gh0strat | 0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
Size

3.0MB
MD5

d130725ca7506894910504571f9ec162
SHA1

e347b77c19d59a155ab46ebcc2701bc31eb3fc58
SHA256

0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4
SHA512

928e2a365fce813838f2c2bfb6e46866dbd97731f988b3d5537babd51bbb77da24370deaa9eb295b7196695ec6a5935562a49ffe84a65bc7f2f20988a3085de2
SSDEEP

49152:P09XJt4HIN2H2tFvduyS0E3d5ZQ1rxJ+:cZJt4HINy2Lk0E3d5Za

Score

10^/10

gh0strat metasploit purplefox backdoor discovery evasion persistence rat rootkit spyware stealer trojan upx

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

1.15.12.73:4567

Signatures

Detect PurpleFox Rootkit 11 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/4120-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4120-10-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4120-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1204-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1204-16-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1204-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/5112-24-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/5112-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/5112-34-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1204-29-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/5112-35-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4120-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4120-10-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4120-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1204-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1204-16-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1204-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/5112-24-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/5112-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/5112-34-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1204-29-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/5112-35-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 2 IoCs

Processes:

TXPlatforn.exeHD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HD_msedge.exe

Executes dropped EXE 22 IoCs

Processes:

RVN.exeTXPlatforn.exeTXPlatforn.exeHD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exeHD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exemsedge.exeRVN.exeTXPlatforn.exeTXPlatforn.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exe

pid	process
4120	RVN.exe
1204	TXPlatforn.exe
5112	TXPlatforn.exe
3172	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
3644	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
4348	msedge.exe
1236	RVN.exe
1800	TXPlatforn.exe
1204	TXPlatforn.exe
4048	HD_msedge.exe
4852	HD_msedge.exe
5072	HD_msedge.exe
3516	HD_msedge.exe
4688	HD_msedge.exe
2796	HD_msedge.exe
4652	HD_msedge.exe
3532	HD_msedge.exe
2372	HD_msedge.exe
3540	HD_msedge.exe
4712	HD_msedge.exe
448	HD_msedge.exe
660	HD_msedge.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4120-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4120-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4120-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4120-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1204-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1204-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1204-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1204-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/5112-24-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/5112-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/5112-34-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1204-29-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/5112-35-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

HD_msedge.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HD_msedge.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe

description	ioc	process
File opened (read-only)	\??\P:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\Y:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\Z:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\A:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\G:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\K:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\L:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\X:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\I:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\N:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\T:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\W:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\M:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\R:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\S:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\O:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\Q:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\U:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\V:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\B:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\E:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\H:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened (read-only)	\??\J:	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	HD_msedge.exe

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 7 IoCs

Processes:

0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exemsedge.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	HD_msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HD_msedge.exe

Modifies registry class 1 IoCs

Processes:

HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

812 PING.EXE
4884 PING.EXE

pid	process
812	PING.EXE
4884	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exemsedge.exeHD_msedge.exeHD_msedge.exeidentity_helper.exeHD_msedge.exe

pid	process
3252	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
3252	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
4348	msedge.exe
4348	msedge.exe
5072	HD_msedge.exe
5072	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4696	identity_helper.exe
4696	identity_helper.exe
660	HD_msedge.exe
660	HD_msedge.exe
660	HD_msedge.exe
660	HD_msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

5112 TXPlatforn.exe

pid	process
5112	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

RVN.exeTXPlatforn.exeHD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exeHD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exeRVN.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4120	RVN.exe
Token: SeLoadDriverPrivilege	5112	TXPlatforn.exe
Token: SeDebugPrivilege	3172	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
Token: SeDebugPrivilege	3172	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
Token: SeDebugPrivilege	3644	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
Token: SeDebugPrivilege	3644	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
Token: SeIncBasePriorityPrivilege	1236	RVN.exe
Token: 33	5112	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	5112	TXPlatforn.exe
Token: 33	5112	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	5112	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

HD_msedge.exe

pid	process
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

HD_msedge.exe

pid	process
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe
4048	HD_msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exemsedge.exe

pid	process
3252	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
3252	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
4348	msedge.exe
4348	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exeRVN.exeTXPlatforn.execmd.exeHD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exeHD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exemsedge.exeRVN.exeTXPlatforn.exeHD_msedge.execmd.exe

description	pid	process	target process
PID 3252 wrote to memory of 4120	3252	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe	RVN.exe
PID 3252 wrote to memory of 4120	3252	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe	RVN.exe
PID 3252 wrote to memory of 4120	3252	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe	RVN.exe
PID 4120 wrote to memory of 3712	4120	RVN.exe	cmd.exe
PID 4120 wrote to memory of 3712	4120	RVN.exe	cmd.exe
PID 4120 wrote to memory of 3712	4120	RVN.exe	cmd.exe
PID 1204 wrote to memory of 5112	1204	TXPlatforn.exe	TXPlatforn.exe
PID 1204 wrote to memory of 5112	1204	TXPlatforn.exe	TXPlatforn.exe
PID 1204 wrote to memory of 5112	1204	TXPlatforn.exe	TXPlatforn.exe
PID 3252 wrote to memory of 3172	3252	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
PID 3252 wrote to memory of 3172	3252	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
PID 3252 wrote to memory of 3172	3252	0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
PID 3712 wrote to memory of 812	3712	cmd.exe	PING.EXE
PID 3712 wrote to memory of 812	3712	cmd.exe	PING.EXE
PID 3712 wrote to memory of 812	3712	cmd.exe	PING.EXE
PID 3172 wrote to memory of 3644	3172	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
PID 3172 wrote to memory of 3644	3172	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
PID 3172 wrote to memory of 3644	3172	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
PID 3644 wrote to memory of 4348	3644	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe	msedge.exe
PID 3644 wrote to memory of 4348	3644	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe	msedge.exe
PID 3644 wrote to memory of 4348	3644	HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe	msedge.exe
PID 4348 wrote to memory of 1236	4348	msedge.exe	RVN.exe
PID 4348 wrote to memory of 1236	4348	msedge.exe	RVN.exe
PID 4348 wrote to memory of 1236	4348	msedge.exe	RVN.exe
PID 1236 wrote to memory of 732	1236	RVN.exe	cmd.exe
PID 1236 wrote to memory of 732	1236	RVN.exe	cmd.exe
PID 1236 wrote to memory of 732	1236	RVN.exe	cmd.exe
PID 1800 wrote to memory of 1204	1800	TXPlatforn.exe	TXPlatforn.exe
PID 1800 wrote to memory of 1204	1800	TXPlatforn.exe	TXPlatforn.exe
PID 1800 wrote to memory of 1204	1800	TXPlatforn.exe	TXPlatforn.exe
PID 4348 wrote to memory of 4048	4348	msedge.exe	HD_msedge.exe
PID 4348 wrote to memory of 4048	4348	msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 4852	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 4852	4048	HD_msedge.exe	HD_msedge.exe
PID 732 wrote to memory of 4884	732	cmd.exe	PING.EXE
PID 732 wrote to memory of 4884	732	cmd.exe	PING.EXE
PID 732 wrote to memory of 4884	732	cmd.exe	PING.EXE
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe
PID 4048 wrote to memory of 3516	4048	HD_msedge.exe	HD_msedge.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

HD_msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection HD_msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	HD_msedge.exe

C:\Users\Admin\AppData\Local\Temp\0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
"C:\Users\Admin\AppData\Local\Temp\0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3252

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:812

C:\Users\Admin\AppData\Local\Temp\HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
C:\Users\Admin\AppData\Local\Temp\HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe
"C:\Users\Admin\AppData\Local\Temp\HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe" Admin
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4348

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
6⤵
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
7⤵
- Runs ping.exe
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffba1746f8,0x7fffba174708,0x7fffba174718
6⤵
- Executes dropped EXE
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=1988,8660916068305519540,12276738231274377254,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
6⤵
- Executes dropped EXE
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,8660916068305519540,12276738231274377254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,8660916068305519540,12276738231274377254,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
6⤵
- Executes dropped EXE
PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1988,8660916068305519540,12276738231274377254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:2796

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1988,8660916068305519540,12276738231274377254,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1988,8660916068305519540,12276738231274377254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1988,8660916068305519540,12276738231274377254,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,8660916068305519540,12276738231274377254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
6⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,8660916068305519540,12276738231274377254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1988,8660916068305519540,12276738231274377254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
6⤵
- Executes dropped EXE
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1988,8660916068305519540,12276738231274377254,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1988,8660916068305519540,12276738231274377254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=1988,8660916068305519540,12276738231274377254,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4596 /prefetch:2
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:660

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Executes dropped EXE
PID:1204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

Filesize
3.2MB

MD5
ad8536c7440638d40156e883ac25086e

SHA1
fa9e8b7fb10473a01b8925c4c5b0888924a1147c

SHA256
73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a

SHA512
b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
4.3MB

MD5
038252e4dffb608e23bb9f52b05f136e

SHA1
382104f4f2d1e9cedc22c5573365c77830088c50

SHA256
ecd6e2f172bfdd8ef667b716c21fc00be76254191f83f017ccd08282107415ad

SHA512
420b9ac55b8b6bc9b883e76b9a1a457560ac224c44140f7796de81f393dcc1aa1ced5f6e5d7a37965e3ee654afd12caa6e7b5f2707fb9d85fee8b2c7c67442b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b25c247aa02b313578965a2ded07ebed

SHA1
3d851c586600c38d0478b8216977a548b9bae9c7

SHA256
c0902a7b46d955450b7015069d646191deb7b0a373ee76c3c45a15d50c9fa76f

SHA512
6613e6bbc475ab93f7cadf7a28a48da42823562a126a2ebe54661777656b59ef6551ab9643f3f3329e33fe4171ab545be4c83356fc649cbcf22ee83d0c578357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a3fe21e3224b304303b1ee453df24902

SHA1
0ebae7805fbe44f55e85ef04f1add073bf704b5e

SHA256
8f85da3f19849c4ac59727f4aef7b7957a5ee8dd96c2391be9c862f0466b7194

SHA512
bb67819a61ca4a8b26ec0505d929d7b16bd8056e439d50dec870e67d0b32a3b96ce083a7c93743010f161ca5ea47b2f794c403973f0376f19ca6f220e3dbb277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ec4c8d976fbbd07b5441a21dcd719254

SHA1
124c0f42f37742905ba171557f56aec228c245f4

SHA256
44ef04bb647d67327989df62861935839781a1db08403c8985c037ce037aae88

SHA512
d9fa791812f99118ce6c229ce367de1632ca396b1201116212fd6cf5768ec8e597b9607ed0c3d93d38254e3f7ee30459b218543e6185f94f853b81fb3a320bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_0dd6d189ab0a47cbfcef1d09283bbf52cb71029cb079ada2f1c52227d22a80f4.exe

Filesize
1.8MB

MD5
a6277a4dd6da17e31eebb8c702e86d6b

SHA1
c93a52e6ca0b877871049174569dd5568d93d341

SHA256
f771efee7b5ea61757ce49e53fb7e0ba4623b45df099a472b48dc3e1a0a9d6cb

SHA512
fc07116a531be4b8d6599c90301fd2c16768c518a23b9d6d27a9c2335f66811253811daa831032f81bcddef18c384341d538d411bb92a9834de484eff02348a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
bac68825468087126b1bf35caa76fcf7

SHA1
6be32677a936a103c8bfc52b7b9dd6e90dc511a9

SHA256
76522a8224923099ecbe474d7153b9fc163493e301531f3167076c124b9ad3ad

SHA512
d3ae905feefae88cd5633859102f7d40a54f3a9906fc440e7d680fc63284d1cf04b7cd51f5da3b0d490f74f0d0903d4dd03289a6b3eb1ee7b4b450c122d565dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
822B

MD5
03450e8ddb20859f242195450c19b8f1

SHA1
9698f8caf67c8853e14c8bf4933949f458c3044a

SHA256
1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b

SHA512
87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b

Download Submit
\??\pipe\LOCAL\crashpad_4048_RWHAANCXWPODRIID

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1204-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1204-29-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1204-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1204-16-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1204-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3172-36-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/3172-83-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/3172-84-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/3516-143-0x00007FFFD6EF0000-0x00007FFFD6EF1000-memory.dmp

Filesize
4KB

Download
memory/3516-220-0x000001B120960000-0x000001B12098B000-memory.dmp

Filesize
172KB

Download
memory/3644-96-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/3644-88-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/3644-101-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4120-10-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4120-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4120-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4120-4-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4688-221-0x0000017F2E3D0000-0x0000017F2E3FB000-memory.dmp

Filesize
172KB

Download
memory/5112-35-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/5112-24-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/5112-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/5112-34-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download