Malware Analysis Report

2024-09-22 14:55

Sample ID 240619-d15qnashmc
Target 26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975
SHA256 26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975
Tags
gh0strat purplefox persistence rat rootkit trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975

Threat Level: Known bad

The file 26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx

PurpleFox

Gh0strat

Gh0st RAT payload

Detect PurpleFox Rootkit

Sets service image path in registry

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 03:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 03:29

Reported

2024-06-19 03:32

Platform

win7-20240220-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2468 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2468 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2468 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2468 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2468 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2468 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2468 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2008 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2068 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2068 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2068 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2068 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2068 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2068 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2980 wrote to memory of 2428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2980 wrote to memory of 2428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2980 wrote to memory of 2428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2980 wrote to memory of 2428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe

"C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe

C:\Users\Admin\AppData\Local\Temp\HD_26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp

Files

\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/2008-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2008-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2008-12-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2008-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2068-20-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2592-25-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2068-24-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2592-29-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2592-30-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2592-28-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe

MD5 32ead83951f217d2858678d3957b137a
SHA1 a1cddc925625d24b27b21e7bb06df4a3e9e22732
SHA256 6bec15dd47ce6261e0635d21cb5ed2ced15a4be8482312f79e32273806444f99
SHA512 8a9e76d2aef03a723eb95c650912a746f1535398641c4205bf809aed0092f2db71451345b382ab7393b2e1529f0e70a8413c52d72cd64ae6a634294e27687a87

memory/2592-34-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2592-38-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 eff3c687be048189f316ce984c92b3da
SHA1 cb8ac73fc51cd8b2ce21dc497ad5f7fd5326cf6d
SHA256 d7f86499c7934f01c3ed03b5eb6bf34f98daaa9c0f93db28d7f8355367bf5c02
SHA512 98da18e0b35699fe6879c5ae049ccb7b970bd3a10db34564f1417e550cd00a8f2db8755380042777bc52d0bbbe031e4c5036d5d0e773a04522f35424a97b2ebb

memory/2592-71-0x0000000010000000-0x00000000101B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 03:29

Reported

2024-06-19 03:32

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | N/A
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4780 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 4780 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 4780 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 3508 wrote to memory of 4404 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 3508 wrote to memory of 4404 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 3508 wrote to memory of 4404 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 4580 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2492 wrote to memory of 4580 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2492 wrote to memory of 4580 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 4404 wrote to memory of 1064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 4404 wrote to memory of 1064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 4404 wrote to memory of 1064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe

"C:\Users\Admin\AppData\Local\Temp\26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe

C:\Users\Admin\AppData\Local\Temp\HD_26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3672 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
GB | 96.16.110.114:80 |  | tcp
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
GB | 142.250.187.234:443 |  | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp
US | 8.8.8.8:53 | 10.73.50.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/3508-4-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3508-6-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3508-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3508-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2492-13-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2492-15-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2492-16-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2492-19-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2492-26-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4580-28-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_26ddf74d54596afeecde5b60f62d4b7b8f1f19d6c888bd850031e05476057975.exe

MD5 32ead83951f217d2858678d3957b137a
SHA1 a1cddc925625d24b27b21e7bb06df4a3e9e22732
SHA256 6bec15dd47ce6261e0635d21cb5ed2ced15a4be8482312f79e32273806444f99
SHA512 8a9e76d2aef03a723eb95c650912a746f1535398641c4205bf809aed0092f2db71451345b382ab7393b2e1529f0e70a8413c52d72cd64ae6a634294e27687a87

memory/4580-34-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4580-27-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3508-18-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4580-36-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 eff3c687be048189f316ce984c92b3da
SHA1 cb8ac73fc51cd8b2ce21dc497ad5f7fd5326cf6d
SHA256 d7f86499c7934f01c3ed03b5eb6bf34f98daaa9c0f93db28d7f8355367bf5c02
SHA512 98da18e0b35699fe6879c5ae049ccb7b970bd3a10db34564f1417e550cd00a8f2db8755380042777bc52d0bbbe031e4c5036d5d0e773a04522f35424a97b2ebb

C:\Users\Admin\AppData\Local\Temp\RCX8D1D.tmp

MD5 b3958a68315f871d01e6f959990a71e7
SHA1 a3a704efacc2b32e2a9f836e009bbacf56b16250
SHA256 d758c980148e62c69d30148f6ac65e60ff6a8f425c649f5e5a07bb7412d1bb9d
SHA512 006d4a67386843135b6800da983676de073fe616fe5e53639fd37ba02e507ac8a5721004bee5b259a1c053456560d473690781047b385a7ee2802c710744d3a3

C:\Users\Admin\AppData\Local\Temp\X.ico

MD5 e33fb6d686b1a8b171349572c5a33f67
SHA1 29f24fe536adf799b69b63c83efadc1bce457a54
SHA256 020c8e0963f89f4b14538b7d69e83c6fec44a29bbbd52fbb6deb2be5c697f450
SHA512 cf1f1d6a9efe53f84e5b4a8246b87c0b96496716605d1b00352d9aae30e664d3d2cbadebf598b4e690a9feef0b5785887a4e643cc5f68938ca744af1d3539e55