Malware Analysis Report

2024-09-22 15:20

Sample ID 240603-ptplmsga24
Target abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e
SHA256 abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e
Tags
gh0strat purplefox persistence rat rootkit trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e

Threat Level: Known bad

The file abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx

Detect PurpleFox Rootkit

Gh0strat

Gh0st RAT payload

PurpleFox

Sets service image path in registry

Drops file in Drivers directory

Sets DLL path for service in the registry

Checks computer location settings

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: LoadsDriver

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-03 12:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 12:37

Reported

2024-06-03 12:40

Platform

win7-20240508-en

Max time kernel

149s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatfor.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259396840.txt" C:\Users\Admin\AppData\Local\Temp\R.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatfor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\259396840.txt C:\Users\Admin\AppData\Local\Temp\R.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\R.exe N/A
File created C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\N.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 2460 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 2460 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 2460 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 2460 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2460 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2460 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2460 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2460 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2460 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2460 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2108 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1924 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2732 wrote to memory of 1924 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2732 wrote to memory of 1924 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2732 wrote to memory of 1924 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2732 wrote to memory of 1924 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2732 wrote to memory of 1924 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2732 wrote to memory of 1924 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2460 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe
PID 2460 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe
PID 2460 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe
PID 2460 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe
PID 2460 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe
PID 2460 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe
PID 2460 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe
PID 2652 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2652 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2652 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2652 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3064 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe
PID 3064 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe
PID 3064 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe
PID 3064 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe
PID 1816 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\HD-CheckCpu.exe
PID 1816 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\HD-CheckCpu.exe
PID 1816 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\HD-CheckCpu.exe
PID 1816 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\HD-CheckCpu.exe
PID 1284 wrote to memory of 1836 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 1284 wrote to memory of 1836 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 1284 wrote to memory of 1836 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 1284 wrote to memory of 1836 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe

Processes

C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe

"C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe"

C:\Users\Admin\AppData\Local\Temp\R.exe

C:\Users\Admin\AppData\Local\Temp\\R.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Users\Admin\AppData\Local\Temp\N.exe

C:\Users\Admin\AppData\Local\Temp\\N.exe

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe

C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\HD-CheckCpu.exe" --cmd checkHypervEnabled

C:\Windows\SysWOW64\Remote Data.exe

"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259396840.txt",MainThread

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 cloud.bluestacks.com udp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 8.8.8.8:53 delegate.bluestacks.com udp
US 52.21.129.184:443 delegate.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 52.21.129.184:443 delegate.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp

Files

\Users\Admin\AppData\Local\Temp\R.exe

MD5 8dc3adf1c490211971c1e2325f1424d2
SHA1 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256 bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512 ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

\Windows\SysWOW64\259396840.txt

MD5 4866cb16aa02afad6eea275a17c34517
SHA1 a3252550f456e4f2b215699530f3609f7c194a6f
SHA256 b83fd739f5e2b20d6b6ecbc4518d8d6fc09dab1472513d888ebc5514b97e1106
SHA512 da8b4c78f3cd2c8d384bf713540d37cd8eafb5f1e86264e24027ba19bd054e654b9447df12f53be4a2e770402beb52985fe35fbef13448c410c462888f466019

\Users\Admin\AppData\Local\Temp\N.exe

MD5 4a36a48e58829c22381572b2040b6fe0
SHA1 f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA512 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

memory/2108-18-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2108-21-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2108-20-0x0000000010000000-0x00000000101B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe

MD5 7dc4321f6abf7303d24f192ab8539d70
SHA1 f88604f35ddbe7dfa37a03b7a3e5124573c46b99
SHA256 5e1a07cb244d9af7c4259cdccd1d7ba2837bb9b71793019985bd6f889fc9b1ce
SHA512 f1078365d637ce237e09590013253d22b3d5a1ee05e0d20d86f9a0d8ca4555d2ec5d07fe2b53adfe7a50089789c5c878b51ec8cc6561d42bcb55ad2eb721a686

memory/1924-44-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1924-48-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1924-80-0x0000000010000000-0x00000000101B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe

MD5 afaa1ff1ca826fbd182cd68285a6fd40
SHA1 25982bd191895b0fe69c673fcf18a1bcd481b3d7
SHA256 48e6dfbc66f740b46ed2530e94c3ce2f154586ded094b9aba9e913be0cd7a6a8
SHA512 7f84ecab7e8f531ef5b9e9b72ab17a9c8da7d4c91839872dce59e838a2d82a5acbba59e0b5a12799b18cfee15b1e87a958bf649c4b512127bd0b03ae0e9c8f05

C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\BlueStacksInstaller.exe.config

MD5 1b456d88546e29f4f007cd0bf1025703
SHA1 e5c444fcfe5baf2ef71c1813afc3f2c1100cab86
SHA256 d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb
SHA512 c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

memory/1816-173-0x0000000000EF0000-0x0000000000F8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\JSON.dll

MD5 f5fd966e29f5c359f78cb61a571d1be4
SHA1 a55e7ed593b4bc7a77586da0f1223cfd9d51a233
SHA256 d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156
SHA512 d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

memory/1816-175-0x0000000000580000-0x00000000005E8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1E03.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\Locales\i18n.en-US.txt

MD5 206562eed57e938afe21fc6942fa8e59
SHA1 779e90fec866c0fd2f47da020651db71c89ec3dd
SHA256 27d611a71edf36307a7ed0651f6c5910292ac7e2b68074a7e33d306b3d93ec45
SHA512 275c3192a7aee28fad31beb521cf5e7c66010e7562ce244ba9fc4de352f35b4ab63180ed12a56ea0b1458c185e076e2d07ba6d8797467177d3c5b2ac14371b26

C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\HD-CheckCpu.exe

MD5 81234fd9895897b8d1f5e6772a1b38d0
SHA1 80b2fec4a85ed90c4db2f09b63bd8f37038db0d3
SHA256 2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c
SHA512 4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

memory/1816-240-0x0000000000430000-0x000000000043A000-memory.dmp

memory/1816-239-0x0000000000430000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\Assets\loader.png

MD5 03903fd42ed2ee3cb014f0f3b410bcb4
SHA1 762a95240607fe8a304867a46bc2d677f494f5c2
SHA256 076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1
SHA512 8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\ThemeFile

MD5 c3e6bab4f92ee40b9453821136878993
SHA1 94493a6b3dfb3135e5775b7d3be227659856fbc4
SHA256 de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6
SHA512 a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf1a46d5bb1e2f75371fa5f7527b1c9c
SHA1 634fdbf6ad4e3e728525785b162b72a645350cdc
SHA256 8c2515cfe945e791be58c6c96b94d5f6e5038c974d141c15f2589858f99a0e64
SHA512 49119fa97441cb5b7ae19ecd638112f4e8729d17f0e8cbfb789f9d1125b1e5a90ff869addfe9d716aeb07c2f24983e6cb5808001e8c80f8f81c8a2e4aec7a1f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cbd84da68c30ec5f6bca0eec3258e6be
SHA1 26727e39599199eb067e0765bbe7a8146ff7295c
SHA256 b1e7d7566378578415206e78f69d5c74549a31e6aec06664132cc4794c0abdd5
SHA512 a8603761d09318c7da87fb958f58c2a32b25053a240c7417a1abf051ead39aafbc160511b93129014a4da839c396ef0bc27dbbb5238dc1ffb2414af3c57729cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 efb6aea7121c13f1c9bf5581a2d832af
SHA1 464e0da1240b6a7cce2733784f0ff7d363f9c510
SHA256 8ae74d0da46c98968761bdec5bd9b106eecebdb62d6c2024f7d420ebbb8b6b7f
SHA512 4885939eb3de36b4d869219fa41bd4424d737e378a673ce61101b4cc01326709e405bbc2f3abb44f4feb46efa8b56fd7df5d09684dc8547d9b8bba07baf4bb24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 767eb573c745899b8473d23ee0d34991
SHA1 2822a418234a05a766d38d7ff094ab29eaf8bd12
SHA256 1f9122850fb42a552b268d224bc25cad6f672b8a912648f3ce7ed27ed399cbf5
SHA512 ccd3a2987a5b379675371c6fafb49f523e5d01205c979ba26753b225c5a2831b8a0df32eb13cac36ad67bb73a3e6c1a5a49e5c94dd294b8f10b827d602e1521e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 801d672c742b78f82c5376d262f76945
SHA1 fb7446323ad65196516c1bcd22778ddd63e4a0ea
SHA256 c46a596b383b5a03fe710232b89cc74e6d70e26948a56c5604f26741aa2cd807
SHA512 4ce69a6c930e400ffd81fba0d8ae0830dcc0c2e5ce2744b57c6c1e434846c884f5e911eb59427a033dd5065609ccd207ee208e3a584dd014c80306411a8de0df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1b0b98043c7282d0abbe7d8045b0bb2
SHA1 e70b31bd1cd3189730cd07e8dee08017fb812a5d
SHA256 5dcaee4aa2f751afdf85f49af1b40dc512db0db3af7759fc465d938bf2bcfe82
SHA512 0fdfbec531b636adb05b3c8cf24c63a50ad41cbaec7ef7e44bce8aa91d234c332bddf8f27f785d2ddecb35893a5acca023c94a41b6a2d765e35ad9bd7fcf172f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34159d2256be974eacd4be73a2096a98
SHA1 379e55b48ea00c378c6e9a64b6acfedb1479394b
SHA256 5132cf3ab8c5e74205f0f845b6848ea37380d65b67300a7e23c46229e2699900
SHA512 1e09309576f17e09bdb5f3f210e3da9ec87a238006af913c748e046d77ec8e5f5014faacf2e75619d95c05de7d7ec2c297ee203b12bd480080358ac7b6148582

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56c10455e8c9735a5bfcc56dde298054
SHA1 975129a7ee2e73fefe709aa2c5fc06bd8ee78c25
SHA256 0d80d2e8b1f651410852444638340370394caa4c0404e4d241d8236c2c8304ed
SHA512 23ceb92518454bb39e0088970c1fbc148f5b7043cd2e8d38a204bc7a605d3ae03e9fcda0fd3d425e9648a32f141d0c34f75f5025dfb5d50c03a468836730a861

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a45a0a2f586bbece8648d6a12e63e063
SHA1 47700c65a84fa01de543fdb12ae9ad5d98120530
SHA256 d6e8fe723885c2caaf4931b719fec607444e11db3b63363f7e489c0ffb43d330
SHA512 0b51fa47b173cd125c04fa29a43b050a3ccbe1e70075e82b4ee076245b583667ef731673b843e55a0caa1922e756d50e881686bcb957ab7034c13e7d063936b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f5807021d3e98c92afe1d6ee935b9e1
SHA1 50024c38fc8649d40223ed14fe1019f8b06f2d0c
SHA256 72d30086232ece578322829b40c57785dd649d07b237d33597e29a3c9b725fa2
SHA512 0121746828323d25bf27cbf63fae8890ebde5bb0d53e3edbaa31d28f8bd5aa6a5f8b2cc3c8228e98c1f5ad5fbc68ba26247e88c72ea7860bd7832cf135aa1baf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0931699e0ae552ecedca7398f7a4bc48
SHA1 9450693c9ad280b17662e14f3f0d16fed581bac7
SHA256 bbbe77486d2120e35cc5287bfca5d88c912befdd771be9741d61d2c2771442a0
SHA512 f7ebc7605a7dd69864e7e54f4a1b039654829a9a55c4623ca46290b33a5961f547cb128b3766f6239b8313c278e5786a08e471ec5fc3b89bee25530e588d2a68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 decc917a9fa141938f1ff8f16e2b28f5
SHA1 a23ec71f349ad4e8d9c85e6143c5643f96e39a87
SHA256 9d847cc8bf64fba4b3af26f08ce33a362a9d24db323cedbb9e2e0eef8e1ea4b2
SHA512 64a4bb403defdc4dc1ce717799ff0e09f65120981c692844db5005146d310aab53fb3c76adafac6aa3df5c7727341cc70f9d095818c08a7e30f36f1e1aeeb1bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7729d0e3fdeb736f8fcae0b92975f27
SHA1 7f63fef27b2d9b34eb957b5fa8ed32195c640d32
SHA256 d8566094f561bc7e576d6f6436432d2b7ad33097d10a49419ae36c1439f2b658
SHA512 e59f34b3408b4410d8e09e546dd37cb4b0477fade8ed256949872700d51fd5711766c7d18ee3d673776f44497a7cf6b9ec98c011aa4e7b4da1f42c5465d63c65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ec9cabc8d792e2b6c41cdfc9a122681
SHA1 29ad7a56895c18ff5d2ff3be567e247876d5e78d
SHA256 f0022dd4adeb1ea761cb8fe1e9b7e9c905c4a14a79a3f74f64dbabeb6a01c896
SHA512 dcc0ea70663d6d4563228209fc87d43429e10e2fe1dbb27aa54c72851bdd9191f0b491b370a18b7b5a853dffe4ff1ddd6c486ac77043117fd9058329af693066

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc93ce05f34091f0054157fc5a2663bb
SHA1 3b03b750934530d7380c66daf319f54751c90b5a
SHA256 a902b9654cc3e8255f8dc807e9c781cbe5f46271449c500e7e517f841296d4df
SHA512 d5046108156cf8934af0cb682a3d58deb9a7b233a3f94f2426c5e33c912e3458fb7b580d956e05d0c85baedbc05dac633593c139aa216b86a47fde11f0841bb4

C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\Assets\exit_close.png

MD5 26eb04b9e0105a7b121ea9c6601bbf2a
SHA1 efc08370d90c8173df8d8c4b122d2bb64c07ccd8
SHA256 7aaef329ba9fa052791d1a09f127551289641ea743baba171de55faa30ec1157
SHA512 9df3c723314d11a6b4ce0577eb61488061f2f96a9746a944eb6a4ee8c0c4d29131231a1b20988ef5454b79f9475b43d62c710839ecc0a9c98324f977cab6db68

C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\Assets\minimize_progress.png

MD5 1504b80f2a6f2d3fefc305da54a2a6c2
SHA1 432a9d89ebc2f693836d3c2f0743ea5d2077848d
SHA256 2f62d4e8c643051093f907058dddc78cc525147d9c4f4a0d78b4d0e5c90979f6
SHA512 675db04baf3199c8d94af30a1f1c252830a56a90f633c3a72aa9841738b04242902a5e7c56dd792626338e8b7eabc1f359514bb3a2e62bc36c16919e196cfd94

\Windows\SysWOW64\Remote Data.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\Assets\error_icon_72.png

MD5 4aaf83d2b3fd56ad806708e60474df39
SHA1 144777a265879b69fadea3eb3ac6939458918578
SHA256 84e59d14d9433e6c3d92daeb8c443063b5e3be6c0b297f0403dbde473a05cb3f
SHA512 3b8485f054fe6ed2374bc81cb1786f09741219fbfcb22503707b11cf5db1ab262ba4349633597d5d9ddabc3415b170fa8eebc932f58d211d7092b8fb96fa1304

C:\Users\Admin\AppData\Local\Temp\7zS8FB50306\Assets\link.png

MD5 ae2c73ee43d722c327c7fb6fdbee905c
SHA1 96f238bf53ac80f5b7a9ad6ef2531e8e3f274628
SHA256 28c0abc6bfe7a155815104883a37a53dd783d142300471064c95eddf3cae0eaf
SHA512 5a1e341f727cf1cb4832cced8e96c5a74971451629603c48bfb91ceb4561d0122ab9ae701f8b34681d5f13115a384467d430ccb8282494b40f4577ebc3ad825b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe74328d65b75cd9af4b3ae3e0bdc3d9
SHA1 e13e684f79abceb763f8ffb18f47673f114e88b9
SHA256 79b62ddd65e47534ae31e74815298f6023368ee86911e0f51f7e644a1b9dd286
SHA512 258fbb07d15695f8eb1905d3d46588a100cab751531fb9208e4a313b47ecb8a41da625d1e7636c15dcd7200c9f733eeebd1bf26f0bc43fe08afe8cb56b1a00c8

memory/1816-927-0x0000000000430000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 b5d8bb398b8becec50bbfdc050092b1d
SHA1 d62c9521e0585b74183b51d921fcb06d114e8932
SHA256 eb0f5f9a7d0d328e67c8e250a41decc5bcb0fe3935ad4c2eb27063beaa99fe08
SHA512 7602c55cf3bd117bdc39375ac1fdc1fc49953e0f31e277207f1f90747c32f2b38d445c99ef4c1f4df9b2565499fcb77fc259b37084d6bfd6d981d68fcb913dff

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 12:37

Reported

2024-06-03 12:40

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatfor.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240618500.txt" C:\Users\Admin\AppData\Local\Temp\R.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatfor.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\R.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\Remote Data.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A
File created C:\Windows\SysWOW64\240618500.txt C:\Users\Admin\AppData\Local\Temp\R.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\R.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\N.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\BlueStacksInstaller.exe N/A
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege; the sandbox did not resolve the name) N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege; the sandbox did not resolve the name) N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3760 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 3760 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 3760 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 3760 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 3760 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 3760 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 3180 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 892 wrote to memory of 712 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 892 wrote to memory of 712 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 892 wrote to memory of 712 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 3760 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe
PID 3760 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe
PID 3760 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe
PID 4256 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\BlueStacksInstaller.exe
PID 4256 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\BlueStacksInstaller.exe
PID 4544 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4544 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4544 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4852 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\HD-CheckCpu.exe
PID 4852 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\HD-CheckCpu.exe
PID 4852 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\HD-CheckCpu.exe
PID 4852 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\HD-CheckCpu.exe
PID 4852 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\HD-CheckCpu.exe
PID 4852 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\HD-CheckCpu.exe
PID 4400 wrote to memory of 3468 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 4400 wrote to memory of 3468 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 4400 wrote to memory of 3468 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe

Processes

C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe

"C:\Users\Admin\AppData\Local\Temp\abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe"

C:\Users\Admin\AppData\Local\Temp\R.exe

C:\Users\Admin\AppData\Local\Temp\\R.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Users\Admin\AppData\Local\Temp\N.exe

C:\Users\Admin\AppData\Local\Temp\\N.exe

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe

C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\BlueStacksInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\BlueStacksInstaller.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\HD-CheckCpu.exe" --cmd checkHypervEnabled

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\HD-CheckCpu.exe" --cmd checkSSE4

C:\Windows\SysWOW64\Remote Data.exe

"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240618500.txt",MainThread
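The signature rows and process list above record one coherent chain: R.exe registers a service DLL whose "DLL" is a .txt file in system32 and hosts it under a custom svchost group ("Remote Data"), then a renamed host loads that file with rundll32's `"<module>",<EntryPoint>` argument shape; separately N.exe registers the QAssist.sys driver by writing ImagePath directly and erases itself with the `cmd /c ping -n 2 127.0.0.1 > nul && del ...` delay-then-delete idiom. The triage rules below turn each of those observations into a check. This is an added example written for this page, not the sandbox's code or output format: the one-dict-per-event schema, the parent-process attribution for the svchost host, the two benign control events and the stock svchost group list are assumptions made for the example.

```python
"""Triage rules for the persistence and self-deletion chain recorded in the
behavioral2 signatures and process list above.

Added example; not the sandbox's code or output format.  The event schema
(one dict per event), the parent attribution for the svchost host and the
stock svchost group list are assumptions made for this example.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

Event = Dict[str, str]
Finding = Tuple[str, str]

# Constructed events modelled on the registry writes and command lines above;
# the last two are benign controls so the rules have something to pass.
EVENTS: List[Event] = [
    {"type": "reg_set",
     "key": r"HKLM\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll",
     "value": r"C:\Windows\system32\240618500.txt",
     "proc": r"C:\Users\Admin\AppData\Local\Temp\R.exe"},
    {"type": "reg_set",
     "key": r"HKLM\SYSTEM\ControlSet001\Services\QAssist\ImagePath",
     "value": r"system32\DRIVERS\QAssist.sys",
     "proc": r"C:\Windows\SysWOW64\TXPlatfor.exe"},
    {"type": "proc",
     "cmd": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\N.exe"},
    {"type": "proc",
     "cmd": r'C:\Windows\SysWOW64\svchost.exe -k "Remote Data"',
     "parent": r"C:\Windows\system32\services.exe"},          # parent assumed
    {"type": "proc",
     "cmd": r'"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240618500.txt",MainThread',
     "parent": r"C:\Windows\SysWOW64\svchost.exe"},
    {"type": "reg_set",                                        # benign control
     "key": r"HKLM\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServiceDll",
     "value": r"%SystemRoot%\System32\dnsrslvr.dll",
     "proc": r"C:\Windows\system32\services.exe"},
    {"type": "proc",                                           # benign control
     "cmd": r"C:\Windows\System32\svchost.exe -k NetworkService -p",
     "parent": r"C:\Windows\System32\services.exe"},
]

# Partial list of stock svchost groups (assumption; build the real allowlist from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost on a clean image).
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "networkservice", "localservice", "dcomlaunch", "rpcss",
    "localservicenetworkrestricted", "localsystemnetworkrestricted",
    "localservicenonetwork", "localservicenorestriction", "wsappx",
    "utcsvc", "appmodel", "unistacksvcgroup", "netsvcs_restricted",
}

# "ping -n N 127.0.0.1 && del <file>" is the classic delay-then-delete idiom.
SELF_DELETE = re.compile(r"ping\s+-n\s+\d+\s+127\.0\.0\.1.*?&&\s*del\s+(?P<target>\S+)", re.I)
SVCHOST_GROUP = re.compile(r'svchost\.exe\s+-k\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))', re.I)
# rundll32's argument convention: <host> "<module>",<EntryPoint>
RUNDLL_STYLE = re.compile(r'^"?(?P<host>[^"]+?\.exe)"?\s+"?(?P<module>[^",]+)"?\s*,\s*(?P<entry>\w+)\s*$', re.I)


def _ext(path: str) -> str:
    return PureWindowsPath(path).suffix.lower()


def _from_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def check_registry(ev: Event) -> List[Finding]:
    out: List[Finding] = []
    key, value, proc = ev["key"], ev["value"], ev["proc"]
    leaf = key.rsplit("\\", 1)[-1].lower()
    if leaf == "servicedll":
        if _ext(value) != ".dll":
            out.append(("servicedll_non_dll", f"{key} -> {value}"))
        if _from_user_temp(proc):
            out.append(("servicedll_writer_in_temp", f"{proc} wrote {key}"))
    elif leaf == "imagepath" and "\\drivers\\" in value.lower():
        # CreateService is an RPC into the SCM, so services.exe normally writes
        # ImagePath; a user-mode binary writing it directly bypasses that path.
        if not proc.lower().endswith("\\services.exe"):
            out.append(("driver_imagepath_direct_write", f"{proc} set {key} -> {value}"))
    return out


def check_process(ev: Event) -> List[Finding]:
    out: List[Finding] = []
    cmd, parent = ev["cmd"], ev.get("parent", "")
    m = SELF_DELETE.search(cmd)
    if m:
        target = m.group("target")
        tag = "self_delete" if target.lower() == parent.lower() else "delayed_delete"
        out.append((tag, f"{parent or '?'} -> {target}"))
    m = SVCHOST_GROUP.search(cmd)
    if m:
        group = m.group("quoted") or m.group("bare")
        if group.lower() not in KNOWN_SVCHOST_GROUPS:
            out.append(("svchost_unknown_group", group))
    m = RUNDLL_STYLE.match(cmd)
    if m and _ext(m.group("module")) != ".dll":
        out.append(("rundll_style_non_dll",
                    f"{m.group('host')} loads {m.group('module')}!{m.group('entry')}"))
    return out


def triage(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        findings += check_registry(ev) if ev["type"] == "reg_set" else check_process(ev)
    return findings


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:32} {detail}")
```

Run against the constructed events, the rules fire once each on the five malicious records (two hits on the ServiceDll write, since both the .txt extension and the Temp-resident writer are independent tells) and stay quiet on the Dnscache and NetworkService controls. The `delayed_delete` branch exists because the same ping-and-del idiom is also used to remove a dropper other than the parent, which is worth a lower-severity tag rather than silence.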

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 cloud.bluestacks.com udp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 181.86.160.34.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 cdn-bgp.bluestacks.com udp
GB 104.91.71.143:443 cdn-bgp.bluestacks.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 143.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
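Two things in the Network table deserve a second look: hackerinvasion.f3322.net (a dynamic-DNS zone) is queried many times without a single TCP or UDP session to a resolved address following it, which is what a client whose C2 name is not resolving looks like while it retries, and the many `in-addr.arpa` rows are reverse lookups of the sandbox's own peers rather than malware activity. The function below applies that reading to a constructed subset of the rows. This is an added example, not the sandbox's code; the DDNS zone list is a partial assumption and the retry threshold is a chosen constant.

```python
"""DNS triage for the Network table above: separate reverse-lookup noise,
flag dynamic-DNS zones and spot a name that is queried repeatedly but never
connected to.

Added example; not the sandbox's code.  The DDNS zone list is a partial
assumption and the rows below are a constructed subset of the table.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Set


class Flow(NamedTuple):
    dst: str
    port: int
    name: str
    proto: str


# Constructed subset of the Network rows above (country column dropped).
NETWORK_ROWS = """\
8.8.8.8:53 13.86.106.20.in-addr.arpa udp
8.8.8.8:53 hackerinvasion.f3322.net udp
8.8.8.8:53 cloud.bluestacks.com udp
34.160.86.181:443 cloud.bluestacks.com tcp
8.8.8.8:53 181.86.160.34.in-addr.arpa udp
8.8.8.8:53 cdn-bgp.bluestacks.com udp
104.91.71.143:443 cdn-bgp.bluestacks.com tcp
23.62.61.194:443 www.bing.com tcp
8.8.8.8:53 hackerinvasion.f3322.net udp
8.8.8.8:53 hackerinvasion.f3322.net udp
8.8.8.8:53 hackerinvasion.f3322.net udp
8.8.8.8:53 hackerinvasion.f3322.net udp
"""

# Dynamic-DNS zones frequently seen as Gh0st-family C2; partial list (assumption).
DDNS_ZONES = ("f3322.net", "f3322.org", "3322.org", "8800.org", "8866.org",
              "6600.org", "no-ip.com", "ddns.net", "duckdns.org")
RETRY_THRESHOLD = 3  # lookups of one name with no follow-up session (chosen value)


def parse_rows(text: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dst, name, proto = line.split()
        ip, port = dst.rsplit(":", 1)
        flows.append(Flow(ip, int(port), name, proto))
    return flows


def ptr_target(name: str) -> Optional[str]:
    """'13.86.106.20.in-addr.arpa' -> '20.106.86.13'; None for forward names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def is_ddns(name: str) -> bool:
    n = name.lower()
    return any(n == z or n.endswith("." + z) for z in DDNS_ZONES)


def triage_dns(flows: List[Flow]) -> Dict[str, object]:
    lookups: Counter = Counter()
    contacted: Set[str] = set()
    ptr_noise: List[str] = []
    for f in flows:
        if f.port == 53:
            target = ptr_target(f.name)
            if target:
                ptr_noise.append(target)      # reverse lookups of the sandbox's own peers
            else:
                lookups[f.name] += 1
        else:
            contacted.add(f.name)             # a real TCP/UDP session followed the lookup
    ddns = {}
    for name, n in lookups.items():
        if is_ddns(name):
            ddns[name] = {
                "lookups": n,
                "contacted": name in contacted,
                # repeated queries and no session: resolution failing, client retrying
                "retry_loop": n >= RETRY_THRESHOLD and name not in contacted,
            }
    never_contacted = sorted(n for n in lookups if n not in contacted and not is_ddns(n))
    return {"ddns": ddns, "ptr_noise": ptr_noise, "never_contacted": never_contacted}


if __name__ == "__main__":
    for key, value in triage_dns(parse_rows(NETWORK_ROWS)).items():
        print(key, value)
```

On the constructed rows the only DDNS name is flagged with five lookups, no session and `retry_loop` set, the two PTR rows are reduced to the peer addresses they were asking about, and the BlueStacks hosts drop out because a 443 session followed each lookup. A `retry_loop` hit with no session is the case to escalate: the name is an indicator even though the sandbox never saw the C2 traffic itself.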

Files

C:\Users\Admin\AppData\Local\Temp\R.exe

MD5 8dc3adf1c490211971c1e2325f1424d2
SHA1 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256 bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512 ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

C:\Windows\SysWOW64\240618500.txt

MD5 4866cb16aa02afad6eea275a17c34517
SHA1 a3252550f456e4f2b215699530f3609f7c194a6f
SHA256 b83fd739f5e2b20d6b6ecbc4518d8d6fc09dab1472513d888ebc5514b97e1106
SHA512 da8b4c78f3cd2c8d384bf713540d37cd8eafb5f1e86264e24027ba19bd054e654b9447df12f53be4a2e770402beb52985fe35fbef13448c410c462888f466019

C:\Users\Admin\AppData\Local\Temp\N.exe

MD5 4a36a48e58829c22381572b2040b6fe0
SHA1 f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA512 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

memory/3180-17-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3180-23-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3180-20-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3180-19-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/892-28-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/892-29-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/892-26-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/712-35-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/712-40-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e.exe

MD5 7dc4321f6abf7303d24f192ab8539d70
SHA1 f88604f35ddbe7dfa37a03b7a3e5124573c46b99
SHA256 5e1a07cb244d9af7c4259cdccd1d7ba2837bb9b71793019985bd6f889fc9b1ce
SHA512 f1078365d637ce237e09590013253d22b3d5a1ee05e0d20d86f9a0d8ca4555d2ec5d07fe2b53adfe7a50089789c5c878b51ec8cc6561d42bcb55ad2eb721a686

memory/712-56-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 b5d8bb398b8becec50bbfdc050092b1d
SHA1 d62c9521e0585b74183b51d921fcb06d114e8932
SHA256 eb0f5f9a7d0d328e67c8e250a41decc5bcb0fe3935ad4c2eb27063beaa99fe08
SHA512 7602c55cf3bd117bdc39375ac1fdc1fc49953e0f31e277207f1f90747c32f2b38d445c99ef4c1f4df9b2565499fcb77fc259b37084d6bfd6d981d68fcb913dff

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\BlueStacksInstaller.exe

MD5 afaa1ff1ca826fbd182cd68285a6fd40
SHA1 25982bd191895b0fe69c673fcf18a1bcd481b3d7
SHA256 48e6dfbc66f740b46ed2530e94c3ce2f154586ded094b9aba9e913be0cd7a6a8
SHA512 7f84ecab7e8f531ef5b9e9b72ab17a9c8da7d4c91839872dce59e838a2d82a5acbba59e0b5a12799b18cfee15b1e87a958bf649c4b512127bd0b03ae0e9c8f05

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\BlueStacksInstaller.exe.config

MD5 1b456d88546e29f4f007cd0bf1025703
SHA1 e5c444fcfe5baf2ef71c1813afc3f2c1100cab86
SHA256 d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb
SHA512 c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

memory/4852-177-0x0000000000A00000-0x0000000000A9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\JSON.dll

MD5 f5fd966e29f5c359f78cb61a571d1be4
SHA1 a55e7ed593b4bc7a77586da0f1223cfd9d51a233
SHA256 d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156
SHA512 d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

memory/4852-179-0x000000001B720000-0x000000001B788000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\Locales\i18n.en-US.txt

MD5 206562eed57e938afe21fc6942fa8e59
SHA1 779e90fec866c0fd2f47da020651db71c89ec3dd
SHA256 27d611a71edf36307a7ed0651f6c5910292ac7e2b68074a7e33d306b3d93ec45
SHA512 275c3192a7aee28fad31beb521cf5e7c66010e7562ce244ba9fc4de352f35b4ab63180ed12a56ea0b1458c185e076e2d07ba6d8797467177d3c5b2ac14371b26

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\HD-CheckCpu.exe

MD5 81234fd9895897b8d1f5e6772a1b38d0
SHA1 80b2fec4a85ed90c4db2f09b63bd8f37038db0d3
SHA256 2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c
SHA512 4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

memory/4852-187-0x000000001CCC0000-0x000000001D1E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\Assets\loader.png

MD5 03903fd42ed2ee3cb014f0f3b410bcb4
SHA1 762a95240607fe8a304867a46bc2d677f494f5c2
SHA256 076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1
SHA512 8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\ThemeFile

MD5 c3e6bab4f92ee40b9453821136878993
SHA1 94493a6b3dfb3135e5775b7d3be227659856fbc4
SHA256 de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6
SHA512 a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895

memory/4852-191-0x000000001C2D0000-0x000000001C2DE000-memory.dmp

memory/4852-190-0x000000001C300000-0x000000001C338000-memory.dmp

C:\Windows\SysWOW64\Remote Data.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\Assets\installer_minimize.png

MD5 38b539a1e4229738e5c196eedb4eb225
SHA1 f027b08dce77c47aaed75a28a2fce218ff8c936c
SHA256 a064f417e3c2b8f3121a14bbded268b2cdf635706880b7006f931de31476bbc2
SHA512 2ce433689a94fae454ef65e0e9ec33657b89718bbb5a038bf32950f6d68722803922f3a427278bad432395a1716523e589463fcce4279dc2a895fd77434821cc

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\Assets\close_red.png

MD5 93216b2f9d66d423b3e1311c0573332d
SHA1 5efaebec5f20f91f164f80d1e36f98c9ddaff805
SHA256 d0b6d143642d356b40c47459a996131a344cade6bb86158f1b74693426b09bfb
SHA512 922a7292de627c5e637818556d25d9842a88e89f2b198885835925679500dfd44a1e25ce79e521e63c4f84a6b0bd6bf98e46143ad8cee80ecdbaf3d3bc0f3a32

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\Assets\installer_logo.png

MD5 e33432b5d6dafb8b58f161cf38b8f177
SHA1 d7f520887ce1bfa0a1abd49c5a7b215c24cbbf6a
SHA256 9f3104493216c1fa114ff935d23e3e41c7c3511792a30b10a40b507936c0d183
SHA512 520dc99f3176117ebc28da5ef5439b132486ef67d02fa17f28b7eab0c59db0fa99566e44c0ca7bb75c9e7bd5244e4a23d87611a55c841c6f9c9776e457fb1cbf

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\Assets\custom.png

MD5 03b17f0b1c067826b0fcc6746cced2cb
SHA1 e07e4434e10df4d6c81b55fceb6eca2281362477
SHA256 fbece8bb5f4dfa55dcfbf41151b10608af807b9477e99acf0940954a11e68f7b
SHA512 67c78ec01e20e9c8d9cdbba665bb2fd2bb150356f30b88d3d400bbdb0ae92010f5d7bcb683dcf6f895722a9151d8e669d8bef913eb6e728ba56bb02f264573b2

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\Assets\unchecked_gray.png

MD5 e50df2a0768f7fc4c3fe8d784564fea3
SHA1 d1fc4db50fe8e534019eb7ce70a61fd4c954621a
SHA256 671f26795b12008fbea1943143f660095f3dca5d925f67d765e2352fd7ee2396
SHA512 c87a8308a73b17cbdd179737631fb1ba7fdaeb65e82263f6617727519b70a81266bb695867b9e599c1306ee2cf0de525452f77ce367ca89bf870ea3ae7189998

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\Assets\backicon.png

MD5 7ff5dc8270b5fa7ef6c4a1420bd67a7f
SHA1 b224300372feaa97d882ca2552b227c0f2ef4e3e
SHA256 fa64884054171515e97b78aaa1aad1ec5baa9d1daf9c682e0b3fb4a41a9cb1c1
SHA512 f0d5a842a01b99f189f3d46ab59d2c388a974951b042b25bbce54a15f5a3f386984d19cfca22ba1440eebd79260066a37dfeff6cb0d1332fca136add14488eef

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\Assets\setpath.png

MD5 b2e7f40179744c74fded932e829cb12a
SHA1 a0059ab8158a497d2cf583a292b13f87326ec3f0
SHA256 5bbb2f41f9f3a805986c3c88a639bcc22d90067d4b8de9f1e21e3cf9e5c1766b
SHA512 b95b7ebdb4a74639276eaa5c055fd8d9431e2f58a5f7c57303f7cf22e8b599f6f2a7852074cf71b19b49eb31cc9bf2509aedf41d608981d116e49a00030c797c

memory/4852-204-0x0000000020670000-0x0000000020678000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0A0961D7\Assets\installer_bg.jpg

MD5 3478e24ba1dd52c80a0ff0d43828b6b5
SHA1 b5b13bbf3fb645efb81d3562296599e76a2abac0
SHA256 4c7471c986e16de0cd451be27d4b3171e595fe2916b4b3bf7ca52df6ec368904
SHA512 5c8c9cc76d6dbc7ce482d0d1b6c2f3d48a7a510cd9ed01c191328763e1bccb56daeb3d18c33a9b10ac7c9780127007aa13799fa82d838de27fbe0a02ad98119d