrote to memory of 9912	15016	Windows.Gaming.Input.exe	101
PID 4100 wrote to memory of 9904	4100	Windows Security Health.cmd	102
PID 4100 wrote to memory of 9904	4100	Windows Security Health.cmd	102
PID 4100 wrote to memory of 9904	4100	Windows Security Health.cmd	102
PID 2252 wrote to memory of 25772	2252	COM Surrogate.cmd	103
PID 2252 wrote to memory of 25772	2252	COM Surrogate.cmd	103
PID 2252 wrote to memory of 25772	2252	COM Surrogate.cmd	103
PID 15016 wrote to memory of 17832	15016	Windows.Gaming.Input.exe	104
PID 15016 wrote to memory of 17832	15016	Windows.Gaming.Input.exe	104
PID 15016 wrote to memory of 17832	15016	Windows.Gaming.Input.exe	104
PID 2896 wrote to memory of 72112	2896	Server.dll	118
PID 2896 wrote to memory of 72112	2896	Server.dll	118
PID 2896 wrote to memory of 72112	2896	Server.dll	118
PID 72112 wrote to memory of 72200	72112	cmd.exe	121
PID 72112 wrote to memory of 72200	72112	cmd.exe	121
PID 72112 wrote to memory of 72200	72112	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
"C:\Users\Admin\AppData\Local\Temp\c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\Windows ygjaxs.dll
  "C:\Users\Admin\AppData\Local\Temp\\Windows ygjaxs.dll"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\COM Surrogate.cmd
  "C:\Users\Admin\AppData\Local\Temp\\COM Surrogate.cmd"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\Server.dll
    C:\Users\Admin\AppData\Local\Temp\\Server.dll
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\Server.dll > nul
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:72112
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:72200
- - C:\Users\Admin\AppData\Local\Temp\Server.dll
    C:\Users\Admin\AppData\Local\Temp\\Server.dll
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:15000
- - C:\Users\Admin\AppData\Local\Temp\Server.dll
    C:\Users\Admin\AppData\Local\Temp\\Server.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:25772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 25772 -s 192
      4⤵
      Program crash
      PID:71792
- C:\Users\Admin\AppData\Roaming\Windows Security Health.cmd
  "C:\Users\Admin\AppData\Roaming\\Windows Security Health.cmd"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\SysWOW64\Serveri.dll
    C:\Windows\system32\\Serveri.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:17248
- - C:\Windows\SysWOW64\Serveri.dll
    C:\Windows\system32\\Serveri.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:7716
- - C:\Windows\SysWOW64\Serveri.dll
    C:\Windows\system32\\Serveri.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:9904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9904 -s 300
      4⤵
      Program crash
      PID:71828
- C:\Windows\SysWOW64\Windows.Gaming.Input.exe
  C:\Windows\system32\\Windows.Gaming.Input.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:15016
- - C:\Users\Admin\AppData\Roaming\Windows.dll
    C:\Users\Admin\AppData\Roaming\\Windows.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:7700
- - C:\Users\Admin\AppData\Roaming\Windows.dll
    C:\Users\Admin\AppData\Roaming\\Windows.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:9912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9912 -s 296
      4⤵
      Program crash
      PID:71796
- - C:\Users\Admin\AppData\Roaming\Windows.dll
    C:\Users\Admin\AppData\Roaming\\Windows.dll
    3⤵
    - Executes dropped EXE
    PID:17832

C:\Windows\SysWOW64\Phxph.exe
C:\Windows\SysWOW64\Phxph.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:8620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 9904 -ip 9904
1⤵
PID:71660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 9912 -ip 9912
1⤵
PID:71668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 25772 -ip 25772
1⤵
PID:71692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 7700 -ip 7700
1⤵
PID:71732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 17832 -ip 17832
1⤵
PID:71744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\COM Surrogate.cmd

Filesize
2.9MB

MD5
e1d44431b799d360d924352fb87c0aae

SHA1
87210f7c8f8759a5b23e8567643b2dfef51fc1e7

SHA256
f41cea6229006c96d286c284cda8ae342d987edfcbec9e3da2a38dc4233ad9f7

SHA512
a1cf0fe054e92770d5b7bb22538cd90ce906e0e3119ce66761da3f3cc55642818f0d7cadafb23fb62215395ce1b475affc4c0389e69f5209b708c8dbfcdd646c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.dll

Filesize
1.1MB

MD5
1144ea1e19cb2a42f7ad2fa04db8e476

SHA1
2ef6e0f9c5e57305bff6d30080cf68c1d3e101d9

SHA256
20569e9045f5c150eafa51752334b62c78b9dbc308d61dacfcb2098a76c5cf50

SHA512
3df308eafc0f014a07fbdeb706b32eb5de7e02a7496e70e5035d9b76db239435a2511964fc027380aad19763755c4e07e52f4e157b691c55c5a03d5b21593556

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows ygjaxs.dll

Filesize
459KB

MD5
f6bad3e56004d0ec916b9f93bbb971a1

SHA1
75e7d20bc42572a7dc1b9a12dc464576079b90b8

SHA256
d0b6965be9cc036a316acb456491562aea12d2bb52af12a475966ee7b41fc000

SHA512
07961000646b1e95504528afb0d2812a0ad0f3196999cc91401ebad0ecc520bd41075d85fdcce90d4d52b99d92ac21420b5e4140ccc3553a03969af6bab555a6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Health.cmd

Filesize
2.9MB

MD5
fe86e62f1f8cc2b9160c316c7e1ccffd

SHA1
540ed568fad46b2e4bccd6460e98e7e07a78068f

SHA256
bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af

SHA512
1cbe0eba13af47bfa1781d766dfaab6a0a185afa8f48694b5aab25c20a557101b69b63977a04c4cef0f9b5fde66deaea888e459f755fdee99c061e63f7eeb48a

Download Submit
C:\Windows\SysWOW64\Phxph.exe

Filesize
22.1MB

MD5
44d1ce29474bad8ada3d778af1dac0f3

SHA1
319f966cc44529a564f9d5d19e0fb99e0af2ea19

SHA256
d75217eccc9e4b9a2ccfb2819b1fdbf01a074042292bcf3162ec27a01b7ee1cf

SHA512
511ac3bfa10928190c7cb035a976c673fb758950ce4accde4a80b81b62ee0585d5d51930571ffa177fb1d63ecd4a770415bc09800cc5cd1ac6cb7efa16b7d025

Download Submit
C:\Windows\SysWOW64\Windows.Gaming.Input.exe

Filesize
2.0MB

MD5
7c42c0289a8ef2395efc1e7925b2d16e

SHA1
5b75f9495a791d982e269f3fb4dcac2b95f5138c

SHA256
24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7

SHA512
01e5a6f9a5145e01603c84f772e038b2ee40e45fb4d9b307269b199411fa68127e2443ede7ea30f0c630d2c84090de2c38b75ff8e139a7886e341e82b36750bc

Download Submit
memory/2084-5-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2084-27265-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2084-14333-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2084-107879-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2896-23-0x0000000076C40000-0x0000000076E55000-memory.dmp

Filesize
2.1MB

Download
memory/2896-5909-0x0000000075F70000-0x0000000075FEA000-memory.dmp

Filesize
488KB

Download
memory/2896-13095-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2896-13094-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2896-13099-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download
memory/2896-22-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2896-13098-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download
memory/2896-13096-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download
memory/2896-3900-0x0000000075FF0000-0x0000000076190000-memory.dmp

Filesize
1.6MB

Download
memory/2896-43705-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/7700-40903-0x0000000076C40000-0x0000000076E55000-memory.dmp

Filesize
2.1MB

Download
memory/7700-72361-0x0000000075FF0000-0x0000000076190000-memory.dmp

Filesize
1.6MB

Download
memory/7700-39990-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/7700-107895-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/7716-57428-0x0000000075F70000-0x0000000075FEA000-memory.dmp

Filesize
488KB

Download
memory/7716-98923-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/7716-40960-0x0000000076C40000-0x0000000076E55000-memory.dmp

Filesize
2.1MB

Download
memory/7716-47972-0x0000000075FF0000-0x0000000076190000-memory.dmp

Filesize
1.6MB

Download
memory/7716-39991-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/7716-107883-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/7716-98922-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/8620-107900-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/8620-29056-0x0000000075FF0000-0x0000000076190000-memory.dmp

Filesize
1.6MB

Download
memory/8620-17832-0x0000000076C40000-0x0000000076E55000-memory.dmp

Filesize
2.1MB

Download
memory/8620-35948-0x0000000075F70000-0x0000000075FEA000-memory.dmp

Filesize
488KB

Download
memory/9904-107897-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/9904-48475-0x0000000076C40000-0x0000000076E55000-memory.dmp

Filesize
2.1MB

Download
memory/9904-77948-0x0000000075FF0000-0x0000000076190000-memory.dmp

Filesize
1.6MB

Download
memory/9904-86804-0x0000000075F70000-0x0000000075FEA000-memory.dmp

Filesize
488KB

Download
memory/9912-53983-0x0000000076C40000-0x0000000076E55000-memory.dmp

Filesize
2.1MB

Download
memory/9912-107896-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/15000-19911-0x0000000075F70000-0x0000000075FEA000-memory.dmp

Filesize
488KB

Download
memory/15000-13108-0x0000000076C40000-0x0000000076E55000-memory.dmp

Filesize
2.1MB

Download
memory/15000-107888-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/15000-13103-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/15000-52955-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download
memory/15000-44545-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/15000-46888-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download
memory/15000-16990-0x0000000075FF0000-0x0000000076190000-memory.dmp

Filesize
1.6MB

Download
memory/15000-44546-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/17248-107882-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/17248-37348-0x0000000075F70000-0x0000000075FEA000-memory.dmp

Filesize
488KB

Download
memory/17248-90182-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/17248-90183-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/17248-20140-0x0000000076C40000-0x0000000076E55000-memory.dmp

Filesize
2.1MB

Download
memory/17248-29675-0x0000000075FF0000-0x0000000076190000-memory.dmp

Filesize
1.6MB

Download
memory/17832-88792-0x0000000076C40000-0x0000000076E55000-memory.dmp

Filesize
2.1MB

Download
memory/17832-107893-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/25772-64342-0x0000000076C40000-0x0000000076E55000-memory.dmp

Filesize
2.1MB

Download
memory/25772-87505-0x0000000075FF0000-0x0000000076190000-memory.dmp

Filesize
1.6MB

Download
memory/25772-95081-0x0000000075F70000-0x0000000075FEA000-memory.dmp

Filesize
488KB

Download
memory/25772-107898-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads