gh0strat | 1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
Size

12.1MB
MD5

320a85f96d37a11e753425e694a27307
SHA1

c6c892b3993e384ca6747233bb6722350aa40ad3
SHA256

1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4
SHA512

717d072dc382abb00f12461f3e5b666936d6330dd1669df56987d5b73859fbd9b50959951a7f03005457b542cb49baa7fc52b9dbfbd01a39980385186ebcad0d
SSDEEP

196608:BKXbeO7yL9YE0SCI4rbECIwBbiL4c7NxIYaK+GutOHpDRw0nptlVOmpFEMSesg:S7yhYn/8Ch1vnGutMpDDnpnVVp6fesg

Score

10^/10

gh0strat purplefox evasion persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 8 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/1456-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1456-19-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1456-23-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2032-28-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2032-29-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2760-37-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2760-41-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2760-42-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 9 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240618546.txt	family_gh0strat
behavioral2/memory/1456-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1456-19-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1456-23-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2032-28-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2032-29-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2760-37-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2760-41-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2760-42-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Runner.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Runner.exe
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatfor.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatfor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Runner.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

R.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240618546.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatfor.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Runner.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Runner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Runner.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exeSynaptics.exe._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

Executes dropped EXE 11 IoCs

Processes:

R.exeN.exeTXPlatfor.exeTXPlatfor.exeHD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exeSynaptics.exeRemote Data.exe._cache_Synaptics.exeRunner.exebinding.exe

pid	process
4188	R.exe
1456	N.exe
2032	TXPlatfor.exe
2760	TXPlatfor.exe
3080	HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
4248	Synaptics.exe
1268	Remote Data.exe
648	._cache_Synaptics.exe
4552	Runner.exe
832	binding.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Runner.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine Runner.exe
Loads dropped DLL 8 IoCs

Processes:

R.exesvchost.exeRemote Data.exeSynaptics.exeRunner.exe

pid process

4188 R.exe
32 svchost.exe
1268 Remote Data.exe
4248 Synaptics.exe
4248 Synaptics.exe
4552 Runner.exe
4552 Runner.exe
4552 Runner.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	Runner.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1456-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1456-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1456-19-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1456-23-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2032-26-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2032-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2032-29-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2760-37-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2760-41-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2760-42-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

Drops file in System32 directory 6 IoCs

Processes:

R.exesvchost.exeN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\240618546.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe

Drops file in Program Files directory 1 IoCs

Processes:

1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Ver = "5bddd3f2"	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

Modifies registry class 38 IoCs

Processes:

Runner.exeHD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

312 PING.EXE
996 PING.EXE
2624 PING.EXE
1900 PING.EXE

pid	process
312	PING.EXE
996	PING.EXE
2624	PING.EXE
1900	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

pid	process
4372	1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
4372	1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatfor.exe

pid process

2760 TXPlatfor.exe

pid	process
2760	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

N.exeTXPlatfor.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1456	N.exe
Token: SeLoadDriverPrivilege	2760	TXPlatfor.exe
Token: 33	2760	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2760	TXPlatfor.exe
Token: 33	2760	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2760	TXPlatfor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

pid process

992 ._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

pid process

992 ._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

pid	process
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

pid	process
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe._cache_Synaptics.exeRunner.exebinding.exe

pid	process
4372	1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
4372	1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
648	._cache_Synaptics.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
4552	Runner.exe
4552	Runner.exe
4552	Runner.exe
4552	Runner.exe
4552	Runner.exe
4552	Runner.exe
4552	Runner.exe
4552	Runner.exe
4552	Runner.exe
4552	Runner.exe
4552	Runner.exe
4552	Runner.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
832	binding.exe
832	binding.exe
832	binding.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exeN.exeTXPlatfor.execmd.exeHD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exesvchost.exe._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exeSynaptics.exe

description	pid	process	target process
PID 4372 wrote to memory of 4188	4372	1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	R.exe
PID 4372 wrote to memory of 4188	4372	1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	R.exe
PID 4372 wrote to memory of 4188	4372	1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	R.exe
PID 4372 wrote to memory of 1456	4372	1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	N.exe
PID 4372 wrote to memory of 1456	4372	1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	N.exe
PID 4372 wrote to memory of 1456	4372	1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	N.exe
PID 1456 wrote to memory of 2076	1456	N.exe	cmd.exe
PID 1456 wrote to memory of 2076	1456	N.exe	cmd.exe
PID 1456 wrote to memory of 2076	1456	N.exe	cmd.exe
PID 2032 wrote to memory of 2760	2032	TXPlatfor.exe	TXPlatfor.exe
PID 2032 wrote to memory of 2760	2032	TXPlatfor.exe	TXPlatfor.exe
PID 2032 wrote to memory of 2760	2032	TXPlatfor.exe	TXPlatfor.exe
PID 2076 wrote to memory of 1900	2076	cmd.exe	PING.EXE
PID 2076 wrote to memory of 1900	2076	cmd.exe	PING.EXE
PID 2076 wrote to memory of 1900	2076	cmd.exe	PING.EXE
PID 4372 wrote to memory of 3080	4372	1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
PID 4372 wrote to memory of 3080	4372	1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
PID 4372 wrote to memory of 3080	4372	1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
PID 3080 wrote to memory of 992	3080	HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
PID 3080 wrote to memory of 992	3080	HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
PID 3080 wrote to memory of 992	3080	HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
PID 3080 wrote to memory of 4248	3080	HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	Synaptics.exe
PID 3080 wrote to memory of 4248	3080	HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	Synaptics.exe
PID 3080 wrote to memory of 4248	3080	HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	Synaptics.exe
PID 32 wrote to memory of 1268	32	svchost.exe	Remote Data.exe
PID 32 wrote to memory of 1268	32	svchost.exe	Remote Data.exe
PID 32 wrote to memory of 1268	32	svchost.exe	Remote Data.exe
PID 992 wrote to memory of 312	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	PING.EXE
PID 992 wrote to memory of 312	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	PING.EXE
PID 992 wrote to memory of 312	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	PING.EXE
PID 4248 wrote to memory of 648	4248	Synaptics.exe	._cache_Synaptics.exe
PID 4248 wrote to memory of 648	4248	Synaptics.exe	._cache_Synaptics.exe
PID 4248 wrote to memory of 648	4248	Synaptics.exe	._cache_Synaptics.exe
PID 992 wrote to memory of 4552	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	Runner.exe
PID 992 wrote to memory of 4552	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	Runner.exe
PID 992 wrote to memory of 4552	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	Runner.exe
PID 992 wrote to memory of 996	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	PING.EXE
PID 992 wrote to memory of 996	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	PING.EXE
PID 992 wrote to memory of 996	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	PING.EXE
PID 992 wrote to memory of 2624	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	PING.EXE
PID 992 wrote to memory of 2624	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	PING.EXE
PID 992 wrote to memory of 2624	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	PING.EXE
PID 992 wrote to memory of 832	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	binding.exe
PID 992 wrote to memory of 832	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	binding.exe
PID 992 wrote to memory of 832	992	._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe	binding.exe

C:\Users\Admin\AppData\Local\Temp\1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
"C:\Users\Admin\AppData\Local\Temp\1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372

C:\Users\Admin\AppData\Local\Temp\R.exe
C:\Users\Admin\AppData\Local\Temp\\R.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4188

C:\Users\Admin\AppData\Local\Temp\N.exe
C:\Users\Admin\AppData\Local\Temp\\N.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:1900

C:\Users\Admin\AppData\Local\Temp\HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
C:\Users\Admin\AppData\Local\Temp\HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3080

C:\Users\Admin\AppData\Local\Temp\._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" www.baidu.com -n 2
4⤵
- Runs ping.exe
PID:312

C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe
--host_id 3 --verify_key vYHZqQ3SIask --product "C:\Users\Admin\AppData\Local\Temp\._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe" --version 2014.05.17762
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4552

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" www.baidu.com -n 2
4⤵
- Runs ping.exe
PID:996

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" www.baidu.com -n 2
4⤵
- Runs ping.exe
PID:2624

C:\Users\Admin\AppData\Roaming\MyMacro\binding.exe
C:\Users\Admin\AppData\Roaming\MyMacro\binding.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:832

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4248

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:648

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:1740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\SysWOW64\Remote Data.exe
"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240618546.txt",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\boost_interprocess\FN3XWUYEH_wo
Filesize
256KB

MD5
b5e95864a0d7730ba40033fbb363f4ba

SHA1
faac69c38f8c81e194cfc746f09ff7369d4a80b1

SHA256
7d1a9f1d9c67dcc13b578e580923084de4f9b1fbf198c3831ae5d75ca2646390

SHA512
5d0fe0de849dbe9082735536143c68528ab5a0eb0a68e36b8e1e0de7eba76e9fd069267255bd0b46978853849f35af7784091f67f074dff210b2b1c187005a34

Download Submit
C:\ProgramData\boost_interprocess\LGjWfBd9GSVM
Filesize
2KB

MD5
047ae827533dcd3012632e48710ab35d

SHA1
6b3762d3c1de0c49595e821e6c56c57548c4d486

SHA256
f234032811b32c7e813a1b5e927272c6c38a59043df00f96c0d658c2790239d9

SHA512
b3529c632e889599fc1aeb47e44b3d5562860155049e8b00452500462a7402cbb95980f06722e65eb8f3b407af753f735b97ce9a55c97ffd79cae5f3918a3146

Download Submit
C:\ProgramData\boost_interprocess\fXtMZTpJVNy
Filesize
258B

MD5
17a93938e043a10eb4b4fbbd2d4e14a3

SHA1
e8ca09e21eceedca6e5b0f720a3248e448e757b8

SHA256
8ed4fc50ba0d7c89bc1067dda0cf5dcbd98176725c9447ab2ae6d369b3d88c75

SHA512
165c1c0a553c4e63df0ded44fa844a1ba308d4c0f47786ecac0f6c532c3e80a7df5b573a004e8c90255123c622ad2cd229cd53edc97e6bda387ab002e620504b

Download Submit
C:\ProgramData\boost_interprocess\fXtMZTpJVNyO
Filesize
256KB

MD5
9c2af634a1c559353d0e082d65a35c33

SHA1
06c5126cddfd4969d8f800c5480f1d04f9ca597d

SHA256
b86599be21ac5ef3bae882304b4546f0819482acb83ff071119a2d59567cbf85

SHA512
aa95ceddd9d2723491bc57e4838a3d0685bf25eb93aa4beb553365903adf80188ecbe9fb53d6cac36e43defc70cb0daeffd7a518dca9b00794df3485b3123821

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
Filesize
8.9MB

MD5
b36e16fa438970508f45003f96db3fad

SHA1
7c603bf2a00da0873eaa28306a0242dfdb2ff6b6

SHA256
22ac8239eb13919b2df924d2fd401a0f680aa04344fb1d736529d7459ef871c7

SHA512
bca069aa983df6924f1f2a9f21bc7644d5c0540af521f34d5a8eabdc1ea78f85a5188ca7794a2ae3bfce9734bbe7b8c15cead12d91e4c52cef3ef4337c041623

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
Filesize
9.7MB

MD5
1ecb6542eeece9094ae447f5ad6a9323

SHA1
e91a40252e966f1defe12e5483de56ca0867c19e

SHA256
a653a6264fc3618cb11792861e56703a268b6873033ad777d4f708ad73471b94

SHA512
11135e11fc6c53b87e3eef6b1bf47c75506c8f1617f3146c64c94cbd27e54568a5081b4d87aab806329864c330fc49c3d950055ecf5aa8e932c17858883aa2b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
2.5MB

MD5
acec13aa01bc10d2ca43979c01aa1a72

SHA1
da28ccda34fd599f50a72ee3efd7c4e8a63c1579

SHA256
142abca126fc1ba2c7f3633872a28828a4042107f6145a158a7eab99238d24bb

SHA512
7f2d24fa49703f97a1a6ea0d80cef14aba2bb095358bf836ceb95477954110711157fef7afda97eaef5922e33b19ba7937847165304bedac410cff5f8def67e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMLog\20240524.log
Filesize
324B

MD5
5711102c5e34d737b614deafa021c158

SHA1
f639c2640b50df864edafb88e63bac5a635dacc3

SHA256
89d9628f134f7945227c489db38ef9ad470b202c70ef42dec9e0139f34875a60

SHA512
45008cf6196677367e4b86aa7d51625893b618b3d070082357f47ff8b0e45304372b26a60d5de4dee32b3c8cb613c1064f4d018955bdcb71521cfb7dcab99c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.exe
Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mac9B36.tmp
Filesize
358B

MD5
14739f7d86ebc59524d1f379b32397f0

SHA1
884acc0579970c637f02370b5fafabdbb4c1c1cf

SHA256
1f4978fd9ab8cdbafb5f8457b97b0feb4217d19d9fea49af9caa6bd46b58f9f1

SHA512
f2e7650ecce616ab0fac4c832f67322f78021cbe2e4a08d117f9a2c2aefc0d31114914570bb5a36a077d62e1b29f67fb5e2e25ec05bc231ed62955d8de4c4e52

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe
Filesize
7.2MB

MD5
bf194c1f69ea179613a00c300a537fd6

SHA1
d88ca448d3cb748f0bb8488cf2779adafb19170c

SHA256
774dd36da750db779d107b39e7f6f6f4c6f0766b2722d8d234971639d6e16fbf

SHA512
59e2ef379bafe0a4bc62bcf299776f1a837e0e86ef42651cd8c309a13e4a3d434a7cd4f844bb7346669a84a8d905b44e5ab9da9de557d11ef6e74210306039c4

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\binding.exe
Filesize
1.7MB

MD5
6abd36f782e36bcf9e90a3230d6ca97f

SHA1
3c3d5760a8db6c66f4c5b8c31cbf2613a8a7d6b9

SHA256
13652dae4ec58de8a20da51c7455f34144554b91d25ac1c72bec9cbe361ca752

SHA512
05463e3c0028e8e39787465e4529ad22c9c64c2a29701c4673f983b50852573aa3c197c2307fdf58d9ab514cca06f058cc17a8b53d28e76957792be7ac1acce6

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\cfgdll.dll
Filesize
59KB

MD5
b35416c2b3e818894df95608b76934f7

SHA1
bbdd1c0f49e9ce54e9312f5edfead76d343c21cf

SHA256
8147481d1c93da5ce5de7ff7a72a45756d45ea1f27d27bb8c9944642f42549a3

SHA512
92382562761b36b4ed2ec0bba832c66c8f720e190630596ff830a047a498889e7a0f3628d1a3ffac066b06ccd8c2d3840e82b4304b636e1b1ee434910c6f0bdf

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\qdisp.dll
Filesize
303KB

MD5
014c01cd6522778e1e15be0e696dfe0c

SHA1
c908376fcc4525ec5c4b35d289ef1361ea5cb2d9

SHA256
259eaf1ddc9bf610d11a22413853b3d4386fc5a8412c6e602c74eb43f1a32d46

SHA512
3b8d040b4a6e879ecf3bafba336b2fc8d793d4f6931902faf87e8f64faf6eca7f1f21485794cffe16c7d0ea907b9f6db93df0b4bae8cb3684733e95608523fd9

Download Submit
C:\Users\Admin\Desktop\OptimizeSync.exe
Filesize
9.7MB

MD5
e983ade495b9b4de9ca4f93db8f602a3

SHA1
205dc219ccc1ffeeaa224ad2bc547be05d687df6

SHA256
e7d66976aac6a906480943d56c054c646b684ed00b27360b5bf2d6529862dff2

SHA512
754933b2eb771947f0c5c3851de0b6622a4338617cecc8b5e9635739ef8617a5e6248eb557170cb062092fcda75d83e2ff68ec0ebcbb5cc965a1446447be4f84

Download Submit
C:\Users\Admin\Desktop\OptimizeSync.exe
Filesize
9.7MB

MD5
1dfa94274ae29641ad6b26a7b3d8f3f3

SHA1
ebf2045e677ebe1f73e0746fb392f339bef08c20

SHA256
db7aea569ce04d3b28c7cd2039f54e893112cbc0471dc51340e84d91428514dd

SHA512
3423e8483124e326afbce65dc68ffc95415b74c80a4f26a2a2f02638e44ba134377a4a0b1c9cf58348989be725df06784f047d1e85e597723c162147643231c1

Download Submit
C:\Users\Admin\Desktop\OptimizeSync.exe
Filesize
12.1MB

MD5
af6c3077f1871c65149b886ab688a806

SHA1
662ab7b0355a03fdf9ff438f24625ff15c0d2e6c

SHA256
745a326d355e411db661953eeae6ba7b5557f41b744295a7348d574f5c352ada

SHA512
cefe245bbed46c7baaac7150813dac826ba6bfb094780da3ef41011ceaa277c3009643437ed26501c24e7caeea0edf356f5cc06f65b7a35f4b384485239ac246

Download Submit
C:\Windows\SysWOW64\240618546.txt
Filesize
899KB

MD5
9e1d97f2afa28a34ee6776f5974192e4

SHA1
a2ba1ae20079a7e6b5fe61e1e3a7f0b092799bd6

SHA256
91c160408144ae6cdaff8f7a2a5060dc7c9c6d1123e448c6becdbee309ee1d36

SHA512
c5b8f7d07e22d46a29db600a9a2af4ed9fd16d87cdd9c7b9c7e05f1da08092049861c7a6844dd6051e80f280bda4b23d2a4d0c72095d0dd1752bf3621da9b61e

Download Submit
C:\Windows\SysWOW64\Remote Data.exe
Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/1456-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1456-19-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1456-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1456-23-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2032-29-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2032-28-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2032-26-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2760-37-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2760-42-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2760-41-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3080-203-0x0000000000400000-0x0000000000DB0000-memory.dmp

Filesize
9.7MB

Download
memory/4248-352-0x0000000000400000-0x0000000000DB0000-memory.dmp

Filesize
9.7MB

Download
memory/4248-407-0x0000000000400000-0x0000000000DB0000-memory.dmp

Filesize
9.7MB

Download
memory/4552-327-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-370-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-372-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-369-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-380-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-382-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-393-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-353-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-408-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-413-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-415-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-420-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-422-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-427-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-429-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/4552-434-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download