Malware Analysis Report

2024-09-22 14:51

Sample ID 240618-hk394s1gmd
Target 994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03
SHA256 994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03
Tags gh0strat purplefox persistence rat rootkit trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03

Threat Level: Known bad

The file 994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx

Detect PurpleFox Rootkit

Gh0strat

PurpleFox

Gh0st RAT payload

Drops file in Drivers directory

Sets service image path in registry

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Runs ping.exe

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 06:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 06:48

Reported

2024-06-18 06:51

Platform

win7-20240611-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.ntfs\shell\open C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.bz2\DefaultIcon C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.dmg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.tar\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.arj\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.arj\DefaultIcon C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.xz\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bzip2\ = "wzmain.exe.bzip2" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.gzip\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.rar\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.fat\DefaultIcon C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.xar\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.cab\DefaultIcon C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.hfs\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.fat\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.lzh C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.rpm C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.rar\shell\open C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.squashfs C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.z\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.gzip C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.tar\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.ntfs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.lzma\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.rpm\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.tar\shell\open C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.fat\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.lzma C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.xar\shell\open C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.lzh\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.bzip2\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.arj\shell\open C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.xar\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.bz2\shell\open C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.rpm\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.squashfs\shell\open C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.cpio\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.lzma\DefaultIcon C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.rpm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.ntfs\shell\open\command C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.squashfs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.7z\shell\open\command C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.cpio\shell\open C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.gz\DefaultIcon C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.hfs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\wzmain = "LzhCompressedFolder2" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bzip2\wzmain = "7-Zip\\.bzip2" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.bzip2\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\wzmain = "7-Zip\\.tar" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.war\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.fat\shell\open C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.hfs C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.iso\ = "wzmain.exe.iso" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.dmg C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "wzmain.exe.zip" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.gz\shell\open\command C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.tar\shell\open\command C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.cpio\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.rar\DefaultIcon C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.7z\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.xz\shell\open\command C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "wzmain.exe.cab" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.fat\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.squashfs\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2084 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2084 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2084 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2084 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2084 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2084 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2056 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe
PID 2084 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe
PID 2084 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe
PID 2084 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe
PID 2672 wrote to memory of 2700 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2672 wrote to memory of 2700 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2672 wrote to memory of 2700 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2672 wrote to memory of 2700 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2672 wrote to memory of 2700 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2672 wrote to memory of 2700 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2672 wrote to memory of 2700 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2856 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2856 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2856 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2856 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe

"C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe

C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 datac.52songshu.com udp
CN 134.175.215.145:80 datac.52songshu.com tcp
CN 134.175.215.145:80 datac.52songshu.com tcp
CN 134.175.215.145:80 datac.52songshu.com tcp
CN 134.175.215.145:80 datac.52songshu.com tcp
CN 134.175.215.145:80 datac.52songshu.com tcp
CN 134.175.215.145:80 datac.52songshu.com tcp
CN 134.175.215.145:80 datac.52songshu.com tcp
CN 134.175.215.145:80 datac.52songshu.com tcp

Files

\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/2056-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2056-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2056-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2056-9-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2672-18-0x0000000010000000-0x00000000101B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe

MD5 62a75926e59efe47331bc1874c181297
SHA1 22851589804d53227eb701005178435ee755366a
SHA256 38129ebf9cd62c77869e0c33c81eced8b332d42040b7b5a32d0d169ca5c47aa1
SHA512 75a3dccdcb4e239ce5b959b1b4f48a12aeff990f54ba61125bae26f78c2f93d1b0fcabbbb66d3584f4d41807cc571e2b07cd85c8770034f043724006ac42bf54

memory/2672-32-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2700-33-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2700-37-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2700-38-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 3f1f4873fe8e76b49a8a3584680b880e
SHA1 f056b8dc78a33df3e24be58e2182def2a6abf0db
SHA256 d05cac5b0c3286fc1538f9e0a0a90e9020b55fa2f43814a21cf0b85f262c13db
SHA512 712e8a32f09a4370e0cc402e82b8fdeccdb5f92b8b872cad8a9bbbd0f9c53b8b6093226577adc034c6e780bfbed3ae42281498152f61f6663d387f6d20615ecf

C:\Users\Admin\Desktop\BlockFind.exe

MD5 9e8eb92a1e108c6010c29c5874eae80c
SHA1 dbd6409b6547cb465dacef07a388297fad8ae43b
SHA256 1ce898848455316e7ba86022d9ffbd922b2aa57ac096439eb02c516e6ea76097
SHA512 ade992d4f042e3355deb87589f64f9569dac87da11291ab8f4c2b0de64e2c1ccf55daa3beb8f8f5e4c10df69c39d9855dee2e20b60904e1996339ea15f3fe321

\??\c:\program files\videolan\vlc\vlc.exe

MD5 139cbfee1b2a84b41c3375e06e4585b1
SHA1 5fa51cd02acd90f0055bd48a102606a7b5a0f6b4
SHA256 03935083ba05dae701e3cb5721fda209e77e845b78ab6988631969ec60ef8dee
SHA512 9096ba6cc5b6d15e931459353762fc811f78853b835b6a1a9b18b4ea52a2923fe7650e30f5f68feb5fe914278321eccae5d37b18b06a4032e22ed1bc0a2fc455

C:\Users\Admin\AppData\Local\Temp\data\fdrecord.dat

MD5 e1693263e58c0dab1f69199e06bf1612
SHA1 3a5fb5bb73ebdbd0a542049a7444e68f98ecde6e
SHA256 67b049319f61f823bfbbc1bb5f7a4ed9c1ffca34ea789eb5852688720b6d54c5
SHA512 8cdf9c0d3d743d90dfc59eb5086d496231c19df5eb1b4a642a7b42df8e10464c77a8556cdd1507c267606c505e41c3d4a73be6bc423bb0bc4d2b334fe5161e93

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 06:48

Reported

2024-06-18 06:51

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.arj\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.arj\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.dmg\shell\open\FriendlyAppName = "WinZips" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.lzma\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.iso = "0" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.rar C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.bzip2\DefaultIcon C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.zip\shell\open\command C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.gz\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.dmg\shell\open\command C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.fat\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.hfs C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.wim C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.wim\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.lzma\shell\open\FriendlyAppName = "WinZips" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.xar\shell\open\command C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "wzmain.exe.zip" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.fat = "0" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.hfs\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.lzh\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.lzh\shell\open C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.squashfs\shell\open\command C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.wim\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.arj\DefaultIcon C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.hfs = "0" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.hfs\shell\open C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.rpm\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.z\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.wim\DefaultIcon C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "wzmain.exe.bz2" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.rar\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.rpm = "0" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.z\shell\open C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.dmg C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.dmg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.iso\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.rpm\shell\open\command C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.squashfs = "0" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.squashfs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.xz\shell\open\FriendlyAppName = "WinZips" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.cab\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.hfs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.ntfs\shell\open C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.rpm\shell\open\FriendlyAppName = "WinZips" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.war = "0" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.tar\shell\open\FriendlyAppName = "WinZips" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\wzmain = "7-Zip\\.tar" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.cpio C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.iso\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.lzma = "0" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.7z = "0" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.bzip2\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.ntfs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.rpm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.war\shell\open\command C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.war\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.gzip = "0" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.tar\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.hfs\shell\open\FriendlyAppName = "WinZips" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.xz\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.bzip2\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.gzip\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.gzip\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.hfs\shell C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 3380 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 3192 wrote to memory of 4864 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 1200 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe
PID 792 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe

"C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe

C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 datac.52songshu.com udp
CN 134.175.215.145:80 datac.52songshu.com tcp
BE 88.221.83.193:443 www.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 193.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe

MD5 62a75926e59efe47331bc1874c181297
SHA1 22851589804d53227eb701005178435ee755366a
SHA256 38129ebf9cd62c77869e0c33c81eced8b332d42040b7b5a32d0d169ca5c47aa1
SHA512 75a3dccdcb4e239ce5b959b1b4f48a12aeff990f54ba61125bae26f78c2f93d1b0fcabbbb66d3584f4d41807cc571e2b07cd85c8770034f043724006ac42bf54

C:\Users\Admin\AppData\Local\Temp\X.ico

MD5 fb44f7af2882d222b600539171f54c1d
SHA1 0c5a1a0b1620a55a0f194464227be25a2f0347e1
SHA256 f2a78e76259bc8fd4ab6af7b4e16dfb49a10643308aca3d14c09e61ac0ebd487
SHA512 21e906473f64303c4c8d55213ccb84f4a803c11fb5eef34ce3194adfb391ccbcc91e7c399556c7a4e4f3d33b9b19524d4499ec771ee8e1a10df26ea7cc2dcb67

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 3f1f4873fe8e76b49a8a3584680b880e
SHA1 f056b8dc78a33df3e24be58e2182def2a6abf0db
SHA256 d05cac5b0c3286fc1538f9e0a0a90e9020b55fa2f43814a21cf0b85f262c13db
SHA512 712e8a32f09a4370e0cc402e82b8fdeccdb5f92b8b872cad8a9bbbd0f9c53b8b6093226577adc034c6e780bfbed3ae42281498152f61f6663d387f6d20615ecf

\??\c:\program files (x86)\microsoft\edge\application\msedge.exe

MD5 4fb24ce12a9eb0f335a91134aca2f88e
SHA1 7a40181c4373826da2a94e9a119c29f07d6363e5
SHA256 84f5e1e2b8f18cace0e9fd11d5f418f747b2849e66f61f6adfcff3647a840d0f
SHA512 1c007aa6f6b4bef1ddfaa76b7de5fdec4bdc95a69268305e3d0ef8fefd6864a23ffb7dc6f9a7733c9b2e79b88c6a79c424aa8d3aa908afcb7e7acf2730a7de6b

\??\c:\program files\videolan\vlc\vlc.exe

MD5 139cbfee1b2a84b41c3375e06e4585b1
SHA1 5fa51cd02acd90f0055bd48a102606a7b5a0f6b4
SHA256 03935083ba05dae701e3cb5721fda209e77e845b78ab6988631969ec60ef8dee
SHA512 9096ba6cc5b6d15e931459353762fc811f78853b835b6a1a9b18b4ea52a2923fe7650e30f5f68feb5fe914278321eccae5d37b18b06a4032e22ed1bc0a2fc455

C:\Users\Admin\AppData\Local\Temp\data\fdrecord.dat

MD5 e1693263e58c0dab1f69199e06bf1612
SHA1 3a5fb5bb73ebdbd0a542049a7444e68f98ecde6e
SHA256 67b049319f61f823bfbbc1bb5f7a4ed9c1ffca34ea789eb5852688720b6d54c5
SHA512 8cdf9c0d3d743d90dfc59eb5086d496231c19df5eb1b4a642a7b42df8e10464c77a8556cdd1507c267606c505e41c3d4a73be6bc423bb0bc4d2b334fe5161e93