Malware Analysis Report

2024-09-22 14:59

Sample ID 240606-d6sy2sgf45
Target 9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3
SHA256 9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3
Tags
gh0strat purplefox persistence rat rootkit trojan upx discovery evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3

Threat Level: Known bad

The file 9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx discovery evasion spyware stealer

Gh0strat

Detect PurpleFox Rootkit

PurpleFox

Gh0st RAT payload

Sets service image path in registry

Drops file in Drivers directory

Reads user/profile data of web browsers

UPX packed file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Checks installed software on the system

Checks system information in the registry

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious behavior: LoadsDriver

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-06 03:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 03:37

Reported

2024-06-06 03:51

Platform

win7-20240221-en

Max time kernel

7s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | N/A
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2156 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2156 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2156 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2156 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2156 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2156 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2156 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2044 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe
PID 2156 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe
PID 2156 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe
PID 2156 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe
PID 2304 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2304 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2304 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2304 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2304 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2304 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2304 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2672 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2672 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2672 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2672 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2596 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2596 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2596 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe

"C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe

C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://pc.weixin.qq.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2944 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp
US | 8.8.8.8:53 | pc.weixin.qq.com | udp
US | 8.8.8.8:53 | pc.weixin.qq.com | udp
HK | 43.155.124.49:80 | pc.weixin.qq.com | tcp
HK | 43.155.124.49:80 | pc.weixin.qq.com | tcp
HK | 43.155.124.49:443 | pc.weixin.qq.com | tcp
US | 8.8.8.8:53 | ocsp.digicert.cn | udp
GB | 79.133.176.166:80 | ocsp.digicert.cn | tcp
US | 8.8.8.8:53 | res.wx.qq.com | udp
GB | 43.132.64.188:443 | res.wx.qq.com | tcp
GB | 43.132.64.188:443 | res.wx.qq.com | tcp
GB | 43.132.64.188:443 | res.wx.qq.com | tcp
GB | 43.132.64.188:443 | res.wx.qq.com | tcp
GB | 43.132.64.188:443 | res.wx.qq.com | tcp
GB | 79.133.176.166:80 | ocsp.digicert.cn | tcp
GB | 79.133.176.166:80 | ocsp.digicert.cn | tcp
GB | 79.133.176.166:80 | ocsp.digicert.cn | tcp
GB | 79.133.176.166:80 | ocsp.digicert.cn | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/2044-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2044-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2044-10-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2044-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2732-44-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2732-62-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2304-41-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 fb1d8296569bcb3582d0c85c6cdd8aaf
SHA1 c92ebe86c07f3bdfbfff40cd531bf95b98d33771
SHA256 cf3aafcd22549318d89c4dca8f0f1febe69cd8018803476f6d9e8e1ccf0a03c0
SHA512 1810fbb2ca21db4370ebbd53e6c8ea9aa50c748b4878191dd963391c0577b5da12c480b57a5e67510c4c1713b9b10f5076138e10eff5a7a7cf41e33eb6331f75

C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe

MD5 f425849e05301fd33488dfc5a81f3ef5
SHA1 ff887ef2d9f5134a9afb0223f2363bd02a0425d2
SHA256 67f7a19691a795d39de97cb2e5aa02461b2529b14c3d46e5e41a1df255c54730
SHA512 11b2ee9cd829c472819c281fc6a3d0f78ddf133fa50e63d6ef8ed5161451a0acc3059948b7a8f2f57d9646d34289f0a23f7ec00e8bf8e53cabbe0834d25d37e8

memory/2732-70-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2304-18-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_9B8670363F58B4643EB28A4A03EE9887

MD5 612c4484bc31b00e5d8c3bcb0d0575aa
SHA1 0766ab0e67199e56b90c646a07b1673ce6fb64a6
SHA256 3641fbaac8b44b641afd29ea9687fea3f6989fb37dc0068749525df65d50440a
SHA512 77905b1ef0e1e5d21017b09a6746e66471c0d90d313c861354954648880333af37cd68ddc2ff3c51885d2893c979dd5deda427fe01dd7091e307cf836c6ef4fe

C:\Users\Admin\AppData\Local\Temp\Tar7B5B.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Cab7B58.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73b5c9f829d5eafeb3f8c2b088d437b6
SHA1 131c9dcf7d4ab526f5f3cfba3bca4c3bd642b9f1
SHA256 ed859adedc50e1e7b7a25672d567627846e79900752bc7e45dd4b0593b58786d
SHA512 69b0936a2c51df63902b99fb9dd79ef5c929625dbb6f235b68998b6f3049b568567535758d0cc37ddf72404f5349a8e987f62e7e3e6a4c1a3f9099ef2a1e5249

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar7CB9.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e0508a6a3085036a62df4d3f5ec1dd7
SHA1 1cd309dcf10270c24bc5de355b72d98fa48aeb6e
SHA256 1bb464d2ab7134b6441a5bee9b3b1e52572236f6082e04b989c358139a3a5843
SHA512 ddb1d1701bba19120429e65da7eba9d27cd25e6709de93a1453fe007d169524896186411fc7cfdad331acfac21e63b536513f8731b1b201c28c2f46405b7ab12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee0972154f138a3f903a83de760b1e50
SHA1 1f200c2c4f465ca35b62b32074c0bb99d7322b20
SHA256 4bb75145854b944f5f912607ea4362d2178a665557c092800a9e19b9b16724b0
SHA512 09b84341cc0c21b3219a9743e704cc811d60a2946c7460965368ef28dd10110b052852b5e329146c0d67a79ddcbfb7c93fe9781bf877cd70f2dc64da8c4ee6cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 266aac4add21c8b0deb2ebd1967d85e6
SHA1 8410ab19d1e4b1a5ab8005d6f005547b4e8a4e26
SHA256 f2c1a6cab8e9b52c19c996fd116050b6c7a91fabb78468064719fec38625f8fc
SHA512 e5b0394e816d1f0f7872ea72e7648bb2b06206fcfb89c69b359a05969ab1ab52412cc019997cc1130a87e08a55d8bba74a3b7bacd77f33dc3ee2869fca5ae3bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64a490e842d9701c57e5529667b73eea
SHA1 c43de747db8f8c7abd42bbf8e6792e73801af204
SHA256 2e91ccccb2ceba9e088584f858a827adfa8222df3a777b3bafd2a8c06375b431
SHA512 43ccd7a5310132554a5b6214acc4757a5cf8d8efa5f9251bb2316f7f6ab17dc8a3c05008aedb2c6473359e74d939a0b4d630120abb5de4cf645ca247d0d42379

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e1dc94c2866a2be3bd2c6876799495a
SHA1 457cc40e5bec323a5056d8ba442049999bd5cc1f
SHA256 f002ebf66fb38e30fe188fce08493740d6c4d186c94812cd2426ae5bf82bf216
SHA512 f27f80c57dcfd07646d450c23ebe1d78d11fde0718f8ad949bb47673b586bb7af4cca18cf278480516745aad0659b0f6fd83dcc448cd46228f28d09b210ecc63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0e7e5ac1a1977bac2d9aa56932aa942
SHA1 7462b5321eb81c4e1db6a4af91284ea3037f1b5f
SHA256 c118281c5eeb89715afa90769f5a86eb33609ddfd341733dea0eb2becb8b04bd
SHA512 f92653e290ae77eee7f8dded71bfa01cf13d837c7b3c22aa2688409be1c532748885baee8ffcda198d73c1ba94aa019dad6d6a9eca5a4d26e5d51192f6c3299d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3479077b7747a690b2519597e0414154
SHA1 d1fe7b96ab92abdd4e264ebbde8cfd5e6955d2e1
SHA256 dfd2a89142c928b1d0abee151ca2269746ef47f9419446b08488fc82e03821c3
SHA512 702354978df74cc49cfad73ba748fde8b92fa5e5fc5cae1cafea040902f1b17c218b9e8dcfbf095d5cdecf74d2ce99c6179d538a716e2dec3cf87c567cd7f7e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 b24dd3b00db717c71aceea80d527305d
SHA1 d47e5dbe2cc3194534d5901fc8c01d9c66b3dacc
SHA256 a88470a94311266f32c1c859cb678a7957f7088b9a2c266e03b6b7c20ddb64ce
SHA512 64e9700a9c7be628b31f8649091aaab1735f40231a31a1c3652fe49cb750b49f8a9897a1e654b43f965a5fe84a2b8bf18896cf4edf36f6491542c1431bafd72f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b7c54625a1a141a37382f6aca29804d
SHA1 320ea0348de7aef95712e86bedf622c824764d87
SHA256 c5f2626a99c888301b8d21982b9a16bec1cfc70c5791b63a7af8cec61ed7012e
SHA512 aec0ee610f9de67b8fac155130991021b681411febef9286d94e1dd8a1ddfd7965c1c308a4c8b502b48470b559e5fc403efb8967855d84383d9ae5fd5bc9b00b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37d4d7fe34208d3a70ca92e862b77c44
SHA1 dcec8226b45f8866fd0476d7b17d75046ecc1907
SHA256 cf75f4e4cd8c72ea9fc89ab13713cd7b7fadc6f2774f461378ab3ccaf7268bc5
SHA512 9b07dfcd7a623c1b105ecf7c43829d717fe950593eaeda63387e216ea28875834b8821f2d994440649b6d45d66e0b00d643aac9ab446ba91035994badfbf427f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dae59d12de235314a4cccb212a342e8b
SHA1 6ead41b5e7f6bdb9a5a440bf4fc406b61aebb50f
SHA256 9abc87b4186aa6a2f6593873e5fa891ebe37b7611da10cb5bd08e6282640f9bd
SHA512 cbe2368414d8820100c487cd0666a76213c81fcf544437958ad627f13c100124e57c2685c2a8c1ea83b3335c1e51cbf221e47bebc360ac5222ca5011494a9461

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 faae497cc4ff5d95d4d027fbb385e91a
SHA1 2f064811d1a70acc04b0aa897c2e1f3782777485
SHA256 132042e2b455edcfacf9ca04a7e638ba703fee957d27cdb38d32be10a81d0c8d
SHA512 d31b41686439dc1f0cc9d6c8513b9fbf44ef96b39a474b15260f026638c4f07310cb7d63ab4c72d1f822296245ad2779a283d255ff868c0ca99167fb4418836c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 029838bace91fbcd594fcd1ae7dc0628
SHA1 ca9c0c0eb11585b7872207f006663de5ff7957c8
SHA256 9f0d45293b5173815ec1d38493716bce1e832673886245eac1852dcddf022b62
SHA512 2073af202f6c82c61ae695e8f04cb052a22c7f57e08d4bafac4c0a4d12c3bd8c245e11ac4ac98296464d183170a59f307a5b5c034e9f092e0c96a9d05a0ee884

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea020b652d5a94491c85fd8c807211ff
SHA1 f20bd243a52bc7511ed99d650186891b19834e25
SHA256 aa4e8ba18f9a630317e58500f53a161aa1af9b421eb50f4f2ffc0790173b617e
SHA512 3524f2b2b6553e2801faa6a4a0aadfa367fcf85a4cb88d1099d3774f81f6d21eb14a5e7a0c04103e34b5d13396eebb6a93604c3f5925e0ee7231468387f245b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6a637a8ff3d2568e5a68fae6923356c
SHA1 9b30f64690ef5ae3e09bd45e048b25838520bfab
SHA256 77f2361b599827605b972b75a8b6ec06cdb582b1bbdd3fef91b3f68947ab7935
SHA512 93ddccb30c1ada223a543b05136b97e6c0950e2d3e96f4da16d1375043393057821f203e5436af6a89790b567bbd91b86f7511dbbb3c3e4466456c882f61af31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 c3d4598d6fdf145754f81487c4fe37dd
SHA1 bf75310ecc45f4dbbc48ccb61eec9378d50c552e
SHA256 61cb566566dc75065fc807b87a71e23117866cbce1ba646b80a77d4adebe27a3
SHA512 4ad1af60cc7489aff349db6b1dda1fb5827b8129b5cfc775b0a7b27d2600e5ed6089a27e4a6880f249a83be4572dcfaf3ecfc9df75259e59ec1a990bec727598

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cbd6e99a7b61f071b018be2bd55bd979
SHA1 850588dcdc51aea194bd8886077f8ce8fb6811a7
SHA256 8b4f85067f1149b7bc8e90af16b680d23f264bfea68e1c6d5331d63029ef745e
SHA512 ab3cf9fb1bcdcd331eec13339642cac7e8fa186dcfd56ea587e53747ce5ef130fd82c294ff0b35058f6a65f6bc7ffa78df46d944b8b6bb6a27ada5092495167c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6770c12ac48369382f942a437d0b6fe
SHA1 33bdd86788caff097183a85526f9d52affcbb74b
SHA256 80ee1aa4bfef51f81b41f865b290e34746764b2b3e854ccdd3b1a23b47646fa5
SHA512 fb94749cbbd35c98c65d7b1739dae4a21125e6a21c18f11c08348b50c000da4d77a6c10742be06c53487e09c7c046c3f089317e007fb94502b8a4ee10ded5b0b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 03:37

Reported

2024-06-06 03:51

Platform

win10v2004-20240426-en

Max time kernel

127s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A

Checks system information in the registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | N/A
File created | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | N/A
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 880 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 3552 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 1968 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe
PID 1924 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
PID 2036 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 4424 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 412 wrote to memory of 2184 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2036 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 5008 wrote to memory of 3312 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 4308 wrote to memory of 3940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5008 wrote to memory of 1788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe

"C:\Users\Admin\AppData\Local\Temp\9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe

C:\Users\Admin\AppData\Local\Temp\HD_9357679c396d35c504f9a754a45d6b8cf193cdec4ddf3fc6d9dab0681ec6b8a3.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pc.weixin.qq.com/

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedb0c46f8,0x7ffedb0c4708,0x7ffedb0c4718

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2120,1741928878844859441,14021841028984675993,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,1741928878844859441,14021841028984675993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,1741928878844859441,14021841028984675993,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2120,1741928878844859441,14021841028984675993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2120,1741928878844859441,14021841028984675993,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2120,1741928878844859441,14021841028984675993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2120,1741928878844859441,14021841028984675993,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1741928878844859441,14021841028984675993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1741928878844859441,14021841028984675993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2120,1741928878844859441,14021841028984675993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2120,1741928878844859441,14021841028984675993,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2120,1741928878844859441,14021841028984675993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2120,1741928878844859441,14021841028984675993,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4868 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files
