Malware Analysis Report

2025-01-02 15:25

Sample ID 240524-qx34wafh5v
Target a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3
SHA256 a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3
Tags
gh0strat purplefox persistence rat rootkit trojan upx discovery evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3

Threat Level: Known bad

The file a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx discovery evasion spyware stealer

Detect PurpleFox Rootkit

Gh0strat

Gh0st RAT payload

PurpleFox

Sets DLL path for service in the registry

Sets service image path in registry

Drops file in Drivers directory

UPX packed file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks whether UAC is enabled

Checks installed software on the system

Checks system information in the registry

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Runs ping.exe

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

Enumerates system info in registry

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-24 13:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 13:39

Reported

2024-05-24 13:41

Platform

win7-20240419-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259400240.txt" C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Windows\SysWOW64\259400240.txt C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
File created C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000b42dd9e289aed289be0eb406d3880d5af77f556d5a2bfa67e4192ac6352fb6c0000000000e80000000020000200000001cd11ae9bf587b5c3e93ad160e0c03e2bc77d28ab707aee9c6049242d82676279000000058e9de7a7d332a6e414c23d8d0e77ebb7ef2a25ab381d517bc4a1b6476b3d8ac0491ae9f2e1b22a674d2264a93e1f293f648a79829471640643357ae5d5e14fa89d1e634e986f30785710d5ba9a493158e993c3aa8a2c0777f11cc16353f7f457c8c47355d0204966d46624cb818ada0ba0673f4bbf25fa6f5a26fcd0c104ed3126cf8ee59d5aa65f60498aeb9f7e98440000000f47915126f578ca8f468ee7ac24c7a12aee420bc95f5bd433141498ff9ed2d9de188948e708e2f970dccafea56efc3c256922e5aa83a4baef445e04e4a657de7 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000b30b9a27ed320e85a8cc689078a4b6eb3817c8da454f27cbe6819259d434765c000000000e80000000020000200000008795aa7522ec6e00664063497849cdd508b9fc406617f95069ea5ee3f4af7dbd20000000b4ffab34e9417ccb6a2042c18f8274a9eaa9fd36c2b84ad8eaf9c5ecfb9e5ee640000000acbb6734c951d208d63950d108ce7604f7530337f0da2dc12680136b2db871c4f8d572e0dcf745de870a918ae8c401d9e9bc6ff1f6edde64d5ce1617e8c77be3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0B00D321-19D3-11EF-BB79-CEAF39A3A1A9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 909881e1dfadda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422719836" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob value not reproduced in this report] C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2368 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2368 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2368 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2368 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2368 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2368 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2404 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe
PID 2368 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe
PID 2368 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe
PID 2368 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe
PID 2160 wrote to memory of 2696 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2160 wrote to memory of 2696 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2160 wrote to memory of 2696 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2160 wrote to memory of 2696 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2160 wrote to memory of 2696 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2160 wrote to memory of 2696 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2160 wrote to memory of 2696 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2744 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2744 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2744 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2744 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2368 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
PID 2368 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
PID 2368 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
PID 2368 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe
PID 2652 wrote to memory of 340 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2652 wrote to memory of 340 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2652 wrote to memory of 340 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2652 wrote to memory of 340 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 1860 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1860 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1860 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1860 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2208 wrote to memory of 1508 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2208 wrote to memory of 1508 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2208 wrote to memory of 1508 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2208 wrote to memory of 1508 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe

"C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Users\Admin\AppData\Local\Temp\\svchos.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe

C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259400240.txt",MainThread

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://support.qq.com/products/285647/faqs/88645

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 note.youdao.com udp
US 163.181.154.235:443 note.youdao.com tcp
US 8.8.8.8:53 support.qq.com udp
US 8.8.8.8:53 support.qq.com udp
HK 43.135.106.244:443 support.qq.com tcp
HK 43.135.106.244:443 support.qq.com tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
US 8.8.8.8:53 ocsp.digicert.cn udp
GB 163.181.57.163:80 ocsp.digicert.cn tcp
GB 163.181.57.163:80 ocsp.digicert.cn tcp
US 8.8.8.8:53 txc.gtimg.com udp
NL 43.152.42.60:443 txc.gtimg.com tcp
NL 43.152.42.60:443 txc.gtimg.com tcp
NL 43.152.42.60:443 txc.gtimg.com tcp
NL 43.152.42.60:443 txc.gtimg.com tcp
NL 43.152.42.60:443 txc.gtimg.com tcp
NL 43.152.42.60:443 txc.gtimg.com tcp
NL 43.152.42.60:443 txc.gtimg.com tcp
NL 43.152.42.60:443 txc.gtimg.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 a4329177954d4104005bce3020e5ef59
SHA1 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

memory/2404-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2404-9-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2404-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2404-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2160-22-0x0000000010000000-0x00000000101B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\svchos.exe

MD5 3b377ad877a942ec9f60ea285f7119a2
SHA1 60b23987b20d913982f723ab375eef50fafa6c70
SHA256 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512 af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

memory/2160-31-0x0000000010000000-0x00000000101B6000-memory.dmp

\Windows\SysWOW64\259400240.txt

MD5 c77d91c4d1c48d939191514dd1297856
SHA1 2e2235ddeb2993d02facad20f299aab72c2c23aa
SHA256 d0729244d3eea8d7e644b5bb67d6faee63aed403aa8b6dfc3a4222d34ab664c6
SHA512 eec0fee413328a9de8c20e3dd22520bd6a20a8251f781c74aa00e8b93d29bcd003f518c38a1ffd1498a031d481ff5b1c39eb6980a6e2b64b263533c766bb5001

memory/2696-35-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2696-39-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2696-40-0x0000000010000000-0x00000000101B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe

MD5 99348b730b90c4f4ef8500b14f655a22
SHA1 7bfe3779376671fc878c84ab079d8469d32849f0
SHA256 879455b926f644616b0b5241d3516cf6b9744c2557ae211920ca0407ea7492f2
SHA512 041ecfa94e0b47e23d08f2fc27440fb74272b6eaaf250e2be2aae53dfd6c463bfb0552da4afda0a99b9d4ca95b3b2dda55f8ed4cf16e5595822b0700c01efc75

memory/1860-52-0x0000000010000000-0x0000000010116000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 6e63c6b990dce1307432d21aa52ec946
SHA1 3c14653ed90f7201e7acd329a31a4050aae01998
SHA256 21d91ffeea7893738543006d409964139aae06428e7ccae1e73555ff4c81f44e
SHA512 989e55bc8ef4f05f945ebe44db3a9701a195d1ba35c2cdf848ab1205d61fc4035593bd753377cd2f4125f7801276520accb297e633cd32d1cd1faceb6e9130d4

\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

MD5 8ce0395e9e3926280ee3723add4a3b2a
SHA1 46e99ac5095e1801ee4b2071be3c9a733edb7ca7
SHA256 918fc73d5b75e00ea0ce4fa29195db423effa5177068ace9b7c13c9673c09ede
SHA512 e70306b4065d51004d70258bb9e042f82c14b3a314b8a3afde7eb344c3a7bd171c54f9aa73f24e84d30295642e61c1e9d9a1fa0040ecbcb38a2dc4f2564c1a90

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\favicon[1].ico

MD5 58542960a51a1d97446b524f7d53015c
SHA1 fd26cecc488203120ce8215961bf4e6ac1d65ad3
SHA256 106fde347539d8e7c82eed9d38e0b536b2185a8424f356c3da93e1b72ed3dfb6
SHA512 a7057661bdf4b3d68f4d83f4d245ce30a11ca4c500509a6240867b9e7cde9eaaaef3d1324f12c2cb6b81b5b739bd4a615fceb6c476907565b69fb7026cf59ccb

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wi962z5\imagestore.dat

MD5 86b3b2c544262e24bcd3630e3c005c43
SHA1 59c88ff84d5613913de2b9a2c970cbfd31ac5060
SHA256 2a4199fc574f0e4d775da2e95c6d5e72592a3656e1aac48a0287c08494d42417
SHA512 c9ab3bfc57d2f17bb471b16b971e27d6ea65c296bbb4f58d32a14ba23201db4fadea7a7f0c0eb5127cf7f23aa839878193498dec1690f954ae11bce9790d3e40

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 979f96a16ec063060b9cddd79cc8dc13
SHA1 79d606966876b2df1b39ef6e6f646dd03a69b39c
SHA256 1a3fc384096b375160e3796b47818db1d61115ee5f12008e56df1d46b20e6d7b
SHA512 82d873bc34002d5b1a6110594511ff0a91a61c383393b600653f3c16123360bca222208d06461c1b082f37883b8721a952358ee6fcee12d94ee36238ace95c7e

C:\Users\Admin\AppData\Local\Temp\Tar5F52.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\Cab5F51.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cab331282c6f70fefdd12242a9ea9b97
SHA1 ca3ea131e64eaf111d5981a436cc3653b61c4b58
SHA256 c54697084b210c2a560cc959a9b32e2c28ad469b3444c5dd64bc0cb16b6ab37b
SHA512 9befbf19f77a8df62eb5c9193f8b75ffd5c5af9185c21207f48500078dedd8aade02c11df5a5c64dae2eff5f20f929161c335e7f73ee880b6d95cc458d3f750b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9030438b7fad91f505c731b6ced4a916
SHA1 48bfade6a1026d9cb374c0a1696726e64a0374e7
SHA256 7b941ee16824213d8fbf78da1a0309d7df9e96e069b5c55cec7f8d484cf01390
SHA512 f434a4b25aecf1ee4b85894d2e56ddba19fc620784b03bf144ef263ad1fe55a11c389dd431928b597215e98d6a1686c2575755c43f93302ecda8a701652ef0d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 519b30799d50ab85130a49ac49c6902b
SHA1 e24dffea26406ec3de3a1df67d7d7ff9b88ac4f3
SHA256 081ee02bc98fd6521bcc04d6fc1ef61952b25899b5de278bb507ed4c0765046a
SHA512 ce5675c68ab98bda935f663ed9d5b1d62ba74fc1581c9ce4b60e6f287ca05cd3b76ed5ca761f482f278a35d9fee2fad3284c723a5254b44c63035eff81a8735a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5695a4977d935f9a72bcef0e44d48535
SHA1 dc91de9d707919b76a75dba013cec20dbb20b12c
SHA256 b73ea50f7017fa34dfe8643eb5f99ec087e2615cb37c4af8ebdc55f69bca4011
SHA512 4b62dce8069a0929635d757819f766fe76ac1fadcc9ac2179f6d0884be69513da706fa0b69b22a9b853068258b5beb01113aee3c01bd0e00d6c113f562e98021

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e182a13852f9b74551a11dad9716e4c0
SHA1 ee48f6385456a8d632528d7352b0d8719a878778
SHA256 90de5777fb73975d9f82686762a752dbd19ad062c224b570855a245c78cd6b3f
SHA512 40e1d8c7f021119b5a51f3839b1a57b657ae1f784b7eb30bbc5c486ec9d64cc6e435c1752ed62d353270d7c15ff827950c714b3c6dbcc8dc414c967d3515133f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a69261ad215f4ff84efb8e2128e635e
SHA1 e6851fff5eea47785cab20dd3e3ad75cde102fad
SHA256 d08194c6e671cfbd77a0bcbadd91d6face5604bab2b0efdd76f0340b1fa5c89c
SHA512 e13cc784048eedd97147549fa29405c28ded7870b5608bf879739e93960cabc7d74b193893807adef6d44343225803de85aea44aa494e2caafb4767970bd3cc8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00f4bb816ae77792529f841f4e608ff0
SHA1 16ee6c344a4baf5bdb4f67f303f6f41466e5216a
SHA256 d760ac3920b8a31ee8e52939385b8bb19bcbf7251f6bf8bf9ff037327e2c4bb8
SHA512 6938025947c45a5423327a961732dd0a0e8b93ae5ed7828cde3e27d1b49c72205d23dc37d6849ffbb8e04d4ac5612e9898da54ca2d6e7797e9a4d2a3fffe0642

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fce0317b3170466daa8f6efe541b8b5b
SHA1 6f706f74c283bb393741bef02b8d74b928e0b8f4
SHA256 232ef0d60f39c53ef0278695e4ee814a209570f5e45cb153b9f1e32e9f740061
SHA512 a293205a172ae34df928fbe237b6f238ea9fab663687764d3cc7803348f57b5831584eb3c6f4b1cce48173fdfc04c2588189d03c7e90fdb931618d4eb37fe65f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66542cc293c5eb8f7087bf0a503f1d9a
SHA1 abe474d74ffe8650fbf386247b477e58c3569603
SHA256 67f42d976fee677bd3c92ae6e72f7ab8e53440fb7152e1f94f74157197ea2438
SHA512 406a895586ef31c56c6e525c6dfd9f77b6530b8809b5b5f6d3a1ef8bb4d2d46744d4b6cad59d0d8afba892f89bf14bfd31f5663b428cf51d22c2e77df7a6e1bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64e5d1fd6d4cd54fd9c6981d2ed1e9d0
SHA1 ac9712956b00e84251007602a1b7ef2fff251480
SHA256 bbe9b5c2c11fb030d3cb6912ebc22c967a1fd98ad6f3854b37fbf8ecfece2290
SHA512 1c6eff3e3a84816f705031ed4e360b3f8ac84d30cf7f50e5a8d03dd1c513b0e9918ddd2f3a569d646d6e087116b90a7aa545d5a9698d345d78f9b39ed5e3c485

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 fe8ec41916ec52bcc04f49e4d50fda64
SHA1 5be9bf9bc6f3ee7e8f7b2481500753135474aaed
SHA256 2fe1eafb733703e71d032213d158f4e1fa7131a1b590d43981ecc2610162ae94
SHA512 aa19c0952c5f8630355d4b622633c92d571ef526803db093d5a843bab49db7f23d6440fa1cfdb63265d3b2c878bd371058e25a7d355423e2ef9c5e36c8be983d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0cdd7eac80d2de42b407a797b5db18b
SHA1 2285759f8df3bff421639e99dd960beb82ae291f
SHA256 463447c8b8108e277e6087ad706b9e511e90b36c1352d4df155e192e37a0d7b7
SHA512 c35afc3c2a1bda98e7d6f80ccf731997f8543deeaa54eca85d9903e5c48842ec387d9b9a70ffad0865ec24466f4850947f0aee5ed687d6317ec5464ff441ae6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c36058200a5792065671449fc8f1a519
SHA1 a62cffa81d295d5b32fdefa6d1901df3dfb3a5f0
SHA256 2a45f3f05563c674f48b934705e3b57acf9108b300a7f9e369feb210510b8a71
SHA512 249b685f8e1463bf677cd9ae0969f12ee52267ac73fcbbab2268826beb71e6665579ae387525578899ced3687333b3912531d155bde7295880ed96a4ae20bd81

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 81e75c6b66b71d2920b85db4e37b3041
SHA1 b72c6eaa426b5f3d789562093cf1fbfc41aeb13d
SHA256 cec68f396fb12313003a358931ad594922ca8487c5438614ad7e7895a8fe5a45
SHA512 a9b684325c11bca54cd5863535ecc951b774bb212658c591b0491b3de1c0be51ad62bb25161859fcfbe039e0d117896c67b9023fb6a8e6c3d88e666c0704c02d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f7ff39961c9f0e376a89ed82a80f617
SHA1 6dee18dea766caf3247c59e0065beebf656b0b57
SHA256 f4ee51ca313604d0d93d759cbd57d3c7ece5dc16b4a39cdd83eb0b63931bc600
SHA512 fd586e9b36e323ef818a2fd94c14690943f7ffeccf2d5a9908a7a2e8ab6ed2e19ed70e5042700bd633cbacad58c67cb1ef66508f42cde4af9eb8711e6bf8ba81

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 21c1cda86fa18eca05adb7af960a6fde
SHA1 0f76c32600cb3022a0f4136b750009af37c017d5
SHA256 77e73c360a2bdeefbb33fe14248d8c7d4ad46c01e584560e0d0f8aa78db222be
SHA512 699b53f14dc74a79c1b1c205c86cca3a1b5296c4da3d31e1b432b12f688438490538ddcff650d445f999dc4d57b88e568fd07ea9eb5e2c656eeeb18f543ff754

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 812dcc3305429901cd04fd50c99a1f7b
SHA1 aaa8419baa6d9853daffb6d66cd9e592cb4af2c2
SHA256 3081072729eca9b8d7377f59c8cfa21f0d3ec1372a25ec6d77a810fd504c493c
SHA512 6895a0e2f3b582201803c0395cb9c615fb5ef6359291c079fdde46346b582fec3461dc7faae4e67ae5a35595fa6b2ef7c809db0748ba93999d4e1d0664743c5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5446754500b03a2a685c074d5a15440
SHA1 37e95fe921a95f604524c1b7d8742662987b21cf
SHA256 1a36c6990b0bf24444604bf5b2042175da1bed07e7c1d8f5a91b154231d246a5
SHA512 f370b496a6f2b82e24d6d93c7054435598831c0ca2d933986bf0c09674ff6824337e7fc905b40dbf7db0b8a2602daab8b19b2157e0ba9b395dd24772e734e8bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 642d0c2889f532c38c9aac91a3bbaaad
SHA1 5366fed272a5048f8d1f130ef6351d268dfa5f7f
SHA256 fab02c73db95345373c6528650217d9779a435ee7bc0396baecca8f485e10365
SHA512 eac41123ba7577c1803b5e0f09ca1ec268f91de4752554a11b72815d643a4def71c49c055531dcf1b2b5c9ae59908e402a498eecc68202dcba6bd280037c7f91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d698c9c3c2010f533d893e0b24a4f40a
SHA1 81cdb7223d3c6ee9c90106cf87835b9e540140d1
SHA256 39a1535798f7a166a122dc3deefa5718cd477b5f0cfa02a7cdbbc2adf0c08b49
SHA512 bbb2260e5b5c094d41fb83ed64d938314543344359244738a61dccbff9f12c65d74c81f5c5422f126d69032a491227ed3bc5865cab111b2b753a4ffbd381b69d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc3fdf17a32a5928c872cb8a0a7297a2
SHA1 3e01bba9ba14fa812f3cb31eb72591e8636488ca
SHA256 79e78d1ca0abb8aa85975c3a21fd0854eb5c0ea3a38768c4e1d02324c013bb5c
SHA512 22801c2d37cd4594f583d0fe0561ce0583ae691e6fe5cde52257c93fe159b882b797bd470125871c21fe88a3e9ff22d54d43dbb848ffb685912e76c346f5d349

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54791adaefe3e2f900d297287d771213
SHA1 db8571cac7221eed731b63fe7313b8df4def964c
SHA256 f739eec1304a329a09d6c76f069d3eef87bff64cdf038ff5b3fe42b2d744fee3
SHA512 4b108b688ba4ed35010018d8c7478df9d99dfa3ce740688676107012348bac63c9ab26335faf0f1d6d8034e2a7f7637464a50ef42a81de22ab1af95e71850111

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 13:39

Reported

2024-05-24 13:41

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A (11 matches, no indicator detail recorded)
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A (12 matches, no indicator detail recorded)
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240596625.txt" C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A
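
The two persistence rows above are the core of the chain this sample builds: a Windows service whose ServiceDll is a file with a .txt extension under system32 (240596625.txt, which the report's process list shows being hosted by svchost.exe -k and invoked with the rundll32-style argument "c:\windows\system32\240596625.txt",MainThread), and a kernel driver service QAssist registered by TXPlatforn.exe. The service name Ö÷¶¯·ÀÓù·þÎñÄ£¿é is GBK-encoded Chinese that the sandbox rendered as Latin-1; it decodes to 主动防御服务模块 ("Active Defense Service Module"). The script below is an added example, not code from the report or from the sandbox: it parses registry rows in the report's "Set value" format, flags ServiceDll values that are not .dll files, ImagePath values that register a .sys driver, and Services-key writes by any process other than services.exe (an assumption: on a live host the Service Control Manager performs those writes), and recovers the GBK name. The Spooler row is a constructed benign control, not taken from the report.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Registry "Set value" rows in the format of this report's signature tables.
# The first two are the ServiceDll and ImagePath rows from the behavioral2
# persistence signatures; the third is a constructed benign row for the
# Spooler service so the control case is visible (not taken from the report).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240596625.txt" C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\ImagePath = "%SystemRoot%\\System32\\spoolsv.exe" C:\Windows\System32\services.exe N/A',
]

ROW_RE = re.compile(
    r'^Set value \(\w+\) '
    r'\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Services\\'
    r'(?P<service>[^\\]+)\\(?:Parameters\\)?(?P<value>ServiceDll|ImagePath)'
    r' = "(?P<data>[^"]*)" (?P<process>.+?) (?P<target>\S+)$'
)

# Assumption: on a live host the Service Control Manager (services.exe) is the
# process that writes under the Services key; anything else is worth a look.
EXPECTED_WRITERS = {"services.exe"}


def decode_gbk_mojibake(name: str) -> Optional[str]:
    """Undo the Latin-1 rendering of GBK bytes that the sandbox applied to the
    service name. Returns the recovered string, or None if the bytes are not
    valid GBK. Plain ASCII names decode to themselves."""
    try:
        return name.encode("latin-1").decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None


def analyze_rows(rows):
    """Return one finding per suspicious Services-key write:
    {"service": ..., "value": ..., "data": ..., "reasons": [...]}."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        service, value = m["service"], m["value"]
        data = m["data"].replace("\\\\", "\\")  # the table shows escaped backslashes
        writer = PureWindowsPath(m["process"])
        reasons = []
        if value == "ServiceDll" and PureWindowsPath(data).suffix.lower() != ".dll":
            reasons.append(f"ServiceDll points at a non-DLL file: {data}")
        if value == "ImagePath" and PureWindowsPath(data).suffix.lower() == ".sys":
            reasons.append(f"ImagePath registers a kernel driver: {data}")
        if writer.name.lower() not in EXPECTED_WRITERS:
            reasons.append(f"Services key written by {writer.name}, not the SCM")
        if not service.isascii():
            decoded = decode_gbk_mojibake(service)
            reasons.append(f"non-ASCII service name; GBK reading: {decoded}")
        if reasons:
            findings.append({"service": service, "value": value,
                             "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_rows(SAMPLE_ROWS):
        print(f"[{f['value']}] {f['service']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run as a script it prints the two malicious rows with their reasons and stays silent on the Spooler control. On a live host the extension tests can be applied directly by walking HKLM\SYSTEM\CurrentControlSet\Services; the writer test needs process-attributed registry telemetry such as Sysmon event ID 13 (registry value set).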

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A (row repeated 8 times)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe N/A
N/A N/A C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A (row repeated 13 times)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (13 matches, no indicator detail recorded)

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Windows\SysWOW64\240596625.txt C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
File created C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A (row repeated 25 times)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A (row repeated 24 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe (row repeated 3 times)
PID 2100 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe (row repeated 3 times)
PID 1240 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe (row repeated 3 times)
PID 1664 wrote to memory of 664 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe (row repeated 3 times)
PID 64 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (row repeated 3 times)
PID 1240 wrote to memory of 5872 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe (row repeated 3 times)
PID 712 wrote to memory of 5680 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (row repeated 3 times)
PID 5872 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (row repeated 3 times)
PID 3960 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe (row repeated 3 times)
PID 3992 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe (row repeated 3 times)
PID 3960 wrote to memory of 2820 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe (row repeated 3 times)
PID 1364 wrote to memory of 5252 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe (row repeated 3 times)
PID 3960 wrote to memory of 5372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (row repeated 2 times)
PID 5372 wrote to memory of 5160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (row repeated 2 times)
PID 4428 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (row repeated 3 times)
PID 5372 wrote to memory of 1584 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (row repeated 21 times)

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
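
The WriteProcessMemory rows above are how the sandbox records one process creating another (CreateProcess writes the new process's startup parameters into it, which is why each parent/child pair is logged more than once), so they can be rebuilt into a process tree. The script below is an added example, not part of the report or the sandbox: it collapses the repeated rows, prints one chain per leaf process, and applies two masquerading checks, a system-binary name running outside System32 or SysWOW64 (the Temp\svchost.exe copies) and a name one edit away from a system binary (svchos.exe). The embedded rows are a subset of the table above in the sandbox's one-row-per-call form; the list of system binary names, the two system directories and the edit-distance threshold are my assumptions.

```python
import re
from pathlib import PureWindowsPath

# "Suspicious use of WriteProcessMemory" rows in the format of this report's
# behavioral2 signature table (subset; duplicates kept on purpose, the sandbox
# logs one row per WriteProcessMemory call).
WPM_ROWS = [
    r"PID 1240 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe",
    r"PID 1240 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe",
    r"PID 2100 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 1240 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe",
    r"PID 1664 wrote to memory of 664 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe",
    r"PID 64 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE",
    r"PID 1240 wrote to memory of 5872 N/A C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe",
    r"PID 712 wrote to memory of 5680 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe",
    r"PID 5872 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    r"PID 3960 wrote to memory of 3992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe",
]

# Both paths start with a drive letter, so the lazy parent match stops at the
# first " C:\" even when a path contains spaces ("Program Files (x86)").
ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A "
    r"(?P<parent>[A-Z]:\\.*?) (?P<child>[A-Z]:\\.*)$"
)

# Assumptions for the masquerading checks: where genuine copies of these
# binaries live, and which names are worth comparing against.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "cmd.exe", "ping.exe", "rundll32.exe",
                "services.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


def build_tree(rows):
    """pid -> image path and pid -> parent pid, with duplicate rows collapsed."""
    images, parent_of = {}, {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        ppid, pid = int(m["ppid"]), int(m["pid"])
        images.setdefault(ppid, m["parent"])
        images.setdefault(pid, m["child"])
        parent_of.setdefault(pid, ppid)
    return images, parent_of


def chains(images, parent_of):
    """One 'name(pid) > name(pid) > ...' line per leaf process, root first."""
    parents = set(parent_of.values())
    lines = []
    for pid in sorted(images):
        if pid in parents:
            continue
        hops, cur = [], pid
        while cur is not None:
            hops.append(f"{PureWindowsPath(images[cur]).name}({cur})")
            cur = parent_of.get(cur)
        lines.append(" > ".join(reversed(hops)))
    return lines


def levenshtein(a, b):
    """Edit distance, used to catch near-miss names such as svchos.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_findings(images):
    """(pid, image name, reason) for processes that imitate a system binary."""
    findings = []
    for pid, image in sorted(images.items()):
        p = PureWindowsPath(image)
        name, folder = p.name.lower(), str(p.parent).lower()
        if name in SYSTEM_NAMES:
            if folder not in SYSTEM_DIRS:
                findings.append((pid, p.name,
                                 f"system binary name outside a system directory: {p.parent}"))
            continue
        near = sorted(s for s in SYSTEM_NAMES if levenshtein(name, s) == 1)
        if near:
            findings.append((pid, p.name, f"one edit away from {near[0]}"))
    return findings


if __name__ == "__main__":
    images, parent_of = build_tree(WPM_ROWS)
    print("process chains:")
    for line in chains(images, parent_of):
        print("  " + line)
    print("masquerading:")
    for pid, name, reason in masquerade_findings(images):
        print(f"  {name}({pid}): {reason}")
```

Two of the resulting chains have no recorded parent in this table: TXPlatforn.exe (PID 1664) and the SysWOW64 svchost.exe (PID 712) hosting the Ö÷¶¯·ÀÓù·þÎñÄ£¿é service. A process started by the Service Control Manager, as svchost.exe -k is, never shows up as a WriteProcessMemory child of the sample, so a tree built from these rows alone has to be joined to the sample through the service registry rows, not through process creation.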

Processes

C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe

"C:\Users\Admin\AppData\Local\Temp\a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Users\Admin\AppData\Local\Temp\\svchos.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe

C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240596625.txt",MainThread

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://support.qq.com/products/285647/faqs/88645

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Users\Admin\AppData\Local\Temp\\svchos.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa67ff46f8,0x7ffa67ff4708,0x7ffa67ff4718

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2160,17637444744740342689,9208168140256649281,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2776 /prefetch:2

Network


Files

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Windows\SysWOW64\240596625.txt

C:\Users\Admin\AppData\Local\Temp\HD_a3d2cb0b4b9fe16ec0bb19f7457669e193af993e3e7940f76c209cfe5cfc7bc3.exe

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_5372_QJGMMBBOGYNSFWKX

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State