gh0strat | bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
Size

2.4MB
MD5

7f9b612b05a19b5c2c1a1776cc620aa6
SHA1

bb80b801a946c0b73a7d31144b266bbf08e1e15a
SHA256

bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e
SHA512

4f0e7a0b6249f51901426c8e33da1d5b5d909bd3aa9a05a1a0458d9af10445131f042d42f4edb3c1cf8cae532d20f3ab15c01e299dbf973e0021de4b87196ffa
SSDEEP

49152:409XJt4HIN2H2tFvduyS1meyboddPSkqeGD+RWk+K:dZJt4HINy2Lk15N7PSkqeGD+X+K

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 8 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/3024-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3024-12-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3024-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2608-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2608-28-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1728-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1728-37-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1728-40-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3024-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3024-12-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3024-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2608-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2608-28-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1728-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1728-37-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1728-40-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 4 IoCs

Processes:

RVN.exeTXPlatforn.exeTXPlatforn.exeHD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe

pid process

3024 RVN.exe
2608 TXPlatforn.exe
1728 TXPlatforn.exe
2872 HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe

pid	process
3024	RVN.exe
2608	TXPlatforn.exe
1728	TXPlatforn.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe

Loads dropped DLL 3 IoCs

Processes:

bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exeTXPlatforn.exe

pid	process
2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2608	TXPlatforn.exe
2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3024-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3024-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3024-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3024-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2608-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2608-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1728-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1728-37-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1728-40-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 4 IoCs

Processes:

bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004681791d699f584a809c759d9b54aaa30000000002000000000010660000000100002000000000fd3f1b0676c8c34e4bfdc546d51c42a9b6a70bf29ff455456307f4bf02dff1000000000e8000000002000020000000aef3104e3a473796da3ae3dd7b67f76208f8eec999cd1ba6e9a107e52491485b90000000b495abe6b9f2ed090c3f57c80a28d96918a7c06fc9053c6270aed22b31dbbd0a43a76daf1c4a79a4f818c0e31532bd54d5c93b02785cb1ee3eb27c2d043c6b0e429364e27c7ce9538a6b4402f2cfa8924216d710cb1923b245d38a1fbf06449c5c25e8494970b0b563e13faebdfa65c64d85715efb6310bcf26020b006e68ef0f6940c96002473bde7b9a5de096cd830400000004ffad5b5b473237aeee75d7dca6e8d376dd454ca7c9b96994be0f6712bbd401df1e1dc3746542279cc5691dfcad542de303ebffd5bc4671991476d01c66e3d3e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422820738"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004681791d699f584a809c759d9b54aaa3000000000200000000001066000000010000200000003e2a1949a31b21ff80990c01756a9a0034efc240ef95fb2c915c60b58ba6a940000000000e8000000002000020000000aab11c2cc0df03d92803e63f9e21468655829c56fdae14c84bd15ccf5665399020000000c15aeee2015474e8e3a9e9a599389a0e4590aa1341c5f668a0192644b59b493d40000000d62742a96dd7e94927f75416911231b5f170faac9140073440340b5e30f1587a9f220fef6f7e7715b77df204871b39506b8637ad8a9b0c942769e89b414f5645	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F8F8AA91-1ABD-11EF-8FD2-F6A6C85E5F4F} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0073bdcecaaeda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1712 PING.EXE

pid	process
1712	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exeHD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe

pid	process
2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

1728 TXPlatforn.exe

pid	process
1728	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

RVN.exeHD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3024	RVN.exe
Token: SeDebugPrivilege	2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
Token: SeLoadDriverPrivilege	1728	TXPlatforn.exe
Token: 33	1728	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1728	TXPlatforn.exe
Token: 33	1728	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1728	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2992 iexplore.exe

pid	process
2992	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exeHD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exeiexplore.exeIEXPLORE.EXE

pid	process
2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2992	iexplore.exe
2992	iexplore.exe
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exeTXPlatforn.exeRVN.execmd.exeHD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exeiexplore.exe

description	pid	process	target process
PID 2932 wrote to memory of 3024	2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	RVN.exe
PID 2932 wrote to memory of 3024	2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	RVN.exe
PID 2932 wrote to memory of 3024	2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	RVN.exe
PID 2932 wrote to memory of 3024	2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	RVN.exe
PID 2932 wrote to memory of 3024	2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	RVN.exe
PID 2932 wrote to memory of 3024	2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	RVN.exe
PID 2932 wrote to memory of 3024	2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	RVN.exe
PID 2608 wrote to memory of 1728	2608	TXPlatforn.exe	TXPlatforn.exe
PID 2608 wrote to memory of 1728	2608	TXPlatforn.exe	TXPlatforn.exe
PID 2608 wrote to memory of 1728	2608	TXPlatforn.exe	TXPlatforn.exe
PID 2608 wrote to memory of 1728	2608	TXPlatforn.exe	TXPlatforn.exe
PID 2608 wrote to memory of 1728	2608	TXPlatforn.exe	TXPlatforn.exe
PID 2608 wrote to memory of 1728	2608	TXPlatforn.exe	TXPlatforn.exe
PID 2608 wrote to memory of 1728	2608	TXPlatforn.exe	TXPlatforn.exe
PID 3024 wrote to memory of 2548	3024	RVN.exe	cmd.exe
PID 3024 wrote to memory of 2548	3024	RVN.exe	cmd.exe
PID 3024 wrote to memory of 2548	3024	RVN.exe	cmd.exe
PID 3024 wrote to memory of 2548	3024	RVN.exe	cmd.exe
PID 2932 wrote to memory of 2872	2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
PID 2932 wrote to memory of 2872	2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
PID 2932 wrote to memory of 2872	2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
PID 2932 wrote to memory of 2872	2932	bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
PID 2548 wrote to memory of 1712	2548	cmd.exe	PING.EXE
PID 2548 wrote to memory of 1712	2548	cmd.exe	PING.EXE
PID 2548 wrote to memory of 1712	2548	cmd.exe	PING.EXE
PID 2548 wrote to memory of 1712	2548	cmd.exe	PING.EXE
PID 2872 wrote to memory of 2992	2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	iexplore.exe
PID 2872 wrote to memory of 2992	2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	iexplore.exe
PID 2872 wrote to memory of 2992	2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	iexplore.exe
PID 2872 wrote to memory of 2992	2872	HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe	iexplore.exe
PID 2992 wrote to memory of 2700	2992	iexplore.exe	IEXPLORE.EXE
PID 2992 wrote to memory of 2700	2992	iexplore.exe	IEXPLORE.EXE
PID 2992 wrote to memory of 2700	2992	iexplore.exe	IEXPLORE.EXE
PID 2992 wrote to memory of 2700	2992	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
"C:\Users\Admin\AppData\Local\Temp\bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:1712

C:\Users\Admin\AppData\Local\Temp\HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
C:\Users\Admin\AppData\Local\Temp\HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://fivesixseven7.github.io/J-r3i9
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a5963e9388a67f6ba5a65c9a3203357a

SHA1
2e10a5360e2cc84a02ea3eb7eb6e02104e01783e

SHA256
a32bbf81ddf0b254785a1b5bafcd271535c1c5be3de1437ab79589f66049b1dc

SHA512
b2cb1de6a0da0acc4e801104749efd43eaf62dc130705d0c05de1c531bf1bf21e69314ba5e3717004ecc58f120432bd9866433b92a74b9c115f138a0c2c20590

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6311931ff5bbf9f25eb218387d1d3a19

SHA1
201c83c564523a4116629ec17ee941c17363c97c

SHA256
6b723f75b5c91cfc73c72c88c5afb2f255f950e310fe4b4d4d0d4b8d754158c2

SHA512
4d4cb7d361c70d016c9630961e368c6879b0b74f9a1b7afca61146bfa0256c7143ab8571c122fba4576c84c57948ad37d6d9687cf35df0654ed67f647001eadf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2828d0ce3f4989ebc55eec84286dd5db

SHA1
dab7b79d427dcf86930e9c45125a78e092663431

SHA256
e12b846d387a491839c4cda71f28cad5a835811774829777fd49591d4c5b939f

SHA512
b21bfbf454a5fb50074edacff8571344c97a515489f0f5cdc868e207cfb9113e696186750350933dcf6dcfafe5616ef72ed79a731ed070964f7300c373c2e0b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
202b4601f01216f0a1ccaabd5b145c5e

SHA1
42757b72844beecb1880c1fac0c4d6b4617ae7dc

SHA256
aaa6ba822b934ca1eb2970f20e54b347d3de0d1af84d2b142569bb1cdb5884ee

SHA512
5335dd470a449ab0882a3ae674a442418cda2df65fe8170fc9ff631f64fa917f09cce05235bf2eb853a03fc148577da897425d499b09ba34cf7d3c33b908ed1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3932936bfb8a5775fbf7e9d92c928f02

SHA1
30bc3581af40545bce355e7114d9e76b6b9e3b86

SHA256
37aad97dab3b3d3a8ab32574ba3e083c1de8223de7a0ffcfce88dbf87977bee9

SHA512
86aef2c56e4f29bcef74c89bd4339535bbd43fdaa9cb0e0def37123deeb3766a1c9b4e7e6cf64f61c5f52109b2e82c1113bbc6ca65a9c2a3834d0fc5c24435d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e1ba900d21220ccc9232bd900e153a8

SHA1
fac2a6959fd2f73cd33070dd2bc0f05e876fc160

SHA256
02750f6e6084003d8a275481a1faea7a8de585b121a815d3257e6e9e47068489

SHA512
6819cf15cf45cda70412ae097d21309117394bc2da2f12139d8469a76e9d85ee95df7e87de4c81e5364b3ada42d7c95e43790741dfb9f816d25459c4969fb3c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e768edaac680fb5c4818d87c0d0f41db

SHA1
7f5ac861f26ba4552d50acfe96e35d0f7d97105e

SHA256
59a760556aac70cf0e10bd3ed0a334721dfeddaef311d6a2e5710192fc93773b

SHA512
240913b8c49d077739a8f2eba977d9fda361e0b449c989edcbd2e21bdca407e5981b54229753d421c35fb49a4f1e48833284cdca0fc00b22a9ffec5cc018d7af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76abe194c9547bb066680aad6ec35758

SHA1
7582edd6caca1e577051a3b8b98820024a415f07

SHA256
e7021ee981f2cc3f1c651ed1aaf1d4a98cda1a64160356463981d60600b002c6

SHA512
db1f367bec54c6aa9e48bfbe1a85b7014635e6409c0c3742a3639a3a47ee73bddece8d69c30da958747e7c0098591e7ec062ae76a76c1263686bbad78ea99b99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07060a573cb84feee45f7a24d9e402ff

SHA1
f5f65295dbf149c00488e7e22d6106cc7fd18e58

SHA256
90c439e9b40680da425caec6935c365eac72ca2339f16cb4c34ae05e3bf4f300

SHA512
e7ad8ba4f0ee96bbcbc93af08aef5d54ce1765733722746a3b92bf19addda15ea770eead363ee80feb4e7db159e8fe065b11de50b3713a6263597e3c0a695c88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4a0bc946876d52a1dced189c58b59ed

SHA1
d9faa193c3f5db1c1001bb0dc4c85eb9dafec9bb

SHA256
f762eaa9b5b5a74688f69a41dd9760dbb25da6ffd429d7d37bb4ae23d549e623

SHA512
58f7bbe02459ccc09413f06c847bbd0cfc96240062e42a4efd694a6342f6a7da9f66cc8524e717e4db09dd16d0e02eb890bf57fcb835307807bc912b97cd9a31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
77b4149a11c91874886e65e92adc035d

SHA1
4b0764a90bd1912cccc2a6be68104ed4b7e0a808

SHA256
46a64ab6285bd9fd93999f335a66a99093f94a27f2441f8263654da6a1bff0dc

SHA512
76292eeaa45f3f848b05c90c0e44d3d2498be0985f0bd078e2057242e1ef9f904d966bbab1da5372e36f0d5f67b50a2f35512e5013d6f263060d6cdefed32aeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e2c47bae6e77ea30002cebb02347950a

SHA1
144b5175da4c4259ad9808ee73114a6a024df8a5

SHA256
7632fd470ebbf6e7d81bc63b159d86935c6111dbda3e540e01f3fb047d8de3e8

SHA512
1d7cce87e3baa3a83036fd39048a96ad3c3d46d30826131bad3a93cc118d0acf6a95a39753da93af214c10dd47f068503c5185edb8d70c1af065eb565f128e8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b8258dba9655f9d28cad55a34e42b21

SHA1
06b7f60f8f34261581a20393319fe6921ed48b41

SHA256
a05f3db8b6db78d55f96276fda415085d681d83aab0fa75b252dba6ae227dae9

SHA512
1a4b0e03a8524c613b2feb4c0ca7b64eb285941fa6001b1fa7948dfff05d4d61e9900101cb6fab42e813173154221ed0d14d0307381c632ea4b4a90d76245e68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ac18c9bc5b75bc7e4c7aa385f3220ff

SHA1
8e0664cb01a8fe064ab3c70d351b25506d532613

SHA256
0cc804c5e928a67068f1a227b8ec727e5dac7e143361d13bcd9adb4accd28f05

SHA512
27057041d5e47417e906b62ea1328c54bd62268540a77889ccb11d062f4eae6bf525f572d10d5b1178888862a2f9205bcc38c449c963a8304fdb9c2ca9ffc33a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f9e1a52a97f4476dd7fc5e3711a2e2c

SHA1
be9420d015a9fec62c858f2a58bab21d30201ea3

SHA256
f5545a7d9ba07ea4a691afad71dfc0321ce7aa1738ace5c631761fe5a0383d94

SHA512
0c27be0d74bbe6bcaae42a9f0428e98e014e483409999ed9e42c743202cac1863988ef6f741d2e9a39394cfecc7b6416f4ae3e43197296ea4430d1a645cad98d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
385cbc9c5b4b017b82e05096809e37b5

SHA1
1e84285120b147ed6faa8968ca1c7a21fdfe3ca5

SHA256
dd9f13be647491cff3e7e94240fa19ac1ae6659ed6886e6c39acdb6fbeb44889

SHA512
37ef95046dfd6410c0a43ed93ee9ed4aea62bd3e38d36f9b238bb1b3614d5a9229151550b21d449c4dd9b4b94ab282604869420aea32eb7c44899f6d5e60d6e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f5bc49faaf754cf7ed14749f305cebf

SHA1
0aa5f45cee15461b5bd929ba414fa5f3acdb3b35

SHA256
b90e6363b3c70e76f3450cfb4c62110135da2465fd740692ceb8514d96b41d03

SHA512
c101cd39a4f3c8559eb61415d29b4932d8b85d53956de8b535249804601fc5458f4008bc23afff003be846e28a939da741d0f331552d179bd482c3d7d68ca552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b1c537f8908b77f5378773dc7fa00c09

SHA1
2ff2fd822457e08cf2e4a286d117b941810aec5b

SHA256
c54d1f589910712e593674e34bfee21e5be0f1635b7431fef68749c07a902754

SHA512
2566ada807ab09da799c1dc361ed66639c5d32bc15bd23b4eed3e543407792468fe1d3a74fc75f9e50b664051f202f5e0add08a071f44e595f985b981ac3ca56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
169861cd523186eb20e802e40b7787ae

SHA1
38eae58a0618eadfb1d03e9fb6f39b724fca59c7

SHA256
5626de0f09b0e9a3e1131ffcb76d2ebc1db2a42b2654e076da9615d644f5a900

SHA512
a3aafbe2d69d247922016d37ef206b40dd0881d841d5194890e6ae14b3daec011be6b02bdb662dc09cd89354f64d0ba6d30f7a6b8580544a6b2f1713760ad979

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b0988615d5af7812add5d4249509c226

SHA1
edd930c631862b231b33be735e7543ddc3f8175b

SHA256
e2ccd05b2fbc66473223e4508855b26b88fb183e6baf0d272278fa51a155605f

SHA512
42da7fd3dfc9f334a2d2abb2220b53966bf2a0a81963f48e5c968d27db086546fafc1269659c607761b31c96477c8da83dd73eb62a49f104998ba71639e5c881

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
062e6863f2a17e8551940c1e3321db55

SHA1
ab9c97643c18c81804bf3cc1a1c144a31f4a6377

SHA256
9b92df22549bac97b7d6280eb9e802f63016c2392e55fc5360a01c1a7cdaccec

SHA512
58fcb3924be40266f9e6b09fff71c95ff3aea05ecf541253e0bbe42b561c9cba655165107e1c0b8a02369bfd7786d91064cf583e9d2bc99255604b7ebdc5dfb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e31e38adcb3a4dea521cdf196c2c2c23

SHA1
2efb06e0e268da8de3b2e7b21b7348b5421fc1ba

SHA256
5cbd87f32f545b9631ec64fcbb237cc0bfe278f0f38f35e18b7cc5aaa436de25

SHA512
7ee4c5991b2ef5aaf84be2288e949082c8726ec9cc854a86966e0ee43f75f2e3951635962d16e2f40b58dd942a2c621174aa854925134680c7338caeda9f7db9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a1feb1a2dc804b52495d85c07d32093a

SHA1
66b7bd6639fd69b91226019c6b6f8a5f7cbdde03

SHA256
7aed69f681589fbe24a308187d673fa9c74334659c6109f6f639aca136ea63c9

SHA512
16ce89cb0dea5162d0ee7a1cf9b5e46c9f54943bff88cc5558dd9a9b95b45de34c41bd3fccf263114b0644b0856372b6eaa02e8a53179050d3de6beebc521a1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2e1c058e30102be2d47d73294ab20c9

SHA1
2e96c9facc864dacc028ff5532ad5021a6114369

SHA256
768a3bd12d065407b5faf21f6c6442b95437217c927b6638a2eb00e2f9920511

SHA512
e610e457ed043ce2735dd1eff75e115420d660469751189b11ac8c5758a75299ff0b0be0035f1b6d356574687a5d0d638252cfacf02ac022ad46ed054e343817

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b979bfab2410584be4e4703c4e6c15f0

SHA1
b9d08121de39b2ff98443bcf27dcfdd477abc2dc

SHA256
fb5e510f69d7f91e0eb3d54f417e3ff5311b9e2142b733f90f39d4017591df8d

SHA512
5f017e84dce6914a236704cf040146e9603f0c37a515ff075b4dc6cce3d1fc02d7a0bf705183fb475aeb778ccf4407e653da5bcdcd786a5fed78358a393d12de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
825e1ec40b794c197bdf4b564f8eb3ab

SHA1
8d02c36e77f8cdc8d0669a45febfe07cd45cf070

SHA256
aadcc3dcfdfbe04e264fa1ed2dc16ce535fa20278574b2be689dc26866a9ce76

SHA512
42cc47304e6570bbf657cc484c45321c02815f8fffd4ebc4bb80c4e913767b6a8df5e376a5cf01f5f8c8c399f5241b18a6d973215d87e155ad86445028fe3166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b121a0c773e3b140a9162735fd24988

SHA1
359eb9cef6423631a2b3daa9d9f9c4af77aaf036

SHA256
99241ea754e89827953ee7cf8123812629c934e9fd3705c25dc0fb9ceb506f58

SHA512
204a6299faa1030f3995676add2d0516e734ebe751df6d390e8647727099d97c40f3ecbf27f43cf54f659e68571d0441c9471f99e65f95ea534071c528644997

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab66A0.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab677E.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
45e5622ab244146009703db5abba3904

SHA1
a740bd11767d3c0139fe3cefa6643db8f340a423

SHA256
33025464414d0f8063fefebe23d0d35160bc211dbc550c5d7ebf931d1e3bfd1d

SHA512
591bdeec24020a90e9dd3353e5104b52f3f9b66c1129f4ae376b28d9b9701c559378e8b7e3e5a633dacf9d53276076776d7115135cdd6236620c1ccf1dbb6b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar67A3.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\HD_bf86b3d2675df4ea37ecacf9405d361497170093a6d56d5231b708959a7bb28e.exe

Filesize
1.1MB

MD5
5d72f35f0181067a2baba946713a727c

SHA1
b59cd908b93335d689f3ac51c87a3a4835d7e6ce

SHA256
21eb6ca2ba0533e6cafbb740e90e3850dc1cb223119100cfd68704152806ec5f

SHA512
6267d08e5c50419f4f60af4f4c8f7cc42f5e61e963de409ef5aecc51b4c222e1eb2044907a5553d82a1e0b335981738ade01daf372506e5b5a55ed64fbbcac41

Download Submit
\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
memory/1728-40-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1728-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1728-37-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2608-28-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2608-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3024-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3024-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3024-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3024-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download