Malware Analysis Report

2025-01-02 15:22

Sample ID 240525-vg6x2sbf66
Target ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71
SHA256 ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71
Tags gh0strat purplefox persistence rat rootkit trojan upx
Score 10/10


Analysis Overview

Score 10/10

SHA256

ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71

Threat Level: Known bad

The file ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx

Gh0st RAT payload

Gh0strat

PurpleFox

Detect PurpleFox Rootkit

Sets service image path in registry

Drops file in Drivers directory

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 16:58

Signatures

Unsigned PE

Description Indicator Process Target
(1 match; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 16:58

Reported

2024-05-25 17:01

Platform

win7-20240508-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
(8 matches; no indicator details recorded)

Gh0st RAT payload

Description Indicator Process Target
(8 matches; no indicator details recorded)

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx
Description Indicator Process Target
(9 matches; no indicator details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 836 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 836 wrote to memory of 2636 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2740 (7 events) N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2636 wrote to memory of 1916 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe

"C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Users\Admin\AppData\Local\Temp\HD_ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe

C:\Users\Admin\AppData\Local\Temp\HD_ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp

Files

C:\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/836-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/836-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/836-9-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/836-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3016-18-0x0000000010000000-0x00000000101B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\HD_ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe

MD5 1611a7dda9df7a034c8221b80975e08f
SHA1 526190bb41ef2b4ec2f56e455d92bc088881b8bd
SHA256 bb0c0802f48d77f4bcbda80d86f7b66e59e0e6672944414d11128ee907b4c505
SHA512 975c18a800a90541fa53442d491235f15065af0b6580983018f0cabdcaff93190700a9117fb62a336018bbcb25bc3ed26a9977a34174b248a957cc85cca91083

memory/3016-32-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 ab58828ed72ff670dd3b9b7993bb132f
SHA1 d105cdf120cf336e79a33d2ecc91ee3aba86bcc4
SHA256 1048f91f151b266cdb67296c3b89c16f58212bff23bf5b8b31184ed912440b15
SHA512 dcc3f9b626dfbf3e2afefd8c9f4ced183dcca6b693bd9650841459b65a099339a08b58d45753c149c00b5a0c58f7aa31d6a48f0181dd1a422936e437913328f9

memory/2740-44-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2740-68-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2740-70-0x0000000010000000-0x00000000101B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 16:58

Reported

2024-05-25 17:01

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
(10 matches; no indicator details recorded)

Gh0st RAT payload

Description Indicator Process Target
(11 matches; no indicator details recorded)

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx
Description Indicator Process Target
(13 matches; no indicator details recorded)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4364 wrote to memory of 2932 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 4100 wrote to memory of 468 (3 events) N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2932 wrote to memory of 2900 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 1984 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe

"C:\Users\Admin\AppData\Local\Temp\ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Users\Admin\AppData\Local\Temp\HD_ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe

C:\Users\Admin\AppData\Local\Temp\HD_ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/2932-6-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2932-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2932-10-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2932-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4100-15-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4100-13-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4100-17-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/468-23-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_ab7964ad3e3d116444fb6be1f8728c395e467b69b737965e86742ee9a2f82e71.exe

MD5 1611a7dda9df7a034c8221b80975e08f
SHA1 526190bb41ef2b4ec2f56e455d92bc088881b8bd
SHA256 bb0c0802f48d77f4bcbda80d86f7b66e59e0e6672944414d11128ee907b4c505
SHA512 975c18a800a90541fa53442d491235f15065af0b6580983018f0cabdcaff93190700a9117fb62a336018bbcb25bc3ed26a9977a34174b248a957cc85cca91083

memory/4100-28-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\Desktop\ReadOptimize.exe

MD5 5c4097ba4c03e67e2283354bc0f36744
SHA1 49c293db0286f3b5a3eac38fd71a1c1acd0ae389
SHA256 f11fc4baa8b9d13951dcb676b93bbd3c66aaa152725a391fe4f12e994e01fb3e
SHA512 3f9656b43e4e3f3ce5039c0d06c134a13f1a82e96b093fcd8610a34749f8d626c198dcaf063f080184f818052bcd685768ad636888d7ba7ef264552ad9c5a136

memory/4100-16-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/468-49-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/468-81-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/468-80-0x0000000010000000-0x00000000101B6000-memory.dmp