Malware Analysis Report

2024-09-22 15:14

Sample ID 240529-tm5fqsbd6t
Target 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8
SHA256 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8
Tags
gh0strat purplefox persistence rat rootkit trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8

Threat Level: Known bad

The file 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx

PurpleFox

Gh0st RAT payload

Gh0strat

Detect PurpleFox Rootkit

Sets service image path in registry

Drops file in Drivers directory

Sets DLL path for service in the registry

UPX packed file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops file in System32 directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-29 16:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
(1 match; no details reported, all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 16:11

Reported

2024-05-29 16:14

Platform

win7-20240419-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
(7 matches; no details reported, all fields N/A)

Gh0st RAT payload

Description | Indicator | Process | Target
(8 matches; no details reported, all fields N/A)

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatfor.exe | N/A

Sets DLL path for service in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259397339.txt" | C:\Users\Admin\AppData\Local\Temp\R.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatfor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(9 matches; no details reported, all fields N/A)

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\R.exe | N/A
File created | C:\Windows\SysWOW64\Remote Data.exe | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Remote Data.exe | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Users\Admin\AppData\Local\Temp\N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Users\Admin\AppData\Local\Temp\N.exe | N/A
File created | C:\Windows\SysWOW64\259397339.txt | C:\Users\Admin\AppData\Local\Temp\R.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423160962" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d10000000002000000000010660000000100002000000024a58c69feb85b8cef3d8abe24982e93b8ec5ea7cf953a09fb0daa5320761ec2000000000e8000000002000020000000e17fe4f10f7d7a5bb9c4de8b6f051a4bd6a9c050a5ef5dca44bfc43a65d22854200000001cf6c6019776106d741cb2e9bd3ea0e039dc8fa8b7b62e07bc57a094e417cafd400000004d7b71184b2017f3aa22df7ffabc02a73bc27dd5a9ca3d12da79264498268b2d95385350b54be0f3dcd6a31e180b11bbd5736daf1422b5b642f984d8eaaa5243 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f038e232e3b1da01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1F376691-1DD6-11EF-97A3-C6E8F1D2B27D} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not preserved in this copy of the report) | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\N.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2176 wrote to memory of 1392 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe | C:\Users\Admin\AppData\Local\Temp\R.exe
PID 2176 wrote to memory of 2192 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe | C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2192 wrote to memory of 2716 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2652 (7 events) | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Windows\SysWOW64\TXPlatfor.exe
PID 2176 wrote to memory of 2624 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe | C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
PID 2716 wrote to memory of 2620 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2444 wrote to memory of 2940 (4 events) | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\Remote Data.exe
PID 2624 wrote to memory of 284 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 284 wrote to memory of 1252 (4 events) | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 1912 (4 events) | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe

"C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe"

C:\Users\Admin\AppData\Local\Temp\R.exe

C:\Users\Admin\AppData\Local\Temp\\R.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Users\Admin\AppData\Local\Temp\N.exe

C:\Users\Admin\AppData\Local\Temp\\N.exe

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe

C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\Remote Data.exe

"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259397339.txt",MainThread

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto | Connections
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp | 1
US | 8.8.8.8:53 | se.360.cn | udp | 1
US | 104.192.108.22:80 | se.360.cn | tcp | 2
US | 8.8.8.8:53 | browser.360.cn | udp | 1
CN | 1.193.215.228:443 | browser.360.cn | tcp | 2
CN | 36.158.204.228:443 | browser.360.cn | tcp | 2
CN | 61.163.171.161:443 | browser.360.cn | tcp | 2
CN | 61.184.9.227:443 | browser.360.cn | tcp | 2
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp | 3
CN | 111.6.185.228:443 | browser.360.cn | tcp | 2

Files

C:\Users\Admin\AppData\Local\Temp\R.exe

MD5 8dc3adf1c490211971c1e2325f1424d2
SHA1 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256 bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512 ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

\Windows\SysWOW64\259397339.txt

MD5 0ea572dddfbad4b1571d9303ff0c3b19
SHA1 0cbffaa84db8c9c1c739a032378b2e6995fcaa0c
SHA256 fb70755ccf0eec39694f2a60326c7150cd4cdb69065025758ed1a1cb26856c83
SHA512 2284ad9ad65d049e2035c9342a06c4c87a6f0213b14a2ffe5b2189bb72fcfca34f0d831dda8539b2df41d0bc88f85771c07ca8e155a114a39f3caa1c0d6c4a5c

\Users\Admin\AppData\Local\Temp\N.exe

MD5 4a36a48e58829c22381572b2040b6fe0
SHA1 f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA512 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

memory/2192-18-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2192-21-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2192-20-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2652-38-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2652-37-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2652-33-0x0000000010000000-0x00000000101B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe

MD5 45ebd25a2158aed5d54f1164c964c860
SHA1 15b6b76c2853b8309e2b2182bb02b42c8c1e9371
SHA256 22b1e9dd9ec5a056817f425234674aa961a649758f13308a698a4c92854ce4c3
SHA512 16cfdaa5d59d73f7cdd58f621b68b4b22d775b556194f40aa04c99c8798eddc5dbefe844ea3c161c0e188de2143f9c16764011ac68efcfb0d658e84d3cbb0419

memory/2652-41-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2652-47-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2652-49-0x0000000010000000-0x00000000101B6000-memory.dmp

\Windows\SysWOW64\Remote Data.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

C:\Users\Admin\AppData\Local\Temp\Cab321A.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar32BD.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b29cc839656de49ee089b3cf35068ccc
SHA1 2caff3146e6545ada8cee41698f79d7d28f2c3b4
SHA256 4280884aa70ce9c25bbffdfedf1e08af85596d37adf851d1529115a069c6937c
SHA512 f97e425ec8b9dedf77f5580013190d025ddc1d25dfec0a008cd1af1bbf30bb3f15f7c91065e43b37f224843c06109b5ab79a74ddedd678bb91e0bcc405c4a09b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b813bb5899a6efc216e975f1b12926e8
SHA1 0b632ae8327a8eee2f3cfbbc52c458e710143508
SHA256 7df665ed10b20274b71a3ef1f9d1568fb39cab8f4cffa0e312702adbba323eea
SHA512 2a17274d592c471494c1e06c6fec4b8e06594d021c7dbda2d28ca9787dd4b3a2b62c98103abd7a373e391e3cfea6f259dcf3fbcdb0b53a995fa92e8066226d53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e07ee738f982bed1f7fecf2b938a856
SHA1 88863c223e62c8c3c1e06e63d1435cf1b7bf62ad
SHA256 a6dd9890778c59bb841102cfeca9b93631e47d98d553b0dedb10770d16a9aac7
SHA512 a65c7b3277cc1ee928bb8bf6474e356570583320b11e0c5da9766b7e39438418ccd20291c34f0393eb2b8261d9d7378ee2801e85576be762cfc351676710ee7a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 efda36d8ced231fc108b590dfa364723
SHA1 fbc030aa19d8af7770fadaa40c7c940111ddb345
SHA256 04609a932504f070f4058617d85be46adbf5caf9a57a1c4b7439363487098328
SHA512 642abbba5451d6fcc97d92540ee7de70ac40a6f79391fb8d12d41e5b55be7f9cc7a020a445dae0dbe4c888ac630cf03f747dcc4bc91dc971c29b56c9287fc481

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 14134653ea7adaccc0b813138eb82e6e
SHA1 2a9e532e448deeda9fecf59c01330f3f16ae7f1a
SHA256 eeaed6b211779012007578f4e1c01ab658d4bf5a3b950a57ea31a7fc6097e0c6
SHA512 d52017bb2dea65ca49efa76aab2b7b9d1dc2154661181a1bfea73e676e4c979e4393e90137dc955fda0b57143fd39df884d1d20152500267c7cf30055571067c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48ccbbce0c3f53303315b6858df31d7b
SHA1 1bdf27bca2bbda7bb5c5b621798217bbee603206
SHA256 573780d34e14eb7375e8c8377df3d1dc90edf1113795246ca2ccadcb35f46a86
SHA512 d12ac3eea5b21cb8c668041885bc6a2f01fb43dbccf6e869880f2b1b1e47ad52e6a7ea485a5d61e12571baa8a9bd4c51525d2510d5e7fb6bf87a89529acff109

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ba7e8e9cce36d3c535d59e82341fffc
SHA1 fb054c252296dcbe9d971885aa7efbb72d474d8e
SHA256 02877710fc3b7977ec10b533b091a6ea83f08f670138211905c3fe77e777fc49
SHA512 51f4e50be9d247624b3b5edcf497564de3ccc2e3d69a5b53ff19a5dc8eb37c2080adcd0c01f3b8b6cf8143a0fcaf7d8282dd0b430708151e1fbbcc1369da9274

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47879082b8b08a7934dbd72d1c79eac0
SHA1 cf0b74db42f56d1cc43a9caf4126fc0343275caa
SHA256 bf91abecdd5aba1779b0543c25cc143270951d8f549e6413ecfb6507cc8e2354
SHA512 7401fee70b80bf51a0e14d1fde74b1b06dc3102e87facdf715ff181298ad9e7f120c7ad680637a120b095a8f64a06e3479f48fa0f1b7dd8cc395e79067fe3689

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e67436ee2494d526c5d48b49ebba69b
SHA1 7c5f2b0577d6f7fd24b7042f4b84b536fbf23a32
SHA256 cf969e51b6262890f7c44abc7f8a16c4557f8055b8f603cc52059f4a62bb16bd
SHA512 2fd94b0b97c21ef6b4fa4e951a362347be77120696f0b5c3198fc9fd5b4edebf4fff6973127fe7a7536ee58f0bc0ced40601efd49863215fdf1b4dc8db9e04c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd4c7207cb063a494618c409868e46aa
SHA1 e8a1b828b9cfa46a915285d8a5c7fcd9eda60eb5
SHA256 2e55ab67ef44bcee140c4d8a796bf0a513f846694d6cdb49b34968a08df6228d
SHA512 98af6cc101de6fe07f56a749387b6abf4d22eccee7826a825d7620bfc637dff19414d1394a285159fd3d88cf367b9d644c0adc19d44325fa4099286e0d2fad30

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17277ceadb88cf29b18df04db5af3798
SHA1 b5e188ab11e6b0dc0616b4a65347b1ee16aaf7ff
SHA256 8077bf1bd0ef129347898f15d099f33861c38246f27fee67fff9e4d431dd0d40
SHA512 18eaa0f3fd53e0670cb0bf46fa4bfbb75e9746bcf03e664a6152d4d9588eac500a6a7bf16369ac7a1a3fc67a7329c0b0d38979be31c9450a729b569ebdfb07a3

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 b7ab7ab6b9c445db7a50620450970f77
SHA1 683a231521d6dd10664aec1b70f182065d24aef7
SHA256 04bf4712a8fbde15c7aab1397dbf6bda316d2221b5eaabaa1aadc31df52444bb
SHA512 2771b164a5598d5f7cbc85ad2baae18b2a4b7bda9ad77194c304dc39ec38ba00e810c71820d1508743182eb33a36aa99474e897ba34050b20c29ccc8e5f5197b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46b0823cfc3e2568f7aecaf423b9bc1d
SHA1 1d3194cfe4b3ac8f9e203066c2daf3ba4f90b13b
SHA256 7fbc4956fb3c68ce42aa3c13a2eb7bbd7d35d0d126ae9a1a3e954c580fb0c306
SHA512 0012a9845739c7fc0817201ed5f50742110ed2ef0c3783dd492e2a12302bc504b226a33b8b8b5b6cf67e1be4f5c03d52e8cc6d18b4cecf7016ab4d801dce8baf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 16:11

Reported

2024-05-29 16:14

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe"

Signatures

Detect PurpleFox Rootkit

rootkit

Gh0st RAT payload

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatfor.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatfor.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\R.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\240596437.txt C:\Users\Admin\AppData\Local\Temp\R.exe N/A
File created C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\R.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004f8caa1c9f4cba428e26b677a31a634000000000020000000000106600000001000020000000dbfea612a7a737da7726cee87e16ecdc67ca40a306ad6a273f508fa6ebd15cbd000000000e8000000002000020000000f5de24ff6f879b20bd785570ce8c63e667af17aec78f4f8cb560cbdd3778da7f20000000874da8ced414ea91f8ccfdc92df4c4f464982c85275c5ee250443d82183a380c40000000c8bfb89e9b6d8e0a6ef6e39fc5672f4c90141a1dc8f2cfa9d4852769e6b6d771b426e86fc19ed35a1bf68e3ad0f76e8d6dcb3e58f06b94546006dbaec58735fc C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f2c309e3b1da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50adc809e3b1da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4130681510" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004f8caa1c9f4cba428e26b677a31a634000000000020000000000106600000001000020000000383b8dcd2012c8fd93f6b67c6ee5875ded4b5675ec6a0c36666034d342a45124000000000e8000000002000020000000d6f06bab10b9bc5e6656624bb5e314a18514b0fbc28aa4b6b14af5c8eec17789200000005611542a36c5850875842c44e2312906d20ffc535390e45828df4cb05e12ecc64000000064a47b102ac71f653a99aa4b066ab998a1348f25663885057afa9ff2f0a24d1e61b02acb6785bc6decc56d4942320ace31ac5e368c01950db8a436b83fddbb08 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1FC8AC0C-1DD6-11EF-A2D1-620C7149A6B2} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4164432093" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423764071" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109602" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109602" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4130681510" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4164432093" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109602" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109602" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\N.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4708 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 4708 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 4708 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 4708 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 4708 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 4708 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 1420 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
PID 4708 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
PID 4708 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
PID 3544 wrote to memory of 5096 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 3544 wrote to memory of 5096 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 3544 wrote to memory of 5096 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 3084 wrote to memory of 976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3084 wrote to memory of 976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3084 wrote to memory of 976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3844 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3844 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3844 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2532 wrote to memory of 812 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2532 wrote to memory of 812 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 812 wrote to memory of 4640 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 812 wrote to memory of 4640 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 812 wrote to memory of 4640 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe

"C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe"

C:\Users\Admin\AppData\Local\Temp\R.exe

C:\Users\Admin\AppData\Local\Temp\\R.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1648 -ip 1648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 448

C:\Users\Admin\AppData\Local\Temp\N.exe

C:\Users\Admin\AppData\Local\Temp\\N.exe

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul

C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe

C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:812 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 se.360.cn udp
US 104.192.110.245:80 se.360.cn tcp
US 104.192.110.245:80 se.360.cn tcp
US 8.8.8.8:53 browser.360.cn udp
CN 1.193.215.228:443 browser.360.cn tcp
CN 1.193.215.228:443 browser.360.cn tcp
US 8.8.8.8:53 245.110.192.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
CN 36.158.204.228:443 browser.360.cn tcp
CN 36.158.204.228:443 browser.360.cn tcp
CN 61.163.171.161:443 browser.360.cn tcp
CN 61.163.171.161:443 browser.360.cn tcp
CN 61.184.9.227:443 browser.360.cn tcp
CN 61.184.9.227:443 browser.360.cn tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
CN 111.6.185.228:443 browser.360.cn tcp
CN 111.6.185.228:443 browser.360.cn tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 se.360.cn udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\R.exe

MD5 8dc3adf1c490211971c1e2325f1424d2
SHA1 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256 bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512 ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

C:\Windows\SysWOW64\240596437.txt

MD5 0ea572dddfbad4b1571d9303ff0c3b19
SHA1 0cbffaa84db8c9c1c739a032378b2e6995fcaa0c
SHA256 fb70755ccf0eec39694f2a60326c7150cd4cdb69065025758ed1a1cb26856c83
SHA512 2284ad9ad65d049e2035c9342a06c4c87a6f0213b14a2ffe5b2189bb72fcfca34f0d831dda8539b2df41d0bc88f85771c07ca8e155a114a39f3caa1c0d6c4a5c

C:\Users\Admin\AppData\Local\Temp\N.exe

MD5 4a36a48e58829c22381572b2040b6fe0
SHA1 f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA512 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

memory/1420-12-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1420-14-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1420-15-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1420-18-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3544-21-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3544-24-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3544-27-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe

MD5 45ebd25a2158aed5d54f1164c964c860
SHA1 15b6b76c2853b8309e2b2182bb02b42c8c1e9371
SHA256 22b1e9dd9ec5a056817f425234674aa961a649758f13308a698a4c92854ce4c3
SHA512 16cfdaa5d59d73f7cdd58f621b68b4b22d775b556194f40aa04c99c8798eddc5dbefe844ea3c161c0e188de2143f9c16764011ac68efcfb0d658e84d3cbb0419

memory/3544-33-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3544-23-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/5096-37-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/5096-39-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/5096-42-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 627d66bdc4801d57b692873de12f2875
SHA1 8dc1d7a0a4de3498e86c01e90fa1511a415e6d7e
SHA256 645050055b9bdafc47a28aef274db47cc1755a4e9fcf1875d099b90c48d7d23f
SHA512 f4b9bd1c845354907a9e3243a5317ad312e43abfece7336f070465aed64f6bbb214959423538c032c01d7157cb558d9e1e1c8b0380819d08a339fba4e4d419d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 a78885dc856faeb57c7549a4b25d6a6a
SHA1 62cd1234f65a694281b47fb54f6aeb300d023093
SHA256 d586a36a410c287a57fb08f3e0e137f7fa66a303aaa86396c72b81f6abad2c63
SHA512 f41c11f88c04a6f3c8fa528c199790ed701d4f5577820881d29d78f239d03171962942deaa8e53320d83784d77a013d243f84b8f4bcd47fb97e056a197f2093b

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD09E.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z5ILU938\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 b7ab7ab6b9c445db7a50620450970f77
SHA1 683a231521d6dd10664aec1b70f182065d24aef7
SHA256 04bf4712a8fbde15c7aab1397dbf6bda316d2221b5eaabaa1aadc31df52444bb
SHA512 2771b164a5598d5f7cbc85ad2baae18b2a4b7bda9ad77194c304dc39ec38ba00e810c71820d1508743182eb33a36aa99474e897ba34050b20c29ccc8e5f5197b