gh0strat | 0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe
Size

2.4MB
MD5

898cd60be8341ee932d96cdb0d5feb61
SHA1

f7b268c071fe34278f739974087869f390a14f53
SHA256

0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf
SHA512

c79e0683382a1a398a6478d43a974fc47a07e79c66ce49ff1455470576e20f585042cefa0046bcae9ff5cc0b5da4847d87e602616f0fef1fb7375d6089f4c93e
SSDEEP

24576:4QZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVa1Dfun2dYA/qVIYT:4QZAdVyVT9n/Gg0P+WhoRDmn2dDC2S

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 8 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/308-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/308-9-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/308-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/312-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/312-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2708-40-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2708-46-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2708-62-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral1/memory/308-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/308-9-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/308-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/312-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/312-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/files/0x0007000000014e5a-28.dat	family_gh0strat
behavioral1/memory/2708-40-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2708-46-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2708-62-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259397261.txt"	svchos.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 7 IoCs

pid	Process
308	svchost.exe
312	TXPlatforn.exe
2908	svchos.exe
2708	TXPlatforn.exe
2580	HD_0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe
1232	Process not Found
1444	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Loads dropped DLL 8 IoCs

pid	Process
1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe
1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe
312	TXPlatforn.exe
2908	svchos.exe
2548	svchost.exe
1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe
2548	svchost.exe
1444	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/308-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/308-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/308-9-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/308-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/312-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/312-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2708-40-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2708-46-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2708-62-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File created	C:\Windows\SysWOW64\259397261.txt	svchos.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000032bf8fbec880f745bcf4990b75b0435f000000000200000000001066000000010000200000000d3171475e9335108c6c2d000e1c7fd2bc70e866f39655eb840f26d76048f009000000000e800000000200002000000007d8a3f6ef9b90a8cb22a46c8aaa43cb4ec5665c31676407e6878c8d06b36cdd900000009d93975208636e705138caf4fa5683c5139eded9f3371f56da553f65d569a4a2cd4a08f2d3c9f0ba58b3f48cea8a6405a0f3b7bf350a1625ca8f95054e433d0fb0190b7c7f5f0001abf6f2c073952fffefe315f6c2d4c013d626ec17401a7e8c63935568bd9a39761daac51b3cfa2c93652d619248e98be9c84705a955c589f24d0cbf084f67c602ee9367992c757cca40000000a38cd6a5abda84346edddb0cc268f9705ca2478f9d6dbc50d4908461317ffdd0e9bd7744b0407767356f6663b208eae5b0a52c5bc29f59823207a2ba2902e082	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000032bf8fbec880f745bcf4990b75b0435f0000000002000000000010660000000100002000000054e9bf3830590f3ed1c29e46b7055e7d0590b2e7145a5704edd96255c3e85072000000000e8000000002000020000000044507b29dd8040bdb17ba800c45bb88626691e55404d74baf0d49188f719a7720000000246d96eedd211a7c1e246277ab49105744aacd63e8d126103742010db96f86c0400000005e500989c050c36dd67cba7c37c55877ac6ef1f2745de5c7873afc9af3298fb50d7a8bc7922e14774a5dca5bebd35f1e0882bb890bfa52a40b253de30ecaba1a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0708cf77dafda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2138ED41-1B71-11EF-A304-E60682B688C9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422897685"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3008	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2708	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	308	svchost.exe
Token: SeLoadDriverPrivilege	2708	TXPlatforn.exe
Token: 33	2708	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2708	TXPlatforn.exe
Token: 33	2708	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2708	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2348	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe
1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe
2348	iexplore.exe
2348	iexplore.exe
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 308	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	28
PID 1796 wrote to memory of 308	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	28
PID 1796 wrote to memory of 308	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	28
PID 1796 wrote to memory of 308	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	28
PID 1796 wrote to memory of 308	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	28
PID 1796 wrote to memory of 308	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	28
PID 1796 wrote to memory of 308	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	28
PID 308 wrote to memory of 2652	308	svchost.exe	30
PID 308 wrote to memory of 2652	308	svchost.exe	30
PID 308 wrote to memory of 2652	308	svchost.exe	30
PID 308 wrote to memory of 2652	308	svchost.exe	30
PID 1796 wrote to memory of 2908	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	32
PID 1796 wrote to memory of 2908	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	32
PID 1796 wrote to memory of 2908	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	32
PID 1796 wrote to memory of 2908	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	32
PID 312 wrote to memory of 2708	312	TXPlatforn.exe	33
PID 312 wrote to memory of 2708	312	TXPlatforn.exe	33
PID 312 wrote to memory of 2708	312	TXPlatforn.exe	33
PID 312 wrote to memory of 2708	312	TXPlatforn.exe	33
PID 312 wrote to memory of 2708	312	TXPlatforn.exe	33
PID 312 wrote to memory of 2708	312	TXPlatforn.exe	33
PID 312 wrote to memory of 2708	312	TXPlatforn.exe	33
PID 2652 wrote to memory of 3008	2652	cmd.exe	36
PID 2652 wrote to memory of 3008	2652	cmd.exe	36
PID 2652 wrote to memory of 3008	2652	cmd.exe	36
PID 2652 wrote to memory of 3008	2652	cmd.exe	36
PID 1796 wrote to memory of 2580	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	37
PID 1796 wrote to memory of 2580	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	37
PID 1796 wrote to memory of 2580	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	37
PID 1796 wrote to memory of 2580	1796	0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	37
PID 2548 wrote to memory of 1444	2548	svchost.exe	38
PID 2548 wrote to memory of 1444	2548	svchost.exe	38
PID 2548 wrote to memory of 1444	2548	svchost.exe	38
PID 2548 wrote to memory of 1444	2548	svchost.exe	38
PID 2580 wrote to memory of 2348	2580	HD_0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	39
PID 2580 wrote to memory of 2348	2580	HD_0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	39
PID 2580 wrote to memory of 2348	2580	HD_0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe	39
PID 2348 wrote to memory of 1044	2348	iexplore.exe	41
PID 2348 wrote to memory of 1044	2348	iexplore.exe	41
PID 2348 wrote to memory of 1044	2348	iexplore.exe	41
PID 2348 wrote to memory of 1044	2348	iexplore.exe	41

C:\Users\Admin\AppData\Local\Temp\0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe
"C:\Users\Admin\AppData\Local\Temp\0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3008
- C:\Users\Admin\AppData\Local\Temp\svchos.exe
  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\HD_0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe
  C:\Users\Admin\AppData\Local\Temp\HD_0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://pc.weixin.qq.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1044

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:312
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2708

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:2724

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259397261.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_9B8670363F58B4643EB28A4A03EE9887

Filesize
471B

MD5
bee5fb5e805d35cd55420168a04f34e6

SHA1
526ddcbf946f16456937f29cf75dfcbff5b25e24

SHA256
40e4fcfd75e70860611c16994e1db4a1c339c35270bbbe93f55fd280c503c74d

SHA512
a35f8f918f17aa6566ef6f0a89b12b8184b73709ea42eef5df02ecc89be9df6a1c7e6ba10bffb739e442731321a2566ddde870edcc9ed840c04b28be90f09d76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
7414647e37ef9ffd3e7b8bc46e52d055

SHA1
a03acc5d411126d05362418f1545e7ae42a2e699

SHA256
33c8ecf52784ad8d3c1d73cb7019aacfe25186388de3651501a1fc93af74eac3

SHA512
436abaebc2dc986db38de0c228fb81c91ae4c341380d6514ff9d445569fc3b05833a4547984c04019ea9fbd8911f8209b47cd0b63b309d7a663c4b352d0b05eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9bde5a9753ef9dee227902f03e73b035

SHA1
fbcb071ed60ef1586c1dafc97794b48a98451028

SHA256
97575c4fec0dd6925bf1e3e1e9e35deb4becd0891d7f99f9ef6864b542201ef5

SHA512
13ff171ac5a50e7c2776f5d65c3d21178b70a6f50ddafe3b07731057d4813759008f064c78356bd5c6c84a725639c058a0cbd6e9dd86b0f5b9352c355f86b144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffc0495b88a11be752bd944bc4f59d2b

SHA1
d8de5e517d91ca60d0ba2d50b5d0eb4f239881f9

SHA256
728b2f18595ad4ffa81a9ab24a2b93eb687999126301afbffca1e6f996e7251d

SHA512
2603608073c4c8533ab96af0cc2323fc67a81d48eb4d8b76a74643dfe3563c67c6b342098af3728c8ac55f469db471ff1bea04f1979f74c05299a7d434d07ea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
076c19068de6a985e86342a56d8799c9

SHA1
1c37a80f17fd875c804ec0a70f6623fc0075a35e

SHA256
eaeebf64878e74d892f517ef3a72c90f440faf17f8309842061bbfb26c76a2e8

SHA512
70764c0fde1e6d86085250477f9c02578d067d2bebf95211ddb781fd6413c7a60d59b401ec098c8ce30b6c77c18a1ab87eb811f957343ec8975ab4f48c97121b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9e1daab83abacc264c133e66c27b9b0

SHA1
7f2bcddc628a4e156365c6485eb21a04af724f25

SHA256
67a43a0c498ebba3a9ca63fbe7b818609a0fde9887825d38bd244301d895c422

SHA512
fb339ab725daef3f120e30ed1e53ed396c9b279966cc9a61edbafbff2040c9b07dcd7686f7b1fcf092872d8240eedf4822536fa1e8b9f0ad7370767ce47bfa4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
37e26e33e297807b89738d4846624686

SHA1
24d7f6a69a075fb102d4f8d69dbe1194c7f26734

SHA256
a69b9c0c9162d5cdda1891ed7d8c564ff1f05ada162c9cfd51de6c3d20840dc8

SHA512
16e48e90961324971f9bbc6112ad03bdf27b0eed66985bbcddd66a3f237203c295ac48be78b68c78f3d50ca48daee1314e628db6092acd6db4a32dc04968bfff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42f313a45e3c84a0999c4429d94137dc

SHA1
a39a8b13c53e9c67a138b7dcd3099e93e71f25f9

SHA256
a66bbdf01ee16ca0426fa4dbf9e7a731a17dee86ee7fd331286d3ad52ab2823b

SHA512
f5035ecc0f47df0a3b188275a1fc3833eb4f162934cf0ce5cd1f38f220e63a15bb6e2f3e8b0b67a98e3b59b1d14daffe2cc4c919ce01bc1f78bd3edde18a4a4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
380f549476ef250b7b1ce59599b8a2a4

SHA1
1c3133af337ff08bb9116099cee23818be38a347

SHA256
7ff91071aafe308056579574f79d1c0b475bf34f6f45962d21e9fb36fd503d91

SHA512
c442529c24d29d7ed24c68d09d9298ec3859e49ef89ab40943d7c6bf3ed3cdca26cbee6564f931fd975a64989fe001624adc1ea6125c20537267642ee5266c46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c051133029e2de277df37a738867d125

SHA1
56c4f51af1adc5424ee6f0794261b9519d7f4fb0

SHA256
e9a2086b22df70260301e410fb0714b75a078a3aca6c88a75e350f5593705911

SHA512
4a1ac2fe63c941d3182e30438bfc9c92caa0e31c1830263bed1bdfd7ffb12cecb02298e9a28870ab2e9f992785eb7338080153013859634df98b33aab86cfb5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0029c282ad111ff98863430cfb5dd3cc

SHA1
bea239d7af57aebe4f640d2747b21668d7e6ab90

SHA256
83c9100f5928ab801c5dbaa55097586b6764bedf5bc6c891d719104cd819ab20

SHA512
7abefd061f95acf7d76ad723d44374e4ee2a7c313c2525cbd45f3d76d9a5445b189c83199e4e49dae23797930d7b80ecfe702233fcee8f7d0901344c868b90d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bdd6e6596bf69bff91a120e7ba515b6e

SHA1
b5f5e70baa680df47d80bc5167d72649db193ad4

SHA256
928ab52a459b243961815e390bddb24fd73ce31df201e1bf54b749427adcd372

SHA512
bb9983f068944c5d38b105c1cd2f699fc299a6155545ecc3ef9657c146eca6a2861b51079a53f6d662ea929e3d7dee23a6bfa36a75daa2bebaf2e3904ed6e4f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
936d874488cc9840555fc409f8d82dd5

SHA1
dfa8b729bed22a936e78087e12a664311cbe2690

SHA256
d51d62d5948b3f22e02c8c3eb1d6a1f901d38a40c2171691ea37e82431dec0a8

SHA512
877d2333965d5083f9b712d93579b71610eeb8fd5933f8a0905c74438058f58f247be35e6cf59622ae22f566a71992f73db9bfaf9e8391d6bce542a9b2a5f76f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f542e740d690367265cec296a49f9d00

SHA1
607ac7a64ce23ee22545834bfbf5d03180eb71bf

SHA256
ab719031ca7d122437496e7e0b9293c9ea13f9c0c91614b5dee6049edf763752

SHA512
1637997b53ed5ceb1f50cb84ddade9f761158779cc01d483409b407f2fa6c2d6f7b62975247dd2ce40b26af365e4ff67d52ec51b445d065e0a1b0cd42ee08081

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a3d0939eec9db9c0b8c9b64840223be

SHA1
8023e4299342ed372e076b2de8bfe9071cf80621

SHA256
625bdb7a2d97d7af4f431018003c9548d8c49e1e85ba97d2fae5983d9a10f0fd

SHA512
757a540879ccf2eb85dda801ea8a649d4830b67ec61a65c76113d14e0cdec82a96ddc710c521a4b838a6ac455557c36589c2a23eb67e4d0092bbfb02e2ce22e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb43cc51e16d5db8facf5209dd69547f

SHA1
64da28bf469d80c5c2d7b0bd1d55b43cba8a3f7e

SHA256
0381f2d93a4fa0d05ff5d494e7845820baff43dba1e902b6eae596980f0709dc

SHA512
8cee310f7ba99625e9bb29c7d55f76651124f12dc79cfde851e6fb3b8fde08560f77e83c5a83abc151b24459fdc00b81173504aad1524fd6b7238d17054f6329

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6886501256faa85466fab41b69a2e797

SHA1
fd6167eda069d82dfc1bb623aaf9d4c23b218197

SHA256
79a01da916c8459f891795b527009a742d381bbe3280902580a8fbf641055c50

SHA512
ac589a305ac099e53c790c3f55a78da7fb5bb0c54d6a7c84d8da9ea2bacffc6660506ee722d30fe8603afb6ea7908a1a56917dc304745c3624bcf9ad9c0f339c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c611518ea1d384de8c05b0d78b6a44e

SHA1
309edf27c941db9a5d2346f74cdc5268eb556f24

SHA256
8fd790716b7523373294981eb8c0775f811101bf417eaebf8bc6f5c1848ea039

SHA512
0c81f68c3bf8644b6f0b1b1ff713b126ec3b2e1fa78708ea20c884394c7855bda13d3f4b262bca2c5fa2a26953fe587dcd7b48203b4f5ccfc39c273a9a3f1bdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3bfce178a4ead83e73261f6020f089b5

SHA1
cc3eaeb280f66b41fe87ac0225d41495c94d9933

SHA256
444078e0e7badb8ab74a7d167e0808c26a70bedd45adc410039e360eae4eb5a4

SHA512
ac237ae1d03646a43298fddaf2627ae24a7e0c082026ed30ad9aa9da35322127e588a126cbec9081a217388c857f33560345cd898b82d619c58bc12ff55d3ff8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1531604ba92c45b9c7ed7c8879199b52

SHA1
5afc987c72504d442fe4d7dbddb4aa1e9fb4f885

SHA256
0e025af24005b5ba47b1d107d18b5de02d968d195e82b172e6899c3e7664c18f

SHA512
d41673459c81b4eea49bedda20050f456acf746d3c27263997aad7a0a7dcde6ee1464a5923de2df7225aa494870b9a72b354dc43446ef0df3d390cc0a4154251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc124c654e7f7e7f894b705dffde1d09

SHA1
878122a72d9a05187abc9684ab2b99da8f80ebd9

SHA256
03aae7d4faa8d8ad321ac125c2cbdf9f8e788ca913a848dc7e617913fcdfc12f

SHA512
4ba8bf394add01ca7ea5fb12e3e7c43daf9a8630091a81bd2079735fb227e211bd3fa13fb4771a3cf3a54043f5de76334109a263b460ff8de44cabcb7973bd00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd6993887fe59921a20defd64301c542

SHA1
b670194d41dc22c78b6987bd6e11643386c62227

SHA256
4d1c5c66ee6e2c64607dfeda2cab0b273db4604256f851ec50245591b19241f6

SHA512
b2d6df0255fd643d4fb3beaec1a20acba4889d04be28b1b7bba18f6b95cf6bb948df635a5faf280d47bb1ba99a62fea37bac57de509ce450ee6fc92fe9285879

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_9B8670363F58B4643EB28A4A03EE9887

Filesize
402B

MD5
05cba1b77e6b7e12a06aa3bb9480d476

SHA1
821b216198416e4e92d99ca6c4f838a5b2c5faf8

SHA256
4b12ab6bf1652dfedafbbe3e6dfd3fc8a6067e6284fa0def68bb3a8a866e9892

SHA512
f12d5cf1e9684fc21c0c50bf3ba12803479b2b6d31c288385d44d1f5476860e3f023d5ff98d79acd2fbd3712adc748f7c3dc3f82ffdf5d20a3cc5cae4bf317f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1efa2e045f9fea1104a3e4f4bbd70882

SHA1
c5d06147746a9e6c6b975a14db6dc0d23ab8d7ab

SHA256
7476e98c00ec0d1d58dcdad497ca51ea7b31e7e1f7cd7a6e0f352197d6b4b1d8

SHA512
77a0694f2bd2d2ef575254466d76b3c7673fef1809e681934b648105ce532a312797005a8d107055e423f87d67a4efcf24278908b874f27d86b463e837e2a237

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5380.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.8MB

MD5
0bfff206304fb76c62ca51cf8411b8c2

SHA1
1132aea6fdb9456ea8f02228d5d4a9c548d88c0a

SHA256
1f33bb47ed3eedb4143763f48726faff896ebc1a3ddc96156bcc7e848356d3d0

SHA512
190613a4aefbd7f7067cfc113fcbbe81ca75d9c42d6c3c04eefcc50334e2e268b6ed75bbd8acb43aa4d5f691428ca42851b5c92606503447745a703a0a809ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar537F.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5461.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\HD_0f49b2806eb0011ebecb96a18961cf5f905ec27b4510d42f85af03647d0eeabf.exe

Filesize
644KB

MD5
6058d1bda0b3ebda6777191add4a05e8

SHA1
92e534bbd284b8df9754cc5db4bc35cc63b3143d

SHA256
1df8ce11a144020023a8137af8152648e55347b5a2f5c4460e383b2cfa4bf6fb

SHA512
6d30c12a2d79d04f0535703532f79f0b4ccc6667c9fbdf2273b53f81d0b2ca0fc21db3ae3dd32cbd34d7467a500ca4ab852f754301703b4764395cf3e5ecad41

Download Submit
\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
\Windows\SysWOW64\259397261.txt

Filesize
50KB

MD5
e16816b2091ac60e53474dcc9b4beec3

SHA1
fe71b147be906f7e8df6aa3bb1fb8e3a09913dbc

SHA256
9b3d5a2895caaf4ee1033b1f03bc7fc2fd229b6042b4098f452a5b3e58f78550

SHA512
9a57014c25c363ed4120fcd0e2e3115355d358edf7de57e42e7eecf44de85f8324e76dcfe8a2ff1caaa68d264611a8c269c63d2d550f7f225be99035d1e0ee3b

Download Submit
\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/308-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/308-9-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/308-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/308-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/312-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/312-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2708-46-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2708-40-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2708-62-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download