Analysis Overview
SHA256
994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03
Threat Level: Known bad
The file 994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03 was found to be: Known bad.
Malicious Activity Summary
Detect PurpleFox Rootkit
Gh0strat
PurpleFox
Gh0st RAT payload
Drops file in Drivers directory
Sets service image path in registry
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
Runs ping.exe
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-18 06:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 06:48
Reported
2024-06-18 06:51
Platform
win7-20240611-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
PurpleFox
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.ntfs\shell\open | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.bz2\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.dmg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.tar\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.arj\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.arj\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.xz\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bzip2\ = "wzmain.exe.bzip2" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.gzip\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.rar\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.fat\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.xar\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.cab\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.hfs\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.fat\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.lzh | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.rpm | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.rar\shell\open | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.squashfs | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.z\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.gzip | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.tar\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.ntfs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.lzma\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.rpm\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.tar\shell\open | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.fat\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.lzma | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.xar\shell\open | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.lzh\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.bzip2\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.arj\shell\open | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.xar\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.bz2\shell\open | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.rpm\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.squashfs\shell\open | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.cpio\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.lzma\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.rpm\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.ntfs\shell\open\command | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.squashfs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.7z\shell\open\command | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.cpio\shell\open | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.gz\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.hfs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\wzmain = "LzhCompressedFolder2" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bzip2\wzmain = "7-Zip\\.bzip2" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.bzip2\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\wzmain = "7-Zip\\.tar" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.war\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.fat\shell\open | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.hfs | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.iso\ = "wzmain.exe.iso" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.dmg | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "wzmain.exe.zip" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.gz\shell\open\command | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.tar\shell\open\command | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.cpio\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.rar\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.7z\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.xz\shell\open\command | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "wzmain.exe.cab" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.fat\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wzmain.exe.squashfs\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe
"C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe"
C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe
C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | datac.52songshu.com | udp |
| CN | 134.175.215.145:80 | datac.52songshu.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\RVN.exe
| MD5 | 80ade1893dec9cab7f2e63538a464fcc |
| SHA1 | c06614da33a65eddb506db00a124a3fc3f5be02e |
| SHA256 | 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd |
| SHA512 | fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4 |
memory/2056-5-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2056-7-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2056-8-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2056-9-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2672-18-0x0000000010000000-0x00000000101B6000-memory.dmp
\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe
| MD5 | 62a75926e59efe47331bc1874c181297 |
| SHA1 | 22851589804d53227eb701005178435ee755366a |
| SHA256 | 38129ebf9cd62c77869e0c33c81eced8b332d42040b7b5a32d0d169ca5c47aa1 |
| SHA512 | 75a3dccdcb4e239ce5b959b1b4f48a12aeff990f54ba61125bae26f78c2f93d1b0fcabbbb66d3584f4d41807cc571e2b07cd85c8770034f043724006ac42bf54 |
memory/2672-32-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2700-33-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2700-37-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2700-38-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 3f1f4873fe8e76b49a8a3584680b880e |
| SHA1 | f056b8dc78a33df3e24be58e2182def2a6abf0db |
| SHA256 | d05cac5b0c3286fc1538f9e0a0a90e9020b55fa2f43814a21cf0b85f262c13db |
| SHA512 | 712e8a32f09a4370e0cc402e82b8fdeccdb5f92b8b872cad8a9bbbd0f9c53b8b6093226577adc034c6e780bfbed3ae42281498152f61f6663d387f6d20615ecf |
C:\Users\Admin\Desktop\BlockFind.exe
| MD5 | 9e8eb92a1e108c6010c29c5874eae80c |
| SHA1 | dbd6409b6547cb465dacef07a388297fad8ae43b |
| SHA256 | 1ce898848455316e7ba86022d9ffbd922b2aa57ac096439eb02c516e6ea76097 |
| SHA512 | ade992d4f042e3355deb87589f64f9569dac87da11291ab8f4c2b0de64e2c1ccf55daa3beb8f8f5e4c10df69c39d9855dee2e20b60904e1996339ea15f3fe321 |
\??\c:\program files\videolan\vlc\vlc.exe
| MD5 | 139cbfee1b2a84b41c3375e06e4585b1 |
| SHA1 | 5fa51cd02acd90f0055bd48a102606a7b5a0f6b4 |
| SHA256 | 03935083ba05dae701e3cb5721fda209e77e845b78ab6988631969ec60ef8dee |
| SHA512 | 9096ba6cc5b6d15e931459353762fc811f78853b835b6a1a9b18b4ea52a2923fe7650e30f5f68feb5fe914278321eccae5d37b18b06a4032e22ed1bc0a2fc455 |
C:\Users\Admin\AppData\Local\Temp\data\fdrecord.dat
| MD5 | e1693263e58c0dab1f69199e06bf1612 |
| SHA1 | 3a5fb5bb73ebdbd0a542049a7444e68f98ecde6e |
| SHA256 | 67b049319f61f823bfbbc1bb5f7a4ed9c1ffca34ea789eb5852688720b6d54c5 |
| SHA512 | 8cdf9c0d3d743d90dfc59eb5086d496231c19df5eb1b4a642a7b42df8e10464c77a8556cdd1507c267606c505e41c3d4a73be6bc423bb0bc4d2b334fe5161e93 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 06:48
Reported
2024-06-18 06:51
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
PurpleFox
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.arj\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.arj\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.dmg\shell\open\FriendlyAppName = "WinZips" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.lzma\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.iso = "0" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.rar | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.bzip2\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.zip\shell\open\command | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.gz\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.dmg\shell\open\command | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.fat\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.hfs | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.wim | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.wim\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.lzma\shell\open\FriendlyAppName = "WinZips" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.xar\shell\open\command | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "wzmain.exe.zip" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.fat = "0" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.hfs\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.lzh\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.lzh\shell\open | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.squashfs\shell\open\command | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.wim\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.arj\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.hfs = "0" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.hfs\shell\open | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.rpm\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.z\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.wim\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "wzmain.exe.bz2" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.rar\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.rpm = "0" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.z\shell\open | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.dmg | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.dmg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.iso\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\",1" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.rpm\shell\open\command | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.squashfs = "0" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.squashfs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.xz\shell\open\FriendlyAppName = "WinZips" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.cab\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.hfs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.ntfs\shell\open | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.rpm\shell\open\FriendlyAppName = "WinZips" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.war = "0" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.tar\shell\open\FriendlyAppName = "WinZips" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\wzmain = "7-Zip\\.tar" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.cpio | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.iso\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.lzma = "0" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.7z = "0" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.bzip2\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.ntfs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.rpm\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.war\shell\open\command | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.war\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe\OpenWithProgids\wzmain.exe.gzip = "0" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.tar\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.hfs\shell\open\FriendlyAppName = "WinZips" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.xz\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.bzip2\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.gzip\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.gzip\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe\" -from:extension_association -action:open -in=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\wzmain.exe.hfs\shell | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | "C:\Users\Admin\AppData\Local\Temp\994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe" |
| C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Users\Admin\AppData\Local\Temp\\RVN.exe |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -auto |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -acsi |
| C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe | C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe |
| C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | datac.52songshu.com | udp |
| CN | 134.175.215.145:80 | datac.52songshu.com | tcp |
| BE | 88.221.83.193:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| CN | 134.175.215.145:80 | datac.52songshu.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| CN | 134.175.215.145:80 | datac.52songshu.com | tcp |
| CN | 134.175.215.145:80 | datac.52songshu.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| CN | 134.175.215.145:80 | datac.52songshu.com | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| CN | 134.175.215.145:80 | datac.52songshu.com | tcp |
| CN | 134.175.215.145:80 | datac.52songshu.com | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| CN | 134.175.215.145:80 | datac.52songshu.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RVN.exe
| MD5 | 80ade1893dec9cab7f2e63538a464fcc |
| SHA1 | c06614da33a65eddb506db00a124a3fc3f5be02e |
| SHA256 | 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd |
| SHA512 | fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4 |
memory/3380-4-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3380-6-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3380-10-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3380-7-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3192-15-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3192-17-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3192-25-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_994870f4b1d6bdd26aba95f212e5b30850f0b171ad71c5596c415e9742ce5a03.exe
| MD5 | 62a75926e59efe47331bc1874c181297 |
| SHA1 | 22851589804d53227eb701005178435ee755366a |
| SHA256 | 38129ebf9cd62c77869e0c33c81eced8b332d42040b7b5a32d0d169ca5c47aa1 |
| SHA512 | 75a3dccdcb4e239ce5b959b1b4f48a12aeff990f54ba61125bae26f78c2f93d1b0fcabbbb66d3584f4d41807cc571e2b07cd85c8770034f043724006ac42bf54 |
memory/4864-27-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3192-16-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4864-31-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4864-70-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\X.ico
| MD5 | fb44f7af2882d222b600539171f54c1d |
| SHA1 | 0c5a1a0b1620a55a0f194464227be25a2f0347e1 |
| SHA256 | f2a78e76259bc8fd4ab6af7b4e16dfb49a10643308aca3d14c09e61ac0ebd487 |
| SHA512 | 21e906473f64303c4c8d55213ccb84f4a803c11fb5eef34ce3194adfb391ccbcc91e7c399556c7a4e4f3d33b9b19524d4499ec771ee8e1a10df26ea7cc2dcb67 |
memory/4864-77-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 3f1f4873fe8e76b49a8a3584680b880e |
| SHA1 | f056b8dc78a33df3e24be58e2182def2a6abf0db |
| SHA256 | d05cac5b0c3286fc1538f9e0a0a90e9020b55fa2f43814a21cf0b85f262c13db |
| SHA512 | 712e8a32f09a4370e0cc402e82b8fdeccdb5f92b8b872cad8a9bbbd0f9c53b8b6093226577adc034c6e780bfbed3ae42281498152f61f6663d387f6d20615ecf |
memory/3192-13-0x0000000010000000-0x00000000101B6000-memory.dmp
\??\c:\program files (x86)\microsoft\edge\application\msedge.exe
| MD5 | 4fb24ce12a9eb0f335a91134aca2f88e |
| SHA1 | 7a40181c4373826da2a94e9a119c29f07d6363e5 |
| SHA256 | 84f5e1e2b8f18cace0e9fd11d5f418f747b2849e66f61f6adfcff3647a840d0f |
| SHA512 | 1c007aa6f6b4bef1ddfaa76b7de5fdec4bdc95a69268305e3d0ef8fefd6864a23ffb7dc6f9a7733c9b2e79b88c6a79c424aa8d3aa908afcb7e7acf2730a7de6b |
\??\c:\program files\videolan\vlc\vlc.exe
| MD5 | 139cbfee1b2a84b41c3375e06e4585b1 |
| SHA1 | 5fa51cd02acd90f0055bd48a102606a7b5a0f6b4 |
| SHA256 | 03935083ba05dae701e3cb5721fda209e77e845b78ab6988631969ec60ef8dee |
| SHA512 | 9096ba6cc5b6d15e931459353762fc811f78853b835b6a1a9b18b4ea52a2923fe7650e30f5f68feb5fe914278321eccae5d37b18b06a4032e22ed1bc0a2fc455 |
C:\Users\Admin\AppData\Local\Temp\data\fdrecord.dat
| MD5 | e1693263e58c0dab1f69199e06bf1612 |
| SHA1 | 3a5fb5bb73ebdbd0a542049a7444e68f98ecde6e |
| SHA256 | 67b049319f61f823bfbbc1bb5f7a4ed9c1ffca34ea789eb5852688720b6d54c5 |
| SHA512 | 8cdf9c0d3d743d90dfc59eb5086d496231c19df5eb1b4a642a7b42df8e10464c77a8556cdd1507c267606c505e41c3d4a73be6bc423bb0bc4d2b334fe5161e93 |