Malware Analysis Report

2025-01-02 15:21

Sample ID 240525-w2k2radd61
Target 2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid
SHA256 508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96
Tags
gh0strat purplefox persistence rat rootkit trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96

Threat Level: Known bad

The file 2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx

Gh0st RAT payload

Detect PurpleFox Rootkit

PurpleFox

Gh0strat

UPX dump on OEP (original entry point)

Sets service image path in registry

Drops file in Drivers directory

Sets DLL path for service in the registry

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 18:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 18:25

Reported

2024-05-25 18:27

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Sets DLL path for service in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259429023.txt" | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
File created | C:\Windows\SysWOW64\259429023.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A
File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | N/A
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001f087631ac7e1b43b4c420322c5fd4b50000000002000000000010660000000100002000000056ce7b8df6883c965000844c528cb404bad605ca360f5f5e11336411f4bf5078000000000e8000000002000020000000a43378f3c15e2d595d644d5900d9d93040f2b810dadc3a89ce9b803ee31fa2e190000000b395c0bdae45821525981636f9d251a61b6731b4ec3bda9617eb5913bff86b32776c46804fb6ad340bc2898041416b68dfe9be9296ef20e8bfab15e966652e30d735677b23a7bbcb1a2d3dd23057caed5b8e2d8a363565d7926e6eed1753f8167a3b88d09431326cbbb40962efacaef331dd04da0455cdcb5e276fd0d517543e7e21a89471b4a5d091c1ffb2ce9f5a7f400000000726a58beba6e02caffcc8bc2bb7df35aa2e3297603bf787f4d365ee874bbf606072cf832774277afb909176c5f0a0e3d5007586da85b9bef2c132bab6df2342 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001f087631ac7e1b43b4c420322c5fd4b5000000000200000000001066000000010000200000003e31fe3452e54bbefb1e17285599badc947c1d168a796f1d034ea8419c7b1929000000000e800000000200002000000018cfe74134b00d5fb79c07ab909b907de382ccb370159a6fb21370cdc37f4e1820000000667848aa3406f81e9dbe74623a857ad5d3b2f158cb74b54007e5f5608aacbd5f400000009f5cf781a7411673f11bfca56a00e39b4a595da2e4852d756ad4c4dc487bd47752a2489f84364b35f105c1c8c8bf038549724b30b48d14317aabbcd2ad0e989a | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{303D4281-1AC4-11EF-9CBB-52ADCDCA366E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d022df08d1aeda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422823410" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1288 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1288 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1288 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1288 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1288 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1288 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1288 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2504 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2684 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2972 wrote to memory of 2684 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2972 wrote to memory of 2684 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2972 wrote to memory of 2684 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2972 wrote to memory of 2684 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2972 wrote to memory of 2684 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2972 wrote to memory of 2684 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 1288 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\svchos.exe
PID 1288 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\svchos.exe
PID 1288 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\svchos.exe
PID 1288 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\svchos.exe
PID 2700 wrote to memory of 2052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2700 wrote to memory of 2052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2700 wrote to memory of 2052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2700 wrote to memory of 2052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1288 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe
PID 1288 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe
PID 1288 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe
PID 1288 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe
PID 2596 wrote to memory of 2372 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2596 wrote to memory of 2372 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2596 wrote to memory of 2372 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2596 wrote to memory of 2372 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2500 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2500 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2500 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2500 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 832 wrote to memory of 2804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 832 wrote to memory of 2804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 832 wrote to memory of 2804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 832 wrote to memory of 2804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Users\Admin\AppData\Local\Temp\\svchos.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe

C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259429023.txt",MainThread

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://support.qq.com/products/285647/faqs/88645

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp
CN | 124.221.111.140:12151 | | tcp
US | 8.8.8.8:53 | support.qq.com | udp
HK | 43.135.106.244:443 | support.qq.com | tcp
HK | 43.135.106.244:443 | support.qq.com | tcp
US | 8.8.8.8:53 | ocsp.digicert.cn | udp
US | 8.8.8.8:53 | ocsp.digicert.cn | udp
US | 163.181.154.234:80 | ocsp.digicert.cn | tcp
US | 163.181.154.231:80 | ocsp.digicert.cn | tcp
US | 8.8.8.8:53 | txc.gtimg.com | udp
NL | 43.152.42.15:443 | txc.gtimg.com | tcp
NL | 43.152.42.15:443 | txc.gtimg.com | tcp
NL | 43.152.42.15:443 | txc.gtimg.com | tcp
NL | 43.152.42.15:443 | txc.gtimg.com | tcp
NL | 43.152.42.15:443 | txc.gtimg.com | tcp
NL | 43.152.42.15:443 | txc.gtimg.com | tcp
NL | 43.152.42.15:443 | txc.gtimg.com | tcp
NL | 43.152.42.15:443 | txc.gtimg.com | tcp
NL | 43.152.42.15:443 | txc.gtimg.com | tcp
NL | 43.152.42.15:443 | txc.gtimg.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 a4329177954d4104005bce3020e5ef59
SHA1 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

memory/2504-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2504-12-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2504-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2504-6-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2972-18-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchos.exe

MD5 3b377ad877a942ec9f60ea285f7119a2
SHA1 60b23987b20d913982f723ab375eef50fafa6c70
SHA256 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512 af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

memory/2972-29-0x0000000010000000-0x00000000101B6000-memory.dmp

\Windows\SysWOW64\259429023.txt

MD5 90ddc22d46131dc52afa92fff0a8abd5
SHA1 e1a502bee584903b4370f703f5db2026e5ff93e9
SHA256 1786b75f1d97156af64c7d37f3968b8e39a8ba4fca1092102b6fb3f192a7ff9d
SHA512 fa9302fe8644dab2f955132323d6ca19a18a47436e088dccdb3617eaae6fe9370e7ae483224960243810622c649d038cb6bf503104983b280bb3f8977c0f8d20

memory/2684-33-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2684-38-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2684-45-0x0000000010000000-0x00000000101B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe

MD5 ab5e6b6b4d64a08b7daeca9e8cbfc0a1
SHA1 929aac76bbde2bc56ba4b644895b44efc63c68d5
SHA256 5b142673c19eed6f5b7023eeaba3585784f6d46da8746d5c2604a1a1b1f7f409
SHA512 6523f5d8d6dd9aa8a8793e856c4629b5d664659f1193123a890e74ca86dc90e60099bcbd7d3f69f93bff5b14808eda3c3ebb9808de3bbd68d513645a9a071441

memory/2500-52-0x0000000010000000-0x0000000010116000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 6e63c6b990dce1307432d21aa52ec946
SHA1 3c14653ed90f7201e7acd329a31a4050aae01998
SHA256 21d91ffeea7893738543006d409964139aae06428e7ccae1e73555ff4c81f44e
SHA512 989e55bc8ef4f05f945ebe44db3a9701a195d1ba35c2cdf848ab1205d61fc4035593bd753377cd2f4125f7801276520accb297e633cd32d1cd1faceb6e9130d4

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

MD5 df30244ca6b73727827d8e6c61b72373
SHA1 b624486fcd815b98e25f10ed32a679aaf0df89b3
SHA256 0e8d6899f0681fc90346b723583878780addb00b321cfddad6c35b3ab2b9e6b0
SHA512 e0dc30e024546462a3ef602085c33087e6b8223c2d4d6cc410c2ea36e284d381793df8ad5eccbb1c46fdb59b16e14ad58cadcad2abecfa469a503a4406cc3d32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

MD5 433e765e288bb1625b1c590e65683034
SHA1 5b07a7c519b6e8a630c39eae1d719e69d19cee48
SHA256 0338b3cb94a236331503ab2ffc1e8e1ea199dac290254d53a843858841baee15
SHA512 681f4f9cfae2922779f4933122cee79b21be46451842640c069e7cea9b9f3aeee8ec57dbad5f46fc964c356b426c707cb6f287dd6861a50cfd50e1358bae213d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_7108AF76772455C9981D714062ED8BA5

MD5 e7fb23c3d4f565a7bd2339c48a31111d
SHA1 127f94fa5d63b696be62378dab5e92e70862485b
SHA256 735bc169508922bab7d9dc1484c2bee44af0d9db6dc26fb71b150e469f92f16d
SHA512 d1b749451ae463f40448235408436fb488e2ec688b42b4a63467c75c672227e82c8c30e0d53e8d6b0514a592078104bb8f20174bf0ea921427f4cd0187e0b31c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_7108AF76772455C9981D714062ED8BA5

MD5 c4104f43a143d58f484914f847c47056
SHA1 26d5b3988dd25ccf27b1cea1f3e965561757c498
SHA256 18cf0129c0550bfb09567c18aeb7b993e1b2327efeaafc6d1c158caa2c5733d2
SHA512 8ea5f5687227b9ab71b187d6d2fefba17719851ec5a79eb1896f23ff91d87dc05d693fbf5803a7848fb5c2eb10b233590fdaa4434c087f7045abc8585c69eac9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\favicon[1].ico

MD5 58542960a51a1d97446b524f7d53015c
SHA1 fd26cecc488203120ce8215961bf4e6ac1d65ad3
SHA256 106fde347539d8e7c82eed9d38e0b536b2185a8424f356c3da93e1b72ed3dfb6
SHA512 a7057661bdf4b3d68f4d83f4d245ce30a11ca4c500509a6240867b9e7cde9eaaaef3d1324f12c2cb6b81b5b739bd4a615fceb6c476907565b69fb7026cf59ccb

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q905y6j\imagestore.dat

MD5 f4edd7b90c9874692418e9ac455666e6
SHA1 cc3e6dc4bfa8d0c3f8cc6da0b5c2ca350d0ec984
SHA256 6d8939db418c84a25a5cbf823575033cfb89dc6ee7fedd02ed1a7f1d1b7776ac
SHA512 c0356aeba6a2030227a43824949fdf645399ab04aee714a845394693e581738ab4db8e75d383496e2ef2d04168d0c684bf8876cc7964b379a16118727d1888a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e5bf49d05a726dbb2f144a71c9434a6
SHA1 12f55fcf1a5df45a3bc6367818fcefc9b9a750b4
SHA256 4daaabdc3da86b53c6a865b8df14af372298b113a4669614aca0dda3936ebfa6
SHA512 c3022bb6e5295d2eda577600f8ecfc9fac3e3b872484e412fce8955bece921b5a49460567de690812059c9a7d8fcd92a0cf70e92480cfa0d07484f264938ce11

C:\Users\Admin\AppData\Local\Temp\Cab22DD.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar22FF.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar240E.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 18:25

Reported

2024-05-25 18:27

Platform

win10v2004-20240226-en

Max time kernel

156s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Windows\SysWOW64\240668140.txt C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5064 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5064 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5064 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe
PID 5064 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe
PID 5064 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe
PID 5012 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 4460 wrote to memory of 2592 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 4460 wrote to memory of 2592 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 4460 wrote to memory of 2592 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 5064 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe
PID 5064 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe
PID 5064 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe
PID 3448 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3448 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3448 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3040 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Users\Admin\AppData\Local\Temp\\svchos.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe

C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://support.qq.com/products/285647/faqs/88645

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5052 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4896 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5552 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5876 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5216 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
CN 124.221.111.140:12151 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.204.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 support.qq.com udp
US 8.8.8.8:53 support.qq.com udp
US 8.8.8.8:53 support.qq.com udp
HK 43.135.106.244:443 support.qq.com tcp
US 8.8.8.8:53 244.106.135.43.in-addr.arpa udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
US 13.107.6.158:443 business.bing.com tcp
HK 43.135.106.244:443 support.qq.com tcp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 2.17.251.21:443 bzib.nelreports.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 2.21.17.194:443 www.microsoft.com tcp
US 8.8.8.8:53 txc.gtimg.com udp
US 8.8.8.8:53 txc.gtimg.com udp
GB 43.132.64.188:443 txc.gtimg.com tcp
GB 43.132.64.188:443 txc.gtimg.com tcp
GB 43.132.64.188:443 txc.gtimg.com tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
US 8.8.8.8:53 21.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 194.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 188.64.132.43.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 43.132.64.188:443 txc.gtimg.com tcp
GB 43.132.64.188:443 txc.gtimg.com tcp
GB 43.132.64.188:443 txc.gtimg.com tcp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
HK 43.135.106.244:443 support.qq.com tcp
HK 43.135.106.244:443 support.qq.com tcp
US 8.8.8.8:53 horizon-assets.qq.com udp
US 8.8.8.8:53 horizon-assets.qq.com udp
HK 43.129.255.239:443 horizon-assets.qq.com tcp
HK 43.129.255.239:443 horizon-assets.qq.com tcp
US 8.8.8.8:53 239.255.129.43.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 173.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 aegis.qq.com udp
US 8.8.8.8:53 aegis.qq.com udp
HK 43.135.106.244:443 support.qq.com tcp
HK 43.135.106.244:443 support.qq.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
CN 43.137.221.145:443 aegis.qq.com tcp
CN 43.137.221.145:443 aegis.qq.com tcp
CN 43.137.221.145:443 aegis.qq.com tcp
CN 43.137.221.145:443 aegis.qq.com tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
CN 43.137.221.145:443 aegis.qq.com tcp
N/A 224.0.0.251:5353 udp
NL 23.62.61.97:443 www.bing.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 support.qq.com udp
US 8.8.8.8:53 support.qq.com udp
HK 43.135.106.225:443 support.qq.com tcp
HK 43.135.106.225:443 support.qq.com tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 225.106.135.43.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Windows\SysWOW64\240668140.txt

C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

C:\Program Files\VideoLAN\VLC\vlc.exe

C:\Users\Admin\AppData\Local\Temp\X.ico

C:\Users\Admin\AppData\Local\Temp\RCXD88.tmp
