gh0strat | b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
Size

4.0MB
MD5

c3cafe552c05806b82a04351a605e461
SHA1

e1ea22d087fa96397a2fd464c75373f5e543c521
SHA256

b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28
SHA512

9eab74b15d74a6d7fb992abf342b45dffbca1fffc0e80f5276986910d56d8f6c341c3539621dfb924346881aed70be2e0f9392f75cbed803ca14410631364c18
SSDEEP

98304:WGdVyVT9nOgmhnU/o/atXpuzeaXCY2Ohkgk:FWT9nO7yAJv28V

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 9 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2044-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2044-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2044-9-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2020-40-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2704-36-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2020-35-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2020-32-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2704-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2020-46-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2044-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2044-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2044-9-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2020-40-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2704-36-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2020-35-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2020-32-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
\Windows\SysWOW64\259398758.txt	family_gh0strat
behavioral1/memory/2704-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2020-46-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259398758.txt"	svchos.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 6 IoCs

Processes:

svchost.exeTXPlatforn.exeTXPlatforn.exesvchos.exeHD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exe

pid	process
2044	svchost.exe
2704	TXPlatforn.exe
2020	TXPlatforn.exe
2540	svchos.exe
2496	HD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
2216	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Loads dropped DLL 9 IoCs

Processes:

b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exeTXPlatforn.exesvchos.exesvchost.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exeHD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe

pid	process
3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
2704	TXPlatforn.exe
3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
2540	svchos.exe
2592	svchost.exe
3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
2592	svchost.exe
2216	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
2496	HD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2044-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2044-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2044-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2044-9-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2020-40-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2704-36-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2020-35-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2020-32-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2704-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2020-46-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchost.exesvchos.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File created	C:\Windows\SysWOW64\259398758.txt	svchos.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe

Drops file in Program Files directory 4 IoCs

Processes:

b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04f855a33afda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba5fd3c6813b54b85183992b57f929400000000020000000000106600000001000020000000783e177e119c8ab94ef9f561d1617d85cfd4f331337a4f6803b46bf6001cc2b5000000000e8000000002000020000000e0e4fc6663ef20a3e5d58e3c180d1573b196324b9c07e4dc0e903e0ecc7380cd20000000d39c890fdc1a51be3d6a6e57642b73a5be8c343ad98c0ae3e9f6fbb3fa8cd7a44000000035a604bf9ba5d849e994333aa066c5fdab4ccaf7f2156a40470ccfe84facb4fad3a68bf76e1a751cb6ba45efebbcc04e33bf94595e951443fa417a956d5a3160	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba5fd3c6813b54b85183992b57f929400000000020000000000106600000001000020000000c2382d33e42bef9677e67d0280fe5e280cad73101ada73973a772b5d1ff9a828000000000e80000000020000200000003243ff6db6fa08bc4334449f2e179940ce2e7a8576b04216b2759ff7393958d390000000437fceb3cb3b788d690f243800c1f61d0232578d6216c20e95a7114c4ffb4dc72c36f9c1985a1c10614ad1a9b6812755ed9b05cdc5e74575250142fa0b326f4cb4642808a04c709a80ee9010d383db5cbbc3c2247e015972f1eeb406e13c8f310b6c7a0c4695a2611227c2a6c2b214af10e941c7ec39476a139ecadcbb82f947e792d7ca584a036ce886d752595e3ddd40000000028110ed31bec1e87d411014f3ef3443303cbd1c3736affb42bc9f6c361b75d7040d968e9c445516ef75b914410d4d12f95d96a64fdeb7b14451a28f06cb4168	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422865536"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{466833A1-1B26-11EF-8221-D669B05BD432} = "0"	IEXPLORE.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2432 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe

pid process

3048 b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

2020 TXPlatforn.exe

pid	process
2432	PING.EXE

pid	process
2020	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2044	svchost.exe
Token: SeLoadDriverPrivilege	2020	TXPlatforn.exe
Token: 33	2020	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2020	TXPlatforn.exe
Token: 33	2020	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2020	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1644 IEXPLORE.EXE

pid	process
1644	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exesvchost.exeTXPlatforn.execmd.exesvchost.exeHD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exeiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 3048 wrote to memory of 2044	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	svchost.exe
PID 3048 wrote to memory of 2044	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	svchost.exe
PID 3048 wrote to memory of 2044	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	svchost.exe
PID 3048 wrote to memory of 2044	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	svchost.exe
PID 3048 wrote to memory of 2044	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	svchost.exe
PID 3048 wrote to memory of 2044	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	svchost.exe
PID 3048 wrote to memory of 2044	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	svchost.exe
PID 2044 wrote to memory of 2768	2044	svchost.exe	cmd.exe
PID 2044 wrote to memory of 2768	2044	svchost.exe	cmd.exe
PID 2044 wrote to memory of 2768	2044	svchost.exe	cmd.exe
PID 2044 wrote to memory of 2768	2044	svchost.exe	cmd.exe
PID 2704 wrote to memory of 2020	2704	TXPlatforn.exe	TXPlatforn.exe
PID 2704 wrote to memory of 2020	2704	TXPlatforn.exe	TXPlatforn.exe
PID 2704 wrote to memory of 2020	2704	TXPlatforn.exe	TXPlatforn.exe
PID 2704 wrote to memory of 2020	2704	TXPlatforn.exe	TXPlatforn.exe
PID 2704 wrote to memory of 2020	2704	TXPlatforn.exe	TXPlatforn.exe
PID 2704 wrote to memory of 2020	2704	TXPlatforn.exe	TXPlatforn.exe
PID 2704 wrote to memory of 2020	2704	TXPlatforn.exe	TXPlatforn.exe
PID 3048 wrote to memory of 2540	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	svchos.exe
PID 3048 wrote to memory of 2540	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	svchos.exe
PID 3048 wrote to memory of 2540	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	svchos.exe
PID 3048 wrote to memory of 2540	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	svchos.exe
PID 2768 wrote to memory of 2432	2768	cmd.exe	PING.EXE
PID 2768 wrote to memory of 2432	2768	cmd.exe	PING.EXE
PID 2768 wrote to memory of 2432	2768	cmd.exe	PING.EXE
PID 2768 wrote to memory of 2432	2768	cmd.exe	PING.EXE
PID 3048 wrote to memory of 2496	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	HD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
PID 3048 wrote to memory of 2496	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	HD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
PID 3048 wrote to memory of 2496	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	HD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
PID 3048 wrote to memory of 2496	3048	b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	HD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
PID 2592 wrote to memory of 2216	2592	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2592 wrote to memory of 2216	2592	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2592 wrote to memory of 2216	2592	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2592 wrote to memory of 2216	2592	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2496 wrote to memory of 1200	2496	HD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	iexplore.exe
PID 2496 wrote to memory of 1200	2496	HD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	iexplore.exe
PID 2496 wrote to memory of 1200	2496	HD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	iexplore.exe
PID 2496 wrote to memory of 1200	2496	HD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe	iexplore.exe
PID 1200 wrote to memory of 1644	1200	iexplore.exe	IEXPLORE.EXE
PID 1200 wrote to memory of 1644	1200	iexplore.exe	IEXPLORE.EXE
PID 1200 wrote to memory of 1644	1200	iexplore.exe	IEXPLORE.EXE
PID 1200 wrote to memory of 1644	1200	iexplore.exe	IEXPLORE.EXE
PID 1644 wrote to memory of 2376	1644	IEXPLORE.EXE	IEXPLORE.EXE
PID 1644 wrote to memory of 2376	1644	IEXPLORE.EXE	IEXPLORE.EXE
PID 1644 wrote to memory of 2376	1644	IEXPLORE.EXE	IEXPLORE.EXE
PID 1644 wrote to memory of 2376	1644	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
"C:\Users\Admin\AppData\Local\Temp\b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:2432

C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2540

C:\Users\Admin\AppData\Local\Temp\HD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
C:\Users\Admin\AppData\Local\Temp\HD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/
3⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1644 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:2440

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259398758.txt",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
1c98bfa6997508594d99fd3ed12e595c

SHA1
b4d24239b19c96365ee73feac13aea57ab93375d

SHA256
5eab80a57e35e6f61f7f8ca7d06a4bbb564ac060e5fdca66ff8be910f07cfca6

SHA512
aa4585a0a786976b2eaa91ad96dc8a8b38bc8a16b35206101058ce9a398032a76b24fa4904152926b502f7376e0f31aa89b16325058e06f5106a238b67a4bd15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
974a18b5a95309f36c726cc0f3bb0b19

SHA1
16ee2392e78921eb84b96724ab5c598cad633c29

SHA256
9fd0ced1f1bcff20b0bcd8856503c2cbe5eff6ba6b063bbb62a3f29c59d8d553

SHA512
db1223ad101078241b0d50c4ff9fb226c897e2b43dfca989051c273607c477447ed9e2a134159ded176a3612c943d69339f1e2be91ebc9b94446d688c5c89fd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
682b26a337762d6bb4178069c04b8d2e

SHA1
19ba0546834e0002d3237c3e36e04ddb0ec03553

SHA256
4b2cb030b8277fa598ac3741391b9abe539ab0cb86386c0d333384ed94215958

SHA512
c0d6ca9e0df86337fb9202b0d088179abe32e03bad41ea748ca2fb7afc954b2c89ace14bc50fbb710dd3fafe4d5b285611808305bed58303da1eab2eb9482ab6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0b2cafda10e919c6e727a4c57a97dbf8

SHA1
503208c53fa8e31c23a27bc707177afe98ecac7f

SHA256
c1985d7a3358d88527c05d6bb1a3606e3edef39cf6d1b378c1b0eedb1bb81282

SHA512
3f93ce2de6c1bb3cb1244bee8a1240b7b77fa851c12ba7fb833403b28dc7800ebde09b580e6da09fcb771d26dcb3a620df71fe98037444f957866aa63dedb263

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c04661c29bd2131d0d0c4f1d08ae3f0e

SHA1
25bfe8da1527cc9f20e3db86f8de868b96a2eb95

SHA256
f4431ca9c426d028848dc2529c9fb37bc470c08565b83117a56c2421fe48bc88

SHA512
a3f116487425a199e840f752420bf537acd808f34d7298523ee1b67a028d4e0d436eaf95723d06519d6898f3504e3d56af3719f9c94b1b4a0012aa344a74f8aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
802d168f65f30bdd71a2a3a18a2bf0af

SHA1
734cfdb965d65a485c5ffe23f9fefae4e97b4a8a

SHA256
be9967adce055d648f5cd3935f643511852eddb8d59817e765c1de9a9443d3c4

SHA512
0d67a3d11d1a56b5d3e46dc67fb9bd9622818d22e0151e30ccce1b8ae98d42b708f23670842546f9f6b9de5b8138e7c27941ffc9e9bb82ad7da267972e941e7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
79d5d58306a55b88eb3141ceb0baa70e

SHA1
49df1982439f8c53f3b783ff283ca48407d5b514

SHA256
a8e565b2724b66e737cfda13d290cc613ff34158921faba87a177d525ec67b4d

SHA512
b0fc7859c01b95a3995992f2adada575a9a993359e0e9e0c244803e41f9a38394b24a9880f10058ff1cf086eb6b389b935904ebc453650cbcdf3f608d4ce510a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2016d0a138e970d3976f97605e28a556

SHA1
612bc61ee0bd3efce4a0a144422ca4eb5379e6cc

SHA256
4770b1c0bd3a386965340d56d73cfd1f12da0284dfc7412a1f759d6d7349d3c6

SHA512
25955a7cad9c76e4be8fb0770027ffd902be3d3a150750b3ba80010ee9140047612613d2909b7e0195ccd66052c533afa0f765aae02193faa1009cef47e94db8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
57452778ac0958c8ad455ca3fea0f606

SHA1
0a3296e38dc25ecffc6873f017461651bff2d1b3

SHA256
73ca25e1015b3f17c906fb19a4ab28244637d5a42c2f4f58b6bc4da1c8a84ddc

SHA512
2557b7f320678c06ad66af6250f7584cdea783e45646f8e4b8e57345b4dac5f99bcd8d552b0d2ea658f98c09875e9f88656bc65d5a0ea6cc469a22d514d410e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6878cc82a7c0281db76de9cd5e706bda

SHA1
c0bc7e4df6771b2455a742b4a036f5a25ad89a0b

SHA256
f5dd424272310c541d87066588dc855d89bd92e4b567dca15fb6654d7f0f7668

SHA512
78a87cb8b5d40ef1733b9cdbbafddb107bbce608371a75580da22075fe66a56eea486873a78f7fdf61a26fbb6c21008e4efe1c9502293db7f7c2f9d90999c917

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
dadfb53a41b5fee4963829c68d96796c

SHA1
ab4299f67ec4be88e635469f5e50a878f7ad6e67

SHA256
2399248fc373dec300da80b58cea52291731b305d2d596945349583b07d8008b

SHA512
83c798cef9ed861f0757697c694006d2603fae436001b8847e921bd59e21143d1768e953ef3f9fb46695bb26df2d23196d37734b9394be75cc6adb2ca94899ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
aa84b3be1e0d16151718ad1d18d55941

SHA1
ebfedbeb0238b2e0543088799f10690005708642

SHA256
7149c74744cb225a2a77f5fa37fa512f2fd5df20a374185347939cf35e3672e9

SHA512
8ce5b2dc524d6e15b0dd6568b1939783931c625b9354f7d1261380cae3fd0dc86fdebdee08221dd9690c6f80c70fef3ad92412e01a9876a89d9d9384f6a33d68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a25fb0f0342fda0a7e0dae742828e39e

SHA1
4c7c81ab41d0803661d7fd6043db5f77e7d6dcda

SHA256
0e765e5d330e75b42c4b631a5e111d985d40bd8dd51418b5cbefef1e6765bdba

SHA512
b3dedeaee2a17bac074d37346f2420a987ebbcab4b98d9980adddf66c453cebfdd3d3c5683b22e679f599b1884df01bf45cbcaa5ee1ed5cfbc7070c77c1e5ec7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5fc6a34843847d860d4be1f973bbbab0

SHA1
f0550ca6f6b669a08596b22a0d425bf9f16fb40f

SHA256
5188da226410a29787f3ae9e767aa55337c1e101e251fb4b9817aaf24543134a

SHA512
c0af98d7e3bb67bea16344d15498c7d198bd50a89a8e574879c99b24081521934639065c0b685358ffae231c7a4c482c695cd826d8ee585f9f77d7bba1b8cb17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ac49df14d646b33c776f54d1cc5ce180

SHA1
9cb80129fa9685b53b4c549de412085d1a1007a3

SHA256
de309a2dae621dfe641d4c5fa14b90381e076122a96a6a5c8b798e26984246cf

SHA512
19c84f652beb3da5792e05a3745b2550077821452533e5c65c478007af70a166a4e0faef2f8168d305bfed39d4e6516097fc669c0c97caeac2afe31f817f549a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
54c7a3e74e5a068ce8e6ac27b01b78c0

SHA1
a01b925beae2054b1b781b10e509f99cbb5c3f28

SHA256
511b0fb2d324dc4651f049d67315f6425c9150ab1966bfeb7f341c56182cf509

SHA512
fb7ddb740b7f45fe4a0b54b08aef54d7597674a328f0270e4a8753a44cf544fd171632394b7ed4b78ba8cdf918d814ef2c972c5ecf37a3d7ef6765bf6be0b9ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
781a8751549cc742f9f23d8c89dd6ac4

SHA1
b576ee10d98b7af381a395dcb13984e5c2ace178

SHA256
5ce840defe26a8678b24109b0baf355d4f8229d64898613ee01f3cf141a90aca

SHA512
9a7d1d62fca2053cedec8403f23da511a7510f0e6ff8d334ac3d93c30d4f35f8c806e42dde40bfdb56ae6661e6a6095b012b5260bbb1f06aee9d3f67d892dd42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fc825ffca7da553a293b7d152bb6d96d

SHA1
43ff9b9d0004c5593eb56499696be6191e44fb7e

SHA256
ff352742edf9d191c82a998d9028d3f284c612c1de80c3e66c3b97a2656b37e5

SHA512
23828db1345d0d54adf2eb5d741dcf646a9458ab3105c7e259ab265f349abe73235ad46d8c9ba3a2d1fd0e0483cb1e44cebb8048b6f776456b3842662d9e0647

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c62d2fd13f971d3c7f65aa8d0672c570

SHA1
1598df8d490868e222238d586af0242156e8edb5

SHA256
13beb8ad0659cf3b2744938e4123893ec5b14695575d43c2ec22994832a31a9e

SHA512
bebaf58f77b33808c35efd1d948ef5f9c9a57059379a8920d1a2427dd3837d084c42725b054bc4d3644b3bd3d31030fe2e0140bb3dfc940420075395e034f7f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
16f4053f74afedec11121afc3b523083

SHA1
4a1d06ef2e5fb99b8b90d29b6c1a1b3bdb59ea39

SHA256
490603784ed6813a992bb7fa5afd5063e2ab20b1d9d90739b98732aa410260c5

SHA512
6cbb91dd36e3d0148a856ce036e9da66717111852929d1b358ca3acd0c31d711f5aabc7185de655d2ade6cb67833a886533dfb82a2f6fd968a4617a2e2e76a64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
579eb9dc3b0c8785d772eb3c2a892f38

SHA1
7cf39a062ff09b5c4ad9e77ecba5722ba836deca

SHA256
566a670df14a3b0d1aa52ec2e2de8b83a12fcabf109891a33c56d24a3a14c7fa

SHA512
8a0be2ab774d859b8b3d543be667b12bf90e80feb44da3e39d34994d9eec3060e979307488e32aebf157b29ac79f60c2eb2aa19e2297d9bfdc4bb03058606b7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3756.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.2MB

MD5
eca2e581b367ad0d68df3a91612192dc

SHA1
c0657067fed8ea82c35d3ba085c57f98c4f40940

SHA256
c66ccea293aa25c5a24134e45801f8162b330e5c1b2d68c68e1449dd314fb4b4

SHA512
552755526af444265a7049063bef856d5c061723806dc3ab91026deb102b6bc35da2831a40c8abe9145423718b3a1aee1f230a627da708d75849570a1a2edc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar390F.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe
Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Users\Admin\AppData\Local\Temp\HD_b2bc2ab840a7d71c763e39e47afcd0d78869494dfd0c20a482f53c5a07059f28.exe
Filesize
2.8MB

MD5
21e47fdc2151c0e89f1767c0b617ab2f

SHA1
e62bc0cbb7781e740bdff43f9b10114a0310ca90

SHA256
ee0d5895e7d806eb91be1ca194f7c86b2c52660242efe1f22bce94afbba4981a

SHA512
f453076c466faef8fbf0624501078dd6e5c7e6fed9e42cf2d21f1a4a88dbfe8fe23c79c9751fd759fdb11dd0597f3e5f15d1c54789e0efe775acb1b9d5fce610

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
\Windows\SysWOW64\259398758.txt
Filesize
50KB

MD5
c65eb886b43d6d652ec72efdb7b01057

SHA1
37234001561da3e2af7dd179a917816a6e6240dd

SHA256
c8a039455fe7f81c4a10e2faf5e7211f388e9ca4608da41843d94e44beb93639

SHA512
00f0047151215a9ac03960b37921ec06f09cf68ad4c2077761d7daa05e2bb0a9bca024b2e6f68a76cf09e6432b39cf76c6d0becb0bf44c1d841411db36e9deed

Download Submit
memory/2020-32-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2020-35-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2020-40-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2020-46-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2044-9-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2044-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2044-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2044-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2704-36-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2704-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download