Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/08/2023, 05:59

General

  • Target

    81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe

  • Size

    13.6MB

  • MD5

    d69c7e8a72ac1862676f3b1dad3b040f

  • SHA1

    f25b9fad59131babc9581d769921e160cb340366

  • SHA256

    81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f

  • SHA512

    37d996749076277bde69c0b513711703472d0b14979024bd8eaf91f5352ab1483c9c25ea3677c7109d3a23ebf2318edbea17332c99faa2fe999a7616c6d228c8

  • SSDEEP

    393216:m7aA9iNATLFrUaE+gsevy5nU9uffWER6o4wX:OkNCLFrRXgjy5nU9ufjR6k

Malware Config

Signatures

  • Detect PurpleFox Rootkit 10 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 16 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • Drops file in Drivers directory 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 38 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 7 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
    PID:684
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    PID:604
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      2⤵
      PID:836
    • C:\Windows\system32\dwm.exe
      "dwm.exe"
      2⤵
      PID:404
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    PID:804
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      2⤵
      PID:3772
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      2⤵
      PID:3856
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      2⤵
      PID:3652
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      2⤵
      PID:3488
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      2⤵
      PID:3556
    • C:\Windows\system32\SppExtComObj.exe
      C:\Windows\system32\SppExtComObj.exe -Embedding
      2⤵
      PID:5048
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      2⤵
      PID:920
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
      2⤵
      PID:2768
    • C:\Windows\system32\wbem\unsecapp.exe
      C:\Windows\system32\wbem\unsecapp.exe -Embedding
      2⤵
      PID:2720
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      2⤵
      PID:4916
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
    1⤵
    PID:976
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS -p
    1⤵
    PID:924
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:828
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
    1⤵
    PID:412
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
    1⤵
    PID:672
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    1⤵
    PID:1108
    • C:\Windows\system32\taskhostw.exe
      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
      2⤵
      PID:2672
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
    1⤵
    PID:1100
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
    1⤵
    PID:1036
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
    1⤵
    PID:532
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
    1⤵
    PID:1392
    • C:\Windows\system32\sihost.exe
      sihost.exe
      2⤵
      PID:2384
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    1⤵
    PID:2648
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
    1⤵
    PID:5056
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    PID:3324
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3188
    • C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
      "C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe"
      2⤵
      • Modifies firewall policy service
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3912
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        C:\Users\Admin\AppData\Local\Temp\\svchost.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4948
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3084
          • C:\Windows\System32\Conhost.exe
            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            5⤵
            PID:2624
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 2 127.0.0.1
            5⤵
            • Runs ping.exe
            PID:3624
      • C:\Users\Admin\AppData\Local\Temp\svchos.exe
        C:\Users\Admin\AppData\Local\Temp\\svchos.exe
        3⤵
        • Sets DLL path for service in the registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        PID:4748
      • C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
        C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3040
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    PID:4648
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    PID:3840
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
    1⤵
    PID:4996
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
    1⤵
    PID:4364
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -s W32Time
    1⤵
    PID:3760
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
    1⤵
    PID:3768
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
    1⤵
    PID:2080
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
    1⤵
    PID:2656
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
    1⤵
    PID:2640
  • C:\Windows\sysmon.exe
    C:\Windows\sysmon.exe
    1⤵
    PID:2600
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
    1⤵
    PID:2572
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
    1⤵
    PID:2480
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2436
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
    1⤵
    PID:2356
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
    1⤵
    PID:2348
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
    1⤵
    PID:2084
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
    1⤵
    PID:1936
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
    1⤵
    PID:1712
  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
    PID:1480
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
    1⤵
    PID:1952
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
    1⤵
    PID:1892
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
    1⤵
    PID:1876
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
    1⤵
    PID:1864
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
    1⤵
    PID:1848
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
    1⤵
    PID:1716
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
    1⤵
    PID:1704
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
    1⤵
    PID:1616
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
    1⤵
    PID:1560
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
    1⤵
    PID:1528
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
    1⤵
    PID:1400
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
    1⤵
    PID:1372
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
    1⤵
    PID:1356
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
    1⤵
    PID:1324
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
    1⤵
    PID:1220
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
    1⤵
    PID:1212
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
    1⤵
                                                                                                                                            PID:1044
                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                            C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                                                                                                                            1⤵
                                                                                                                                              PID:1516
                                                                                                                                            • C:\Windows\SysWOW64\TXPlatforn.exe
                                                                                                                                              C:\Windows\SysWOW64\TXPlatforn.exe -auto
                                                                                                                                              1⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                              PID:3364
                                                                                                                                              • C:\Windows\SysWOW64\TXPlatforn.exe
                                                                                                                                                C:\Windows\SysWOW64\TXPlatforn.exe -acsi
                                                                                                                                                2⤵
                                                                                                                                                • Drops file in Drivers directory
                                                                                                                                                • Sets service image path in registry
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Suspicious behavior: LoadsDriver
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:2412
                                                                                                                                            • C:\Windows\SysWOW64\svchost.exe
                                                                                                                                              C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
                                                                                                                                              1⤵
                                                                                                                                              • Loads dropped DLL
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              PID:4784
                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 604
                                                                                                                                                2⤵
                                                                                                                                                • Program crash
                                                                                                                                                PID:1468
                                                                                                                                            • C:\Windows\SysWOW64\svchost.exe
                                                                                                                                              C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
                                                                                                                                              1⤵
                                                                                                                                                PID:1940
                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784
                                                                                                                                                1⤵
                                                                                                                                                  PID:3384
                                                                                                                                                • C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                  C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
                                                                                                                                                  1⤵
                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  PID:1192
                                                                                                                                                  • C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
                                                                                                                                                    C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240611625.txt",MainThread
                                                                                                                                                    2⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                    PID:5068

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
  Filesize: 11.9MB
  MD5: 6eff11a79838756628a2d397831f228d
  SHA1: df31f63af313a1c986ba13fa21def1e5f6b31d49
  SHA256: 6672a5c1b29e07ce14b756e58e8efa6cc914864568674bcf4a910cccaacb73d3
  SHA512: 78265a88bbf8bbab2163b6c2a2cf1ebc2c4596ad9568c77208123cf99aac03bf58511d19d8d41bfe484f91c9fa4ff563ed4cda162ee0ec18e60f8a8cc8284c83

• C:\Users\Admin\AppData\Local\Temp\HD_X.dat
  Filesize: 1.7MB
  MD5: 36cd7c2f720111cd4ef41e3b5f0db256
  SHA1: 2bd2af69331c5408eeaf23fddd505c58650cdaa9
  SHA256: 23d9db3453f1434a943f3945e0546a7fefad5b75bc04dd7b8f7899172b10f1ff
  SHA512: 8216b4065b23c8475ad3e5badcabe1dc91fc3eaf5e504bc0ed0a60658067bc5526310594cb7374715f5ffdf5bb5d858bb6e0c7c86445eb5a64939268e2056b17

• C:\Users\Admin\AppData\Local\Temp\svchos.exe
  Filesize: 93KB
  MD5: 3b377ad877a942ec9f60ea285f7119a2
  SHA1: 60b23987b20d913982f723ab375eef50fafa6c70
  SHA256: 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
  SHA512: af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

• C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 377KB
  MD5: a4329177954d4104005bce3020e5ef59
  SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
  SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
  SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

• C:\Windows\HPSocket4C.dll
  Filesize: 2.1MB
  MD5: c091a823c41bb5bc6c5a1ab6c926504c
  SHA1: 7b358a9211f8f5e3ce22f38075caf605fc4d2032
  SHA256: c58334cb8bd8e7a2c998d0717fff8bacbd873ab949e40a0e5f053dd51b67cca4
  SHA512: 742ea0c78115f602c16a793d6d34ea97f0ff8bd4fc1ab28b90b7b7a3dc6fe6b921615ce97c0b23839e18f632d8e09f4319052de532dd9d31b70a22f12b7cc68d

• C:\Windows\SysWOW64\240611625.txt
  Filesize: 50KB
  MD5: c8c8ff11e8ab024234441d9d8536c433
  SHA1: 28a9f4f25191d13b38e6919e7107963468ed2720
  SHA256: cc653810b728259c11f415dfb61b6710b430c02c297149de51129b0465634320
  SHA512: 03e2befe6538313ac5f95e534501cea67146e172c11b16d1988114625f6bd52e866ac633025307c7545575a7dac97c5fd88e5b3814b80d132c5a24e2630d709e

• C:\Windows\SysWOW64\TXPlatforn.exe
  Filesize: 377KB
  MD5: a4329177954d4104005bce3020e5ef59
  SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
  SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
  SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

• C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

• \??\c:\windows\SysWOW64\240611625.txt
  Filesize: 50KB
  MD5: c8c8ff11e8ab024234441d9d8536c433
  SHA1: 28a9f4f25191d13b38e6919e7107963468ed2720
  SHA256: cc653810b728259c11f415dfb61b6710b430c02c297149de51129b0465634320
  SHA512: 03e2befe6538313ac5f95e534501cea67146e172c11b16d1988114625f6bd52e866ac633025307c7545575a7dac97c5fd88e5b3814b80d132c5a24e2630d709e

• memory/2412-166-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

• memory/2412-313-0x000000007FE40000-0x000000007FE4C000-memory.dmp
  Filesize: 48KB

• memory/2412-173-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

• memory/2412-176-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

• memory/2412-324-0x000000007FE40000-0x000000007FE4C000-memory.dmp
  Filesize: 48KB

• memory/3040-237-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-220-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-184-0x0000000000400000-0x0000000001034000-memory.dmp
  Filesize: 12.2MB

• memory/3040-295-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-290-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-288-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-194-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-286-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-284-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-189-0x00000000773B2000-0x00000000773B3000-memory.dmp
  Filesize: 4KB

• memory/3040-282-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-280-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-278-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-200-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-198-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-202-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-276-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-203-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-274-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-207-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-270-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-211-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-213-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-216-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize: 248KB

• memory/3040-218-0x0000000010000000-0x000000001003E000-memory.dmp
  Filesize

                                                                                                                                                        248KB

                                                                                                                                                      • memory/3040-259-0x0000000010000000-0x000000001003E000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        248KB

                                                                                                                                                      • memory/3040-222-0x0000000010000000-0x000000001003E000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        248KB

                                                                                                                                                      • memory/3040-228-0x0000000000400000-0x0000000001034000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        12.2MB

                                                                                                                                                      • memory/3084-208-0x000000007F250000-0x000000007F25C000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        48KB

                                                                                                                                                      • memory/3364-157-0x0000000010000000-0x00000000101B6000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1.7MB

                                                                                                                                                      • memory/3364-150-0x0000000010000000-0x00000000101B6000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1.7MB

                                                                                                                                                      • memory/3364-149-0x0000000010000000-0x00000000101B6000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1.7MB

                                                                                                                                                      • memory/3364-146-0x0000000010000000-0x00000000101B6000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1.7MB

                                                                                                                                                      • memory/3364-148-0x0000000010000000-0x00000000101B6000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1.7MB

                                                                                                                                                      • memory/3624-205-0x00000000773B2000-0x00000000773B3000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        4KB

                                                                                                                                                      • memory/3912-183-0x000000007FE40000-0x000000007FE4C000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        48KB

                                                                                                                                                      • memory/3912-185-0x000000007FE40000-0x000000007FE4C000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        48KB

                                                                                                                                                      • memory/3912-182-0x000000007FE40000-0x000000007FE4C000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        48KB

                                                                                                                                                      • memory/3912-201-0x000000007FE40000-0x000000007FE4C000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        48KB

                                                                                                                                                      • memory/3912-235-0x000000007FE40000-0x000000007FE4C000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        48KB

                                                                                                                                                      • memory/3912-186-0x00000000773B3000-0x00000000773B4000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        4KB

                                                                                                                                                      • memory/4784-199-0x00000000773B3000-0x00000000773B4000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        4KB

                                                                                                                                                      • memory/4784-293-0x000000007F440000-0x000000007F44C000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        48KB

                                                                                                                                                      • memory/4784-197-0x000000007F440000-0x000000007F44C000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        48KB

                                                                                                                                                      • memory/4784-195-0x00000000773B2000-0x00000000773B3000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        4KB

                                                                                                                                                      • memory/4948-153-0x0000000010000000-0x00000000101B6000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1.7MB

                                                                                                                                                      • memory/4948-140-0x0000000010000000-0x00000000101B6000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1.7MB

                                                                                                                                                      • memory/4948-141-0x0000000010000000-0x00000000101B6000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1.7MB

                                                                                                                                                      • memory/4948-139-0x0000000010000000-0x00000000101B6000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1.7MB

                                                                                                                                                      • memory/4948-137-0x0000000010000000-0x00000000101B6000-memory.dmp

                                                                                                                                                        Filesize

                                                                                                                                                        1.7MB