gh0strat | dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
Size

2.6MB
MD5

c8b200ca4f616fcc2195c8998a7b1d14
SHA1

0877f6e9ae978d76844f1ebb5962de5acc016433
SHA256

dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320
SHA512

fafea314c28ff53cfcd35f2250087fcfa3fb908f642ff2ebb4baa4312914f8b14f8f89659b701231f9204442add1eae15bd3171b09dc8291decc07e5244b462b
SSDEEP

49152:yCwsbCANnKXferL7Vwe/Gg0P+WhbXqIn:Vws2ANnKXOaeOgmhb6In

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx vmprotect

Malware Config

Signatures

Detect PurpleFox Rootkit 5 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/3044-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3044-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2792-44-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2792-46-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2792-49-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 6 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\259392908.txt	family_gh0strat
behavioral1/memory/3044-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3044-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2792-44-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2792-46-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2792-49-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatfor.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatfor.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

R.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259392908.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatfor.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 6 IoCs

Processes:

R.exeN.exeTXPlatfor.exeTXPlatfor.exeHD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exeRemote Data.exe

pid	process
1228	R.exe
3044	N.exe
2724	TXPlatfor.exe
2792	TXPlatfor.exe
2780	HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
1620	Remote Data.exe

Loads dropped DLL 8 IoCs

Processes:

dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exeR.exesvchost.exeTXPlatfor.exeRemote Data.exe

pid	process
2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
1228	R.exe
2228	svchost.exe
2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
2724	TXPlatfor.exe
2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
2228	svchost.exe
1620	Remote Data.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3044-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3044-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3044-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2792-44-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2792-46-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2792-49-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	vmprotect
behavioral1/memory/2780-50-0x00000000000C0000-0x0000000000146000-memory.dmp	vmprotect

Drops file in System32 directory 6 IoCs

Processes:

R.exesvchost.exeN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\259392908.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422821624"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000001069c6bf0121c0cc09d856aa4f838901b1ef4f48a9cd8d6cbe1e18e27eab2ff4000000000e8000000002000020000000b78c6f29022ccc015c2adfecf2b4eaee4a382317fa1a44676b9495b6f0369269900000004d3d8fde5df1262a6cc2df7b3262d4a3f5d44b3850814c7ca066dd81fd6c672934513c630cff62bd27cea4b871a17f63ef541fa920929ed31ab8c3a139b6a2f2bf4ffbdd598c8d50e7ec5c1e0e1355d96ff96187e8bb0b96c0a23744e82c323ec6df719e64ab25900709ffa9fdaf89c200152be883bb441065ec42d6ea323b0eb3c282c05a28a9f69502c3adce53e36140000000592410089a934eea52af4f13fa2bd4815e79960ae105cb0f492ae54c4cabda40831277e7f385120b13897a02823cb1b09b4eea6fc425731679261497e87177e4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09AA85A1-1AC0-11EF-A346-76B743CBA6BC} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50b46ce1ccaeda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000ec79674946d0444ac3b64246d46ab0b9e793f700b7c8a98f2b8200b854f2b89f000000000e8000000002000020000000177afecb0a95f468dbfe28fd72b61c5f48328642dfc2eb4e0adc9a2e5d7e05d1200000009e6c381eeeb3d284884920424e1fe0448816cc30272a6a53c546cab29d8d12b4400000008fd16cb7b364e39c06c1f8dc82950178104607be053344c476ed1ad16a3b36b2653b778381b51137d306751f6404ae4bbe25a14909564c1830d0dc8481977a54	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2528 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe

pid process

2028 dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatfor.exe

pid process

2792 TXPlatfor.exe

pid	process
2528	PING.EXE

pid	process
2792	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

N.exeTXPlatfor.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3044	N.exe
Token: SeLoadDriverPrivilege	2792	TXPlatfor.exe
Token: 33	2792	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2792	TXPlatfor.exe
Token: 33	2792	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2792	TXPlatfor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1952 iexplore.exe

pid	process
1952	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exeiexplore.exeIEXPLORE.EXE

pid	process
2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
1952	iexplore.exe
1952	iexplore.exe
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exeN.exeTXPlatfor.execmd.exeHD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exeiexplore.exesvchost.exe

description	pid	process	target process
PID 2028 wrote to memory of 1228	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	R.exe
PID 2028 wrote to memory of 1228	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	R.exe
PID 2028 wrote to memory of 1228	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	R.exe
PID 2028 wrote to memory of 1228	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	R.exe
PID 2028 wrote to memory of 3044	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	N.exe
PID 2028 wrote to memory of 3044	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	N.exe
PID 2028 wrote to memory of 3044	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	N.exe
PID 2028 wrote to memory of 3044	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	N.exe
PID 2028 wrote to memory of 3044	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	N.exe
PID 2028 wrote to memory of 3044	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	N.exe
PID 2028 wrote to memory of 3044	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	N.exe
PID 3044 wrote to memory of 2632	3044	N.exe	cmd.exe
PID 3044 wrote to memory of 2632	3044	N.exe	cmd.exe
PID 3044 wrote to memory of 2632	3044	N.exe	cmd.exe
PID 3044 wrote to memory of 2632	3044	N.exe	cmd.exe
PID 2724 wrote to memory of 2792	2724	TXPlatfor.exe	TXPlatfor.exe
PID 2724 wrote to memory of 2792	2724	TXPlatfor.exe	TXPlatfor.exe
PID 2724 wrote to memory of 2792	2724	TXPlatfor.exe	TXPlatfor.exe
PID 2724 wrote to memory of 2792	2724	TXPlatfor.exe	TXPlatfor.exe
PID 2724 wrote to memory of 2792	2724	TXPlatfor.exe	TXPlatfor.exe
PID 2724 wrote to memory of 2792	2724	TXPlatfor.exe	TXPlatfor.exe
PID 2724 wrote to memory of 2792	2724	TXPlatfor.exe	TXPlatfor.exe
PID 2028 wrote to memory of 2780	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
PID 2028 wrote to memory of 2780	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
PID 2028 wrote to memory of 2780	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
PID 2028 wrote to memory of 2780	2028	dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
PID 2632 wrote to memory of 2528	2632	cmd.exe	PING.EXE
PID 2632 wrote to memory of 2528	2632	cmd.exe	PING.EXE
PID 2632 wrote to memory of 2528	2632	cmd.exe	PING.EXE
PID 2632 wrote to memory of 2528	2632	cmd.exe	PING.EXE
PID 2780 wrote to memory of 1952	2780	HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	iexplore.exe
PID 2780 wrote to memory of 1952	2780	HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	iexplore.exe
PID 2780 wrote to memory of 1952	2780	HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	iexplore.exe
PID 2780 wrote to memory of 1952	2780	HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe	iexplore.exe
PID 1952 wrote to memory of 2628	1952	iexplore.exe	IEXPLORE.EXE
PID 1952 wrote to memory of 2628	1952	iexplore.exe	IEXPLORE.EXE
PID 1952 wrote to memory of 2628	1952	iexplore.exe	IEXPLORE.EXE
PID 1952 wrote to memory of 2628	1952	iexplore.exe	IEXPLORE.EXE
PID 2228 wrote to memory of 1620	2228	svchost.exe	Remote Data.exe
PID 2228 wrote to memory of 1620	2228	svchost.exe	Remote Data.exe
PID 2228 wrote to memory of 1620	2228	svchost.exe	Remote Data.exe
PID 2228 wrote to memory of 1620	2228	svchost.exe	Remote Data.exe

C:\Users\Admin\AppData\Local\Temp\dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
"C:\Users\Admin\AppData\Local\Temp\dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2528
- C:\Users\Admin\AppData\Local\Temp\HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
  C:\Users\Admin\AppData\Local\Temp\HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://jq.qq.com/?_wv=1027&k=a1Npzmf5
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:2884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259392908.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1620

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
4cd561e8c82fa0300c71aba82ab8e07a

SHA1
375a0828ae929a65a907f06ae259163bb2f1d205

SHA256
1d317987f13b29867a7e8084a91c57d5bade86ecd8e153aa37ac6897058b0bb8

SHA512
4e9fae674b6c3b1c7d5a8a8d2faf565168db0669a14d2f74eb454fae5aa1a8a34a514677d9aefa5e2bfd8894a54cd0bd4524aa79b4db3db423647c150602cb48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
abd516a6c3ba20dc83bb6d2ac9e1b32f

SHA1
4dd27f9328912e3cafc3e8b3cd93186b12fa65aa

SHA256
34b0a175f630aaba314d8f16aeec0d86efaa9101f755a65c776a99bb04bf5b4b

SHA512
bb3735a6e356caee7676ab9e354f26d3e29e3642d16fb4b2d7bb69fb6cd737175a9c3ec4a35e8ff66eeafb6ebb0a06f32a0498f927f5f4496002dbe79d1f7f28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c79b6936e5e67c728e7c2c4c551e5717

SHA1
3a86e19d9770f933a8d2636ba0e24e7ba25d21ec

SHA256
7970f719cfd69d4bd0b3518b923b71de8891373e5ef5b555875bbd8e356cad0d

SHA512
826f5abe3402c77a04d71ea9e82fe9cb9a2782d2e0619557bb76ad1ae24c1ffe158eb041a229c191d7b03ca733d8b13953114e2b3c110cd257d0480958298409

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93d868fea8592b9067dc7a49ec14c620

SHA1
4e7bc00f3646a2d28325d1ee29c7b50f2198fa3a

SHA256
099564bf94d92d90e29b40d098601802d81ba8dbc08cf14fc9826659ca2bf70b

SHA512
9a503954e5e480ab2e248c17fe8add82828e85e044763ca27212c2cacb3fc246b979c8ce524279ccbf6c2be4c460a23d5e6ae80fed23f0f9a614aa3be47ca52d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3197890b42108c560f91adf4fc5a41e

SHA1
733b6f0af4223df8ad91685a1134c16190b0a3d4

SHA256
b989ce2ccffbe42f64df1533037ab4b74575de59bf93df28099e16a9a8dc4df4

SHA512
215dd9a78fb4bf3208456fc8bf98ec424bdc40ba88a5db6d17f2b4769ce67039a9a0eb77f7c00fee293bcbbf16d50c7854b2806cc9fc819a4130dfa62d15131a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e2d71e57ff331fdb24294877fa2a3d0a

SHA1
ca113865b896ffe814c5472f4ce0b5fa4d7f2ffe

SHA256
c0dc7a0bb3606b001e5d2076afe73fdb8d6b517f081ebb368a887c4b4afa985f

SHA512
269cbf39e24a79c181ad19e882381737efdbdfc2eb962ccbbcb872ce8f322dac6e002774180019c645fcbf8e95277f7eaef954193197ddffd3e33e1c93293010

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99762f59540d545ec69ba453a7568642

SHA1
6b2eb337ff79cdb728694e221483d61b19b9b2c8

SHA256
9657e48179433beffef4caa5596c92bd5b572b9633f728c34d707f6861f1c664

SHA512
e828594896a177509e5b1f18a6ea059301076ab404defd61562e8d7c4b60b1e081be71526617d0605dd336dc941b9a8e99ee3e94d53119b4752ced4c0e7b172b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
580b9b7f7b220447148471b32700c5b9

SHA1
56364bfba4d38a0755ff69ab913d36035b5d13fb

SHA256
5f2b15ed7d5a7f9e2edcf158f52a2bbd4f723734f16e628087c7ee942cfd568c

SHA512
4e84b37482b3df03a63da89c93b6a793633cf351a089215927c608ab86732d6ddece97a1887d589b2cdf9e648911387db0b2194ba22e19a58dca64539ee81098

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
757b3d7d995d51916ab0d28fc707e50a

SHA1
270e047236a781c8a0c48c584dcf8c479fee1cf8

SHA256
5114ee7a2d5fec59425b30939c1c5777310477bcc2cdaedf9720133d636561b5

SHA512
e85149bcc99a27c5b74d88f342b523db18733360645576f3bac6b5281b435fb12957723eb12836bfa8cd9d39cfad2e52666fda78543f20b502f9c9cb7c475490

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
404235693fcf26de21e029a8da7bbad9

SHA1
ef1f52481f8c27d13727918298c8975cadef21c3

SHA256
c62627b3351266880ea9afac6c4859a676bc617ed608fbefa80e97cfd80bdc15

SHA512
c31f298e53b2ea56240e490804af1f45ee0e59d25ad7b0c03c36a2b9d42fb3565defd00b94234da50e6290dc9790d587375ad5392bf6edb7bb9e7bf0b426d0db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb7c05348d3be5463501c7d010a47488

SHA1
566301e3f442c1c4538baac4d2edb4d7521f12b5

SHA256
ac2bc08592050eae08a093b8b77cb7ef90ee8105a7135db0277086578c86288a

SHA512
8ade85aedd1169e0f015b9bd0e063503f2e1de031770460d26b6cce0700ad10c47363b911828fc104d26e647a9131375aa2c7c4f8656c19a9a4a0415b8960075

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8152d43a95b562fa4e40733df4e3487a

SHA1
aa7a05c0fd1396bcf2869f3ba0693c674cb5872e

SHA256
4e0340a4dcc4cd9bd26ab1b43394435d3cf1cbfce13533c37a7aaaa317779dab

SHA512
7a133229d7d44422a04cafe792523efec4f3e8970db71873d56350e54b3d76c431e683ea77b3211a9262d73636859fecaddc71178817c132aaff6a0bfaa5c8e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
146eab41e4d326aa466c804ac432187a

SHA1
37116a4576a6a81609e917254932e1943a307e81

SHA256
83868b1889133b9bb22b1dced1747db5e0d26b7c601ef5eeecb7d3e011b11f63

SHA512
f90cd74a0ec2f1b834e27ea8476369cf40062412d6862565a347f26af37a2ca3c5a38eb9d268bc4bca8b3ed1358bc86206c3b9fd9517973d17d344c00a71d5f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c67979a1097c8cdbff9146461edd338

SHA1
357f3e6dc840563b587d97773a3888fcc0e8a63b

SHA256
ee1777098681db75761346de5f715157f7e45bef413efb53047a332297f0e206

SHA512
55299f5e52ee258e9f6c86245105033d5226d3fa1174fe1cd5527e40eee85099fbd5613246b813899796173b27f312ac26cbba76987305a1d08730859103a83d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89f624b5baff1d52db6e238a3c165544

SHA1
07aff775c656bd48f92f4f6a47a24ac6b9423917

SHA256
1622a07f0a8ee15d91e9494524d09467babb5fd85f67f103c132a9de0fb66455

SHA512
2ead1695a6aba0c3c837ad306f43f14c6982863fec9529f4340bd9d205c7612dac78ebc65efe08e8b95a5ef6d0a8abafbec2dfd8c99f70f51f6acc9d23cabaf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e36cc3a8f993c684c04b93a4baadd05f

SHA1
21b2aef716bcf8b52458c835bde8a98b39ba7c1f

SHA256
4ef6bbd4935a9610d0e18a6ba498a2e9bcc28b73a9d65cb1ef5b3979c25de7c1

SHA512
775a5784f5fad530cff32ebfcd189b33506737c8d9296eebe12553f71b81c79c733c5e0afb1947af96c990ececf7028231c190588aeff18eaabc7cd1c45a6783

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
511444e6d0d6619b3468e8f2f52497d4

SHA1
85b0e87956ebcb6639f084a736f3fa64eaea9a18

SHA256
ce4b505fb4f1014ce6017dd6a169ae191aedeb7c790636745666b0155ca0785b

SHA512
8d2cfe75e7c25c7a79b6886579390090d98620baa37301a2f84eae70bd08c5768549546685f4cdd2bd41cd059c0eeb88769f7aa65f5fa399f99af2dc7baa228d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
064fa0bde8048a0ffd65d07de069d5d8

SHA1
9380355f6d622fa3ea70dfba688bb41e678631a8

SHA256
ce084b6b1a8c2b1a2db11e22f90a7bfc54be7eb0e04ea010c4473710c85b9a40

SHA512
c049235c122e50829cf60dd616e86a8722162dc3f4aeec1362918d01be964ac91136031a7ee423f8e43231a4fdefc3dcf5a23bf8b93abff9930b2b37358be7d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7682ef9789b679a697dcaaa43329a002

SHA1
3291bbb6ebc5534c9f5c2cca032bc3f47dea7e7f

SHA256
4a28b11bd4b56ddb653041f22002a38aded76879e02a158e002e5067c0199c58

SHA512
e7a5381743546739c6de72fdb9d1462678679e107271cc7fac7fa0ea209c7b66df3d6609a71ad25a7fca153f202e486c103625b8d0ccd1543ddae1f27c8c68de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be233de94d45a65d940de4718a06d1aa

SHA1
cccf57e07d0f32802dd7997bad488b4d6ba5ec24

SHA256
53b50d2db0a1aa9b7ed1d4c3ee1e39e6faaea6b8945103600b3a2a77767d2766

SHA512
1d95a1216a466f7533c8c747b9e1e6019d53881ba9db2a0e1d70dec1021b3615ddadc1b39948acfe1a0908471a761bcb06d35813a1b968bfe5a3b222965f1d4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ad93d7351751e03cd94e524836fdaf6

SHA1
13204a7dc81b1cce5713ad8042d9240142ef2c53

SHA256
b737d1ba12c4269919922b23db4d55a7c2243709738c1c607249ae7f1ebff6ad

SHA512
58142509912625e3c93ec97e8b3972f1322cc0f7a751168d4405ed5e89be676ef77935ce87eeb629c55a9038288039b60213cdbd9f4c65e60f61ae06fe8bc0d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da64e246443bf21142544251dcd03267

SHA1
9a2055ac4abbd6b77853a88ea28049da1e65d3e0

SHA256
b0b4a916b8cd86638d415eb3109f97d5e4075c578d03fd96cc24709655ecddad

SHA512
625b0fc506b6f8a197f36493dd193105e70798481d9d3e9dcbc52a71e5cb1ae68cc0f682e6ff4058341e67cc64b43d7baef46639518d11960f774d53452a2b38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
82f4f50f44525cc18ee2d069a9b124d5

SHA1
d4387c442d6d124fe696870a3f865235919bac3e

SHA256
bc6fb4c7d0de5003edbbde559489fca6337bd9d490ab4c354bfff348be29b476

SHA512
f3dc2e02833a9f1287148ddc0a19a1e2799cbef84cb5b46077cf031ca424de3205aa44cf9d2c8bcf2cde88ff23972f2b87e3d4f72dd3f63140c059a413eec742

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3728.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
2.3MB

MD5
232aa6a6aaba5a6c0177a608f5feb2a4

SHA1
730689a1fba1d9a7a4568e6ee8c1b0f78e05310d

SHA256
5050790a5de5238740494f788f086f53132c98dc4efd539a2eb7668bd43376db

SHA512
3ba99df31406f66e37fab5f15f7466ebbeb9f7b0b628511e8818ac507de687ffff11b670f9e89c0847430a725004ea822f550cd5437c69ef3894c3e32a94e28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar373A.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe

Filesize
306KB

MD5
a628ce62a6c3da2e4b85062be977ac68

SHA1
78d71dc33db5a37f4ea0c9d2acea86ed438d2fdc

SHA256
d32f06b47ba2e4ba0fe9b5ee6be8f6047118c5fa8bb37d130e32999c83c0df71

SHA512
3af191268d4a87e3aed00ecf359f53fc7658ee25a718f0b98fe1cf299688acecb91b92591b913feb0eed3d4dbde7d3526137f3e40cb09bf45c556f96f0748cec

Download Submit
\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
\Windows\SysWOW64\259392908.txt

Filesize
899KB

MD5
84756f77126d1e15d6d4457bcb38c918

SHA1
3897da2268f4bda7dc69589fddc1e2586c22fac5

SHA256
da21b689544619588cbd3ca1edfebd94888915c4bf107f35b91cca81e2305915

SHA512
4a03e1cd1df5c1fad8fe4d799067f97a7b41113303895957c36c7713de6f6bfaae2af94e9504a738ff22b8f0bebd7bc22194bfd4901b7eb91c8402861ba4d5ee

Download Submit
\Windows\SysWOW64\Remote Data.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2780-50-0x00000000000C0000-0x0000000000146000-memory.dmp

Filesize
536KB

Download
memory/2780-51-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/2792-46-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2792-44-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2792-49-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3044-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3044-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3044-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download