gh0strat | b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
Size

2.2MB
MD5

7f7da36574264be4b7dd67af4f73b1b1
SHA1

432f20d5fd94056d258fde3b4907f096190cc8bc
SHA256

b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb
SHA512

d13d7fb1aeb001fe4c7cd113f342c281ffc20b39566d83d2d29adafd8c6bbec71c60144071a0b67f77500c00ea7ac518753dbf2a33c21f53aa2831817d9bc9dd
SSDEEP

24576:rQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVVMwS0kpY:rQZAdVyVT9n/Gg0P+WhoIMH0v

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 10 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2208-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2208-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2208-12-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2628-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2628-26-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2528-34-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2528-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2528-35-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2528-38-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2528-50-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2208-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2208-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2208-12-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2628-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2628-26-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
\Windows\SysWOW64\259419912.txt	family_gh0strat
behavioral1/memory/2528-34-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2528-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2528-35-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2528-38-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2528-50-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259419912.txt"	svchos.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 7 IoCs

Processes:

svchost.exeTXPlatforn.exesvchos.exeTXPlatforn.exeHD_b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exe

pid	process
2208	svchost.exe
2628	TXPlatforn.exe
2688	svchos.exe
2528	TXPlatforn.exe
1708	HD_b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
1392
2256	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Loads dropped DLL 8 IoCs

Processes:

b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exeTXPlatforn.exesvchos.exesvchost.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exe

pid	process
3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
2628	TXPlatforn.exe
2688	svchos.exe
2484	svchost.exe
3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
2484	svchost.exe
2256	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2208-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2208-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2208-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2208-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2628-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2628-26-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2528-31-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2528-34-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2528-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2528-35-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2528-38-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2528-50-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

Processes:

svchos.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File created	C:\Windows\SysWOW64\259419912.txt	svchos.exe

Drops file in Program Files directory 4 IoCs

Processes:

b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ddf9d99692d21e46b898d7f4e19017d500000000020000000000106600000001000020000000d769a9e9221292cd1d7981319dad8b046f2b4d976c90bd24e2ef39097420a330000000000e80000000020000200000005ac2874d3c5534642aa7e04d0f74e6c125f8f5097703558e34e849233410ffbe200000000cd1ab449addce655fefc3101210d5118566c9ab404e21bd8b65e3f002e465fd4000000054dad74b36ebc379ea2dcfaf14df5d0f1f84683b40736591cca90c1efdf50d695bf04d6f1ec632eab9a277ff2e579c319d06c6fc5fe7a7cb4d08d974d577960a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a48566bcaeda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ddf9d99692d21e46b898d7f4e19017d500000000020000000000106600000001000020000000ab34e3bfb71d95dc7f4104a87346b6d3e87729c05e92c6e82f7c2cc3d48b6604000000000e8000000002000020000000fbabc0cf9018e5ce41702588cea01fb9f8d9afcbd910d594fe8845743d9c5a9e90000000917e74e91007a4bcd9a8e8c7d4f034a0b78e03515137490a58903adced6bfcc686b5b4f4a2cff4e3fa272d724cef9fd3c6581909b78e6fcb186522adee8bf367364e5d884c635a5b14be65e5e5f48dc679e72487f831c9450138b84a0a425ede3a99050cdd18272d969c90cde268cb334e160ab2ffb724c1bc64adcb016f0d66b9ecfb7f7b98c0d155eeef56c3baa455400000006fbd514910131b1f32747e5b1a08c9c057837213f31700dc9b73442aec053cd7627d8a758027c11e0d83915439b89c27e78bb10e54c8fb6bbfd660c0ddbb4590	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422814548"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8EE72A41-1AAF-11EF-A692-6A83D32C515E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2580 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe

pid process

3024 b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

2528 TXPlatforn.exe

pid	process
2580	PING.EXE

pid	process
2528	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: SeLoadDriverPrivilege	2528	TXPlatforn.exe
Token: 33	2528	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2528	TXPlatforn.exe
Token: 33	2528	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2528	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1460 iexplore.exe

pid	process
1460	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exeiexplore.exeIEXPLORE.EXE

pid	process
3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
1460	iexplore.exe
1460	iexplore.exe
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exesvchost.exeTXPlatforn.execmd.exesvchost.exeHD_b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exeiexplore.exe

description	pid	process	target process
PID 3024 wrote to memory of 2208	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	svchost.exe
PID 3024 wrote to memory of 2208	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	svchost.exe
PID 3024 wrote to memory of 2208	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	svchost.exe
PID 3024 wrote to memory of 2208	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	svchost.exe
PID 3024 wrote to memory of 2208	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	svchost.exe
PID 3024 wrote to memory of 2208	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	svchost.exe
PID 3024 wrote to memory of 2208	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	svchost.exe
PID 2208 wrote to memory of 2536	2208	svchost.exe	cmd.exe
PID 2208 wrote to memory of 2536	2208	svchost.exe	cmd.exe
PID 2208 wrote to memory of 2536	2208	svchost.exe	cmd.exe
PID 2208 wrote to memory of 2536	2208	svchost.exe	cmd.exe
PID 3024 wrote to memory of 2688	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	svchos.exe
PID 3024 wrote to memory of 2688	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	svchos.exe
PID 3024 wrote to memory of 2688	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	svchos.exe
PID 3024 wrote to memory of 2688	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	svchos.exe
PID 2628 wrote to memory of 2528	2628	TXPlatforn.exe	TXPlatforn.exe
PID 2628 wrote to memory of 2528	2628	TXPlatforn.exe	TXPlatforn.exe
PID 2628 wrote to memory of 2528	2628	TXPlatforn.exe	TXPlatforn.exe
PID 2628 wrote to memory of 2528	2628	TXPlatforn.exe	TXPlatforn.exe
PID 2628 wrote to memory of 2528	2628	TXPlatforn.exe	TXPlatforn.exe
PID 2628 wrote to memory of 2528	2628	TXPlatforn.exe	TXPlatforn.exe
PID 2628 wrote to memory of 2528	2628	TXPlatforn.exe	TXPlatforn.exe
PID 2536 wrote to memory of 2580	2536	cmd.exe	PING.EXE
PID 2536 wrote to memory of 2580	2536	cmd.exe	PING.EXE
PID 2536 wrote to memory of 2580	2536	cmd.exe	PING.EXE
PID 2536 wrote to memory of 2580	2536	cmd.exe	PING.EXE
PID 3024 wrote to memory of 1708	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	HD_b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
PID 3024 wrote to memory of 1708	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	HD_b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
PID 3024 wrote to memory of 1708	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	HD_b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
PID 3024 wrote to memory of 1708	3024	b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	HD_b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
PID 2484 wrote to memory of 2256	2484	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2484 wrote to memory of 2256	2484	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2484 wrote to memory of 2256	2484	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2484 wrote to memory of 2256	2484	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 1708 wrote to memory of 1460	1708	HD_b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	iexplore.exe
PID 1708 wrote to memory of 1460	1708	HD_b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	iexplore.exe
PID 1708 wrote to memory of 1460	1708	HD_b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe	iexplore.exe
PID 1460 wrote to memory of 1480	1460	iexplore.exe	IEXPLORE.EXE
PID 1460 wrote to memory of 1480	1460	iexplore.exe	IEXPLORE.EXE
PID 1460 wrote to memory of 1480	1460	iexplore.exe	IEXPLORE.EXE
PID 1460 wrote to memory of 1480	1460	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
"C:\Users\Admin\AppData\Local\Temp\b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2580
- C:\Users\Admin\AppData\Local\Temp\svchos.exe
  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\HD_b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
  C:\Users\Admin\AppData\Local\Temp\HD_b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://pc.weixin.qq.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1480

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2528

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:2424

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259419912.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
db20696ad0cc65c8cbd40dd73311a8c2

SHA1
d1442e5d4983fc7d021e13037162942a9b844418

SHA256
2d2c02c270781a46f60f53962571ba999c922f92c2429753e7971b8a65a4bd6f

SHA512
8488bbdb86b79207c43e2930e3cb381cb48a51f87bbd993e3d53daf09b3e06dfc34d82bdb6d82a366ff1edd7caa901ce67cd77b85af86f7e34f866d8b657cf82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
19ee8e16ea7b8b04a885eff6bb042265

SHA1
98efa08269ae57d0b9b2189135fce245fb6f55de

SHA256
31fb09f3b08bb11049df528e3b2f804564be73788e9e67231b3920a87c5d158e

SHA512
9ca1f8a8e9a5ed3baf4b394d84ef299764a25dabe5da4d23e0bdd5a04fb7628c12669295ee048d2fcb4f876e87d1c4e826d51793a7a47bf48cae720f26d258fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b431be47ecdc96bdf000952e045af43

SHA1
44cb8435f4d45c0ff23ee645dc55a292ed38c3e8

SHA256
a45db378f1db7b5773a19ed14ebfbe76dbcecf1c5b78c4747d606a903cc07490

SHA512
b01f7592d6aac06956a49e27384a7c0c2025b088c4a9ba44eef220b41e23cc12b81bd996d8083a8ed529ac95b5352583804e8ad6ee49f0f9dafab81a653f6840

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb5f5887a4a210cb403a336d362d7ab3

SHA1
99993b8538cd6922552da06b7efdc420081844b7

SHA256
a3e905d6ff2e22a67811051ec309014b739a025eeedafb70e2ee9492de480458

SHA512
da5046744ac10696c8026440cb5b56d9a7647239ceb2c621ffa8716ba20990b555d621b47a6fcf63f777e3ccefe4a26d53c24d2a3f8fc4cef8e3de099b5c6c4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b15348cf51c6f1264d67c03163159794

SHA1
6b9b2d811f5524c1121002e023934a7522697b7e

SHA256
b11f710b7c513f5c4afbe62ad6db740dd87b5ea8a647b279cdbafd88fc2986f8

SHA512
2be86f4927984b366e32ed574ba01a507e6e0272b2ba6e7815ac9c3020b7f05aa71e7697c4adb0cf9e49c88ed9639cd428aa31f0654695558c3127d6eb2a1b4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ca668fc780bca5a2434d5c8b356c3e7

SHA1
6293888deab006b6def19a07188fb056d69064e8

SHA256
7597e017a3dfc3f395ec8e2e5960c84f23c4942bbb43bf98a9fa88b940984fc8

SHA512
507b453899fcd2f74a06ce93df9604aea87c321a7534029395aa27110d7d148d55f61ea9d709882900b224d9dbcfe3e6f919fda50abb8ec48be953ed138cab41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d04a7d20e63833332a2dd9ec18a4917a

SHA1
4e4fe003450ace30057de5b9aa1aa307e7354cd7

SHA256
b9fa75aa6aa439e2d5b9612566a7abcb3a136272ef0124a04e81faf7a8509f7e

SHA512
0ed5c4c6416bf2ebfa1e711aef22f25b209387c84bddeca3c4576617f33f446f7199c5a7f26d2e9567cef527054abbb7d21ff62d0fefb7ded4a4e83112c59346

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8073fd9b209928216ce1255775faad2a

SHA1
02b55d38cdad3b49e4e32135471ee1b492d6505a

SHA256
8480e0e81ed6dce58a5943913e45253aaba2493d88e180d796cfec6759820802

SHA512
a8c3dfc8563ecdb8887a806416023a9d35ae5cc1d4dc045885327a3cbe47334bbf882ef03f1b310280a8409f19bdc6351de373250d6ec37978a5716d5065b140

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ea792326ed12797b0ab55c853baffdc

SHA1
db004635b3555e54718e64d08b082f5dab0b9f38

SHA256
80d16cbb810546ae0290e2d5dd69e2c651825bff393cb54e1afc9cdba7c163d5

SHA512
ac4925920cf01d32c86cf7c129a8d2916a29db276dc4037521368495de4308ebc843e17fe8538b202236b56d34f141709d4e03702a926a407b3e9d4c6495186a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2d552c42ec9bb3e9ba960c855f916047

SHA1
579d54936c18818433926653ed297aa228bce51d

SHA256
6de0d9451946acf11f7014eb9a70f55161735774093a9ff7021899e835e1e9c4

SHA512
7d7ce36a85617e02079b032393085262ad30c40523964e9e2dd8dd87c4f50715f910cdfce4fe06910688cadb17289a643ad58122f7f51f39769be4858d5d4f03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fbb031e6445c665b1045d3e1a6a1cfc1

SHA1
a8570438e0f06658b13dc86a5165cd7e7c495aae

SHA256
28806b64a421455096dc5c2957e2d239b1d6fa5b632c780b816d00925ee519e7

SHA512
1c34dc3f665c4683add5048194d899fdc29b4a12f2aa0721b3aa923858801ae8b6c9f5f1dfe50ddfd7df067408f8290b012db3a848e10b6da2078bdee14d7e50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b36e62b3a028ea655c1e8816e12ab0f2

SHA1
b69bdb5c0471a857612609cb589621a163fcf3c0

SHA256
889738c97e6e0e232ab4a42990cbf3e70ae00dd094b7393eb8c6fef42dc71bfb

SHA512
c8f7463186c7adbdcf2fb5b38bffb9fb69ec18e0044978e14a202e22d60d5b7e9b1c7af7b6e4bd8673f17e9e7367d1b37892e3c33dd1a5cfa67b9460145014a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
34e8b920fc011688636c5496908290a7

SHA1
70982fc96e11ed12a0e9c7c2964dd6b35ad6008b

SHA256
52b84fd110c4b58d63a0f082425e161cb6439054bd24cb674c909578003c90ef

SHA512
e52a58a94593498e335bc84c51ac67e401cdc237cf5a0c969fd18bac65c8756944aa48f548636fb232fc0d28a81454eaf32365482ed337accf707ad5602d5746

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6209b6108579703ef79683e5eaee73c0

SHA1
3f54ae0e97ffca997f17d351f3d071fabf90ad25

SHA256
6a475b1d8d7a4b94cad4c327a8175b6ba78a14978fa3d3ca8ccd50665f904f03

SHA512
cf908474ebf061a3455a0a69ac4f3ea06e2a405cd421e132b7fef2046a4645ab5b08f5d00f9e0520b380612401641cdab26c06233aaa26e5d948f22d726db629

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8395fd92720a0dd446e1bb2fd3dd78b0

SHA1
8aad47a644e27f036e324db48716a1bbcbb38a5b

SHA256
ea85f8855d5e68c4800c89d1a6218dd114b4176308aeb78f5ebb9457be9a2965

SHA512
1f83023797012799f3aaf5fcc9d1e523c6be2c00514d1351c1bd82dcc385c9c9e8e25c00d4af2ed5f50302eed3fb4e921d3eb8209e142db18844650f705fd18e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b83613a23dfb64c5168202195c70d960

SHA1
6da69cabc0455ed38c1d03fc2eae3e8c6d254fe1

SHA256
6effafac00012bd85119b9bb97b5cce386ec5b339b138a4e9311e4b341d3f0b0

SHA512
d57b570dcef62e4f2641b555038a2489532ed7223b13db6213297151f7f0f13f858e717ab99063e26df89042cf2d8756d99ec5536d43dd3bd596824b2eeb1d7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99001cf02831c5858284f39bc7001a81

SHA1
38d6c0496b4a7c8a7e4829bb1e2cd31484202b44

SHA256
3e8d354afe631c36c16d71f0639dfd5697af6728e18b1a778af017f782d8bc21

SHA512
9619fb5bc38652c17ce57f471ba7cd2ad14f324a3b2f70aade3b7c52ab6d66fa3be61cf8c9c46f1f316a353b6d3c6d323ab0dde03ca297069550a3c12b115df3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6b2985672d11c425b8e96ce3a499881

SHA1
c7961dc931c03c2772a35cf655c46623537f025a

SHA256
53eb0423dbdd1ca52b11b516a77fa80c4eb48972d16bd7d634644ff4b366a8e3

SHA512
11dbc72dd87083fa5ef1895cab2da81b4374e8a05b419e128bbe6869a8183434f89734b30e8b7ae1ec70241f987af06a6526c88c4b7e7681723f28eeb421023d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e77dded174cc3a3bbdc490ee375555d5

SHA1
1993946f11be12bd105ce60bbea3b9d6e6b54940

SHA256
ccac70edf080445814e1f79ab0886ba71507f1ab56c13c8a8b007519331fd525

SHA512
bd328eb306a6dc54ebe32d664e69bc244704a1e77d4e0b1dcb5ba249178304dcb6edfe5cb4792356db38ecf14a9c05042ebc134bf74eabcc935b1e2bde0cc135

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
75819f2e78e4009481a0d5c4f00c7ef5

SHA1
9b7fce05523dcf71c7b4f767aac0f950a111c58b

SHA256
70b79bdb828be010c59b55ed57f8d356b28342fd744c041111b79994ddb08a1a

SHA512
5b4107a3d50001491a6c64b6b43105aa47af038bead3de2a18c5ea2851347958cc10c0489a2336c34c1efd19be346d65cdabf2c23e84a8c9cf325145b657a5b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f36755d17c4ef0b7f2308fcb7b5899ec

SHA1
b5823caafdf1cd5089a0a6c19fc47fe5d0b2f708

SHA256
a02818c90abd63d6c7b7e84d7c0df6efd929d3bfb34a3dcbe5ca72e4d7472c51

SHA512
0681032171361cbba59f44b4155790d52cd0d36f7998e26c10473bb220a7dd63f4a97730ae1aa4251ee20d0fa2549af092485044860507ba8f472d86e4c87a2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2927d6e9586c2c680d185340f74baef6

SHA1
2b5ed6c64678714b22def8b3b27d1928b77dcd8f

SHA256
054af554273adbb6db1c9f0e32ef486684617898edd1e71cfee6ef5fcb9eeccf

SHA512
04f994305e11e946765437a08f035d5f760be7a48a1cffde52f3263a8df6b808b822f73f616ade94cad4323a5379fb0e1164bff138af324d49200667ba19b3bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
971a0b4298fd7c7e69f21cd57bd7ba49

SHA1
757a36fb8313ce0f8f576da41660891036a27119

SHA256
2e65714744c78b6028e7dc0011dcec1f1ed131f0f4566e008686963c803b1fff

SHA512
9a804527afb2bb8d825a437bf06de04b8cbef6172dc9887bfc3a2e3b9f2487d4f5a511b7f46e39bf68d374f07cc3ad4c27931da60061ae7ba0787fc86e3e0a6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43a493196d02a02f90b4f7414c33f0fd

SHA1
d1328140adb50e1f60c5a31af326ecfef7c65959

SHA256
1257ba14390354d0862707e033f7a5c8f17fe76592792dee8b2bc38bc6b61e79

SHA512
491c8220ee5257ffec677daa73a3b10dfb9d754877a8dfcfbadb084324966a992277ce13cccd7e1f342d9881b2b9d6b6c64bc2b9481435473a94180b1a3bced4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74efcc4b8b8c642fe914b64e30279e78

SHA1
0b96548cd7a064507447761ea2f80a9989505a07

SHA256
78bd6ec2b42f3f673784fae47a356d8dcda49e202e6ae9495724021a2418e9bf

SHA512
0eabfecaba2353a787622b91782bc0328a499d6c13cd6d15750aa7a476a9aaba75f9e2415a9a813f505d4336c39f4c85196e116a1a0e4927bcb81b62e62ae257

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
fba24388be651be7d3a59a339dce0cb6

SHA1
ef4c40c78b5b911bade7623ccb99be712f4ea0fd

SHA256
027baa1f028e70a65ab148a264e3c971c8e3dcf5159f36687b324019be802bc2

SHA512
eb3440d9f0169a173e46318775068def95dc33a7c5651a4adc4e1f6a51f9ae7ea5e710dbb1222591ec5bcc64acc94c65861bec45443b4c83f0c4f47650a7f9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAE7B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAF86.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.6MB

MD5
239aa557c50920d5b084fad8f3c40867

SHA1
5a72500c38b4c1fd633791a7b5604d2dbc7c3fd2

SHA256
223723c3c853c4f387caebaf1a5caa8428c5683fd603bc8a6af8527c2dc3c1f6

SHA512
3e2ea3d00af49e15aa83ad30236205cda1b2bb9cbe18ccddcbb8175e7b09a10e1a23f5a8be82912298ceccf95026028b56499cd7a5a82b744280653d9a183d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAE7C.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAFF8.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
\Users\Admin\AppData\Local\Temp\HD_b6660f4b0556f0717e8d949a1df4f5be1b675403ecdb01ac48c36f6bc23077eb.exe

Filesize
639KB

MD5
75f9bbc35802ae5cf0215c0ebbfa7390

SHA1
81c85fb9906c1fe95399ee19210d15d6ad4ba0f4

SHA256
2f69433df55a5e5ca40a37a40334d4fe085d1d420c50bbefc00b3eb7cd5e26f7

SHA512
4eb88bb9f2a3e1aa5d99c6e1ca6e50ab9327640388652af45a053111dd197e883541a300dbf1dce30d941eac789b4081ea066a307ddbba75e2cf2b35f4601cf5

Download Submit
\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
\Windows\SysWOW64\259419912.txt

Filesize
50KB

MD5
faf3f34e723aba381f7f4d43b7dc4f40

SHA1
b4fb808bbc51c07c6369546e78d03efbeab54410

SHA256
a92488b8b46ef72e178d693838b8dbecc1bc27d2fbe9c92c75a53618b1632fcb

SHA512
f571ecc94ffbd4dba188a72dae7aeb2e45d6e8ea6a7f597cab5b171edab3c4f8cfefd168db522291c5073e7f34908600b727bac292c5ce90b54a55d73df5023c

Download Submit
\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2208-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2208-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2208-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2208-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2528-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2528-50-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2528-38-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2528-35-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2528-34-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2528-31-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2628-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2628-26-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download