Analysis Overview
SHA256
3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796
Threat Level: Known bad
The file 3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796 was found to be: Known bad.
Malicious Activity Summary
Detect PurpleFox Rootkit
Gh0strat
Gh0st RAT payload
PurpleFox
Sets DLL path for service in the registry
Drops file in Drivers directory
Sets service image path in registry
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-28 09:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-28 09:03
Reported
2023-08-28 09:06
Platform
win7-20230712-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
PurpleFox
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259425091.txt" | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\259425091.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | "C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe" |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -auto |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -acsi |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1 |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" |
| C:\Users\Admin\AppData\Local\Temp\HD_3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | C:\Users\Admin\AppData\Local\Temp\HD_3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe |
| C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259425091.txt",MainThread |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/856-5-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/856-9-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/856-8-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/1476-17-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/856-23-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
\Windows\SysWOW64\259425091.txt
| MD5 | c273ba7459d59fa3ecccc80a5894500b |
| SHA1 | 33e52c2ac485f70acb964eeb27ece96335e3d9ae |
| SHA256 | 5e25d7ce179ef1ed886a571f0e8b98d2cc5f2b9412cb7773617a74d25214057e |
| SHA512 | 6276b6eaf0a8bc3696636ca3dd3a18d8ec53d42eb6ea3c67e5e024ae932ee6f683e87e11746893cd15e272e6f2f6e68bb63454f964221329243b996ca5524435 |
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
memory/1476-35-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2312-36-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2312-39-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2312-41-0x0000000010000000-0x00000000101B6000-memory.dmp
\Windows\SysWOW64\259425091.txt
| MD5 | c273ba7459d59fa3ecccc80a5894500b |
| SHA1 | 33e52c2ac485f70acb964eeb27ece96335e3d9ae |
| SHA256 | 5e25d7ce179ef1ed886a571f0e8b98d2cc5f2b9412cb7773617a74d25214057e |
| SHA512 | 6276b6eaf0a8bc3696636ca3dd3a18d8ec53d42eb6ea3c67e5e024ae932ee6f683e87e11746893cd15e272e6f2f6e68bb63454f964221329243b996ca5524435 |
\??\c:\windows\SysWOW64\259425091.txt
| MD5 | c273ba7459d59fa3ecccc80a5894500b |
| SHA1 | 33e52c2ac485f70acb964eeb27ece96335e3d9ae |
| SHA256 | 5e25d7ce179ef1ed886a571f0e8b98d2cc5f2b9412cb7773617a74d25214057e |
| SHA512 | 6276b6eaf0a8bc3696636ca3dd3a18d8ec53d42eb6ea3c67e5e024ae932ee6f683e87e11746893cd15e272e6f2f6e68bb63454f964221329243b996ca5524435 |
\Users\Admin\AppData\Local\Temp\HD_3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe
| MD5 | ccb852904a2216c1d110d475009c5182 |
| SHA1 | 2319964fea08b7ff95e14aeb6614ebf25a18796c |
| SHA256 | 6e16f4691a0c3250c8fcce465827c4996611229c2e74abc40c280afc1582831c |
| SHA512 | ab946559c55cc3f90046cc85b02635cd7c3aa9fa137d905c8c621a0697f3f37774e45ff440430107245c5e3bebe167511d9156adb6ae538f87a00d8c8631cb1f |
C:\Users\Admin\AppData\Local\Temp\HD_3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe
| MD5 | ccb852904a2216c1d110d475009c5182 |
| SHA1 | 2319964fea08b7ff95e14aeb6614ebf25a18796c |
| SHA256 | 6e16f4691a0c3250c8fcce465827c4996611229c2e74abc40c280afc1582831c |
| SHA512 | ab946559c55cc3f90046cc85b02635cd7c3aa9fa137d905c8c621a0697f3f37774e45ff440430107245c5e3bebe167511d9156adb6ae538f87a00d8c8631cb1f |
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | cd1ddb651f6ca789eb274e31da5a76e6 |
| SHA1 | 23d22d976c55c7da5ac61585c599cea37a052778 |
| SHA256 | c7efc5e3fbc98f81f948f6edae820709029fc10dd4940b4d42bf5f44dfd6190f |
| SHA512 | 1d94154f4ceb0fc0134c884abb245f723103b56a5f100f2d762d7c4731fe159b7e3a7ec06fbdf0ff4baafb306abfa31e0c14a7926c5e4393cf952866662d4aad |
\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
\Windows\SysWOW64\259425091.txt
| MD5 | c273ba7459d59fa3ecccc80a5894500b |
| SHA1 | 33e52c2ac485f70acb964eeb27ece96335e3d9ae |
| SHA256 | 5e25d7ce179ef1ed886a571f0e8b98d2cc5f2b9412cb7773617a74d25214057e |
| SHA512 | 6276b6eaf0a8bc3696636ca3dd3a18d8ec53d42eb6ea3c67e5e024ae932ee6f683e87e11746893cd15e272e6f2f6e68bb63454f964221329243b996ca5524435 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-28 09:03
Reported
2023-08-28 09:06
Platform
win10v2004-20230703-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
PurpleFox
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240620218.txt" | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\240620218.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | "C:\Users\Admin\AppData\Local\Temp\3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe" |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -auto |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -acsi |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul |
| C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1 |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" |
| C:\Users\Admin\AppData\Local\Temp\HD_3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe | C:\Users\Admin\AppData\Local\Temp\HD_3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe |
| C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240620218.txt",MainThread |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | 254.131.241.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/3848-4-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3848-7-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3848-8-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3848-6-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/4524-13-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4524-17-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4524-16-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/4524-23-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3848-21-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
memory/1388-29-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\240620218.txt
| MD5 | c273ba7459d59fa3ecccc80a5894500b |
| SHA1 | 33e52c2ac485f70acb964eeb27ece96335e3d9ae |
| SHA256 | 5e25d7ce179ef1ed886a571f0e8b98d2cc5f2b9412cb7773617a74d25214057e |
| SHA512 | 6276b6eaf0a8bc3696636ca3dd3a18d8ec53d42eb6ea3c67e5e024ae932ee6f683e87e11746893cd15e272e6f2f6e68bb63454f964221329243b996ca5524435 |
memory/1388-35-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\240620218.txt
| MD5 | c273ba7459d59fa3ecccc80a5894500b |
| SHA1 | 33e52c2ac485f70acb964eeb27ece96335e3d9ae |
| SHA256 | 5e25d7ce179ef1ed886a571f0e8b98d2cc5f2b9412cb7773617a74d25214057e |
| SHA512 | 6276b6eaf0a8bc3696636ca3dd3a18d8ec53d42eb6ea3c67e5e024ae932ee6f683e87e11746893cd15e272e6f2f6e68bb63454f964221329243b996ca5524435 |
\??\c:\windows\SysWOW64\240620218.txt
| MD5 | c273ba7459d59fa3ecccc80a5894500b |
| SHA1 | 33e52c2ac485f70acb964eeb27ece96335e3d9ae |
| SHA256 | 5e25d7ce179ef1ed886a571f0e8b98d2cc5f2b9412cb7773617a74d25214057e |
| SHA512 | 6276b6eaf0a8bc3696636ca3dd3a18d8ec53d42eb6ea3c67e5e024ae932ee6f683e87e11746893cd15e272e6f2f6e68bb63454f964221329243b996ca5524435 |
memory/1388-40-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe
| MD5 | ccb852904a2216c1d110d475009c5182 |
| SHA1 | 2319964fea08b7ff95e14aeb6614ebf25a18796c |
| SHA256 | 6e16f4691a0c3250c8fcce465827c4996611229c2e74abc40c280afc1582831c |
| SHA512 | ab946559c55cc3f90046cc85b02635cd7c3aa9fa137d905c8c621a0697f3f37774e45ff440430107245c5e3bebe167511d9156adb6ae538f87a00d8c8631cb1f |
C:\Users\Admin\AppData\Local\Temp\HD_3d6c55a41196e573a44153aaf6b3d8892fca5d633ff4db972c9a22413c191796.exe
| MD5 | ccb852904a2216c1d110d475009c5182 |
| SHA1 | 2319964fea08b7ff95e14aeb6614ebf25a18796c |
| SHA256 | 6e16f4691a0c3250c8fcce465827c4996611229c2e74abc40c280afc1582831c |
| SHA512 | ab946559c55cc3f90046cc85b02635cd7c3aa9fa137d905c8c621a0697f3f37774e45ff440430107245c5e3bebe167511d9156adb6ae538f87a00d8c8631cb1f |
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | cd1ddb651f6ca789eb274e31da5a76e6 |
| SHA1 | 23d22d976c55c7da5ac61585c599cea37a052778 |
| SHA256 | c7efc5e3fbc98f81f948f6edae820709029fc10dd4940b4d42bf5f44dfd6190f |
| SHA512 | 1d94154f4ceb0fc0134c884abb245f723103b56a5f100f2d762d7c4731fe159b7e3a7ec06fbdf0ff4baafb306abfa31e0c14a7926c5e4393cf952866662d4aad |
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
| SHA512 | 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641 |
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
| SHA512 | 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641 |
C:\Windows\SysWOW64\240620218.txt
| MD5 | c273ba7459d59fa3ecccc80a5894500b |
| SHA1 | 33e52c2ac485f70acb964eeb27ece96335e3d9ae |
| SHA256 | 5e25d7ce179ef1ed886a571f0e8b98d2cc5f2b9412cb7773617a74d25214057e |
| SHA512 | 6276b6eaf0a8bc3696636ca3dd3a18d8ec53d42eb6ea3c67e5e024ae932ee6f683e87e11746893cd15e272e6f2f6e68bb63454f964221329243b996ca5524435 |