Analysis Overview
SHA256
81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f
Threat Level: Known bad
The file 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f was found to be: Known bad.
Malicious Activity Summary
Detect PurpleFox Rootkit
Gh0st RAT payload
PurpleFox
Modifies firewall policy service
Gh0strat
Sets service image path in registry
Sets DLL path for service in the registry
Drops file in Drivers directory
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of SetWindowsHookEx
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2023-08-23 06:00
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-23 05:59
Reported
2023-08-23 06:02
Platform
win10v2004-20230703-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
PurpleFox
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\主动防御服务模块\Parameters\ServiceDll = "C:\\Windows\\system32\\240611625.txt" | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\主动防御服务模块.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\主动防御服务模块.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\主动防御服务模块.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\240611625.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File created | C:\Windows\SysWOW64\主动防御服务模块.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\主动防御服务模块.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | \??\c:\windows\HPSocket4C.dll | C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| File opened for modification | \??\c:\windows\HPSocket4C.dll | C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
"C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 604
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"
C:\Windows\SysWOW64\主动防御服务模块.exe
C:\Windows\system32\主动防御服务模块.exe "c:\windows\system32\240611625.txt",MainThread
Network
Files
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/4948-137-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4948-139-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4948-141-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4948-140-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/3364-146-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3364-148-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3364-149-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3364-150-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/4948-153-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3364-157-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
C:\Windows\SysWOW64\240611625.txt
| MD5 | c8c8ff11e8ab024234441d9d8536c433 |
| SHA1 | 28a9f4f25191d13b38e6919e7107963468ed2720 |
| SHA256 | cc653810b728259c11f415dfb61b6710b430c02c297149de51129b0465634320 |
| SHA512 | 03e2befe6538313ac5f95e534501cea67146e172c11b16d1988114625f6bd52e866ac633025307c7545575a7dac97c5fd88e5b3814b80d132c5a24e2630d709e |
memory/2412-166-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
C:\Windows\SysWOW64\240611625.txt
| MD5 | c8c8ff11e8ab024234441d9d8536c433 |
| SHA1 | 28a9f4f25191d13b38e6919e7107963468ed2720 |
| SHA256 | cc653810b728259c11f415dfb61b6710b430c02c297149de51129b0465634320 |
| SHA512 | 03e2befe6538313ac5f95e534501cea67146e172c11b16d1988114625f6bd52e866ac633025307c7545575a7dac97c5fd88e5b3814b80d132c5a24e2630d709e |
\??\c:\windows\SysWOW64\240611625.txt
| MD5 | c8c8ff11e8ab024234441d9d8536c433 |
| SHA1 | 28a9f4f25191d13b38e6919e7107963468ed2720 |
| SHA256 | cc653810b728259c11f415dfb61b6710b430c02c297149de51129b0465634320 |
| SHA512 | 03e2befe6538313ac5f95e534501cea67146e172c11b16d1988114625f6bd52e866ac633025307c7545575a7dac97c5fd88e5b3814b80d132c5a24e2630d709e |
memory/2412-173-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2412-176-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
| MD5 | 6eff11a79838756628a2d397831f228d |
| SHA1 | df31f63af313a1c986ba13fa21def1e5f6b31d49 |
| SHA256 | 6672a5c1b29e07ce14b756e58e8efa6cc914864568674bcf4a910cccaacb73d3 |
| SHA512 | 78265a88bbf8bbab2163b6c2a2cf1ebc2c4596ad9568c77208123cf99aac03bf58511d19d8d41bfe484f91c9fa4ff563ed4cda162ee0ec18e60f8a8cc8284c83 |
C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
| MD5 | 6eff11a79838756628a2d397831f228d |
| SHA1 | df31f63af313a1c986ba13fa21def1e5f6b31d49 |
| SHA256 | 6672a5c1b29e07ce14b756e58e8efa6cc914864568674bcf4a910cccaacb73d3 |
| SHA512 | 78265a88bbf8bbab2163b6c2a2cf1ebc2c4596ad9568c77208123cf99aac03bf58511d19d8d41bfe484f91c9fa4ff563ed4cda162ee0ec18e60f8a8cc8284c83 |
memory/3912-182-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/3040-184-0x0000000000400000-0x0000000001034000-memory.dmp
memory/3912-183-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/3912-185-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/3912-186-0x00000000773B3000-0x00000000773B4000-memory.dmp
memory/3040-194-0x0000000010000000-0x000000001003E000-memory.dmp
C:\Windows\HPSocket4C.dll
| MD5 | c091a823c41bb5bc6c5a1ab6c926504c |
| SHA1 | 7b358a9211f8f5e3ce22f38075caf605fc4d2032 |
| SHA256 | c58334cb8bd8e7a2c998d0717fff8bacbd873ab949e40a0e5f053dd51b67cca4 |
| SHA512 | 742ea0c78115f602c16a793d6d34ea97f0ff8bd4fc1ab28b90b7b7a3dc6fe6b921615ce97c0b23839e18f632d8e09f4319052de532dd9d31b70a22f12b7cc68d |
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 36cd7c2f720111cd4ef41e3b5f0db256 |
| SHA1 | 2bd2af69331c5408eeaf23fddd505c58650cdaa9 |
| SHA256 | 23d9db3453f1434a943f3945e0546a7fefad5b75bc04dd7b8f7899172b10f1ff |
| SHA512 | 8216b4065b23c8475ad3e5badcabe1dc91fc3eaf5e504bc0ed0a60658067bc5526310594cb7374715f5ffdf5bb5d858bb6e0c7c86445eb5a64939268e2056b17 |
C:\Windows\SysWOW64\240611625.txt
| MD5 | c8c8ff11e8ab024234441d9d8536c433 |
| SHA1 | 28a9f4f25191d13b38e6919e7107963468ed2720 |
| SHA256 | cc653810b728259c11f415dfb61b6710b430c02c297149de51129b0465634320 |
| SHA512 | 03e2befe6538313ac5f95e534501cea67146e172c11b16d1988114625f6bd52e866ac633025307c7545575a7dac97c5fd88e5b3814b80d132c5a24e2630d709e |
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
| SHA512 | 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-23 05:59
Reported
2023-08-23 06:02
Platform
win7-20230712-en
Max time kernel
138s
Max time network
154s
Command Line
Signatures
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259423157.txt" | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\259423157.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\HPSocket4C.dll | C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| File created | \??\c:\windows\HPSocket4C.dll | C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\services.exe | C:\Windows\system32\services.exe |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\system32\wininit.exe | wininit.exe |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe |
| C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | "C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe" |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -auto |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -acsi |
| C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-15024054308906887281488968818-399177287996953393-11804891751891380056370260600" |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" |
| C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1 |
| C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" |
| C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259423157.txt",MainThread |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | 1.116.51.226 | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| CN | 1.116.51.226:8810 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
\Windows\SysWOW64\259423157.txt
| MD5 | c8c8ff11e8ab024234441d9d8536c433 |
| SHA1 | 28a9f4f25191d13b38e6919e7107963468ed2720 |
| SHA256 | cc653810b728259c11f415dfb61b6710b430c02c297149de51129b0465634320 |
| SHA512 | 03e2befe6538313ac5f95e534501cea67146e172c11b16d1988114625f6bd52e866ac633025307c7545575a7dac97c5fd88e5b3814b80d132c5a24e2630d709e |
\??\c:\windows\SysWOW64\259423157.txt
| MD5 | c8c8ff11e8ab024234441d9d8536c433 |
| SHA1 | 28a9f4f25191d13b38e6919e7107963468ed2720 |
| SHA256 | cc653810b728259c11f415dfb61b6710b430c02c297149de51129b0465634320 |
| SHA512 | 03e2befe6538313ac5f95e534501cea67146e172c11b16d1988114625f6bd52e866ac633025307c7545575a7dac97c5fd88e5b3814b80d132c5a24e2630d709e |
\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
| MD5 | 6eff11a79838756628a2d397831f228d |
| SHA1 | df31f63af313a1c986ba13fa21def1e5f6b31d49 |
| SHA256 | 6672a5c1b29e07ce14b756e58e8efa6cc914864568674bcf4a910cccaacb73d3 |
| SHA512 | 78265a88bbf8bbab2163b6c2a2cf1ebc2c4596ad9568c77208123cf99aac03bf58511d19d8d41bfe484f91c9fa4ff563ed4cda162ee0ec18e60f8a8cc8284c83 |
C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
| MD5 | 6eff11a79838756628a2d397831f228d |
| SHA1 | df31f63af313a1c986ba13fa21def1e5f6b31d49 |
| SHA256 | 6672a5c1b29e07ce14b756e58e8efa6cc914864568674bcf4a910cccaacb73d3 |
| SHA512 | 78265a88bbf8bbab2163b6c2a2cf1ebc2c4596ad9568c77208123cf99aac03bf58511d19d8d41bfe484f91c9fa4ff563ed4cda162ee0ec18e60f8a8cc8284c83 |
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\HD_81DD38EF1B5FCC2F50F7A22C27F83FA6FD8AD7E1621B554AF1F696C4FE705D1F.EXE
| MD5 | 6eff11a79838756628a2d397831f228d |
| SHA1 | df31f63af313a1c986ba13fa21def1e5f6b31d49 |
| SHA256 | 6672a5c1b29e07ce14b756e58e8efa6cc914864568674bcf4a910cccaacb73d3 |
| SHA512 | 78265a88bbf8bbab2163b6c2a2cf1ebc2c4596ad9568c77208123cf99aac03bf58511d19d8d41bfe484f91c9fa4ff563ed4cda162ee0ec18e60f8a8cc8284c83 |
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 36cd7c2f720111cd4ef41e3b5f0db256 |
| SHA1 | 2bd2af69331c5408eeaf23fddd505c58650cdaa9 |
| SHA256 | 23d9db3453f1434a943f3945e0546a7fefad5b75bc04dd7b8f7899172b10f1ff |
| SHA512 | 8216b4065b23c8475ad3e5badcabe1dc91fc3eaf5e504bc0ed0a60658067bc5526310594cb7374715f5ffdf5bb5d858bb6e0c7c86445eb5a64939268e2056b17 |
\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |