Malware Analysis Report

2024-09-22 14:52

Sample ID 240619-f8lc4azajp
Target 2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469
SHA256 2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469
Tags
gh0strat purplefox persistence rat rootkit trojan upx discovery evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469

Threat Level: Known bad

The file 2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx discovery evasion spyware stealer

PurpleFox

Gh0st RAT payload

Detect PurpleFox Rootkit

Gh0strat

Sets service image path in registry

Drops file in Drivers directory

UPX packed file

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Checks whether UAC is enabled

Drops file in System32 directory

Checks system information in the registry

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Enumerates system info in registry

System policy modification

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 05:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 05:32

Reported

2024-06-19 05:35

Platform

win7-20240419-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | N/A
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000dd3654bc85e1e39228a502ef36223ce6dce29aa07e4f4c2488e8972e1bfb80de000000000e800000000200002000000098271c0dd0a5686c1d72b5808d9dade014ed82ea4943c8b06173f03f2bf4b46c9000000078d56f11e3b2013031b96dbe48173c7505301a8a271ad9a7d98ca6e2b3c28a643fcbc505047d24312d43013733d8220979d5f830f759abcfe40a1c6269490998613402e70277bd50e060dc1baf65e2946b1748ab9b43ba7cb4f9676528df72c93c7ce9480f3111cd783ef991a5f4901da594400e09c63bb074dde8f2074374a8f63dc9c74613e5024813475b88ab4a8b40000000747082d505bd5d907095f8bf259166236d60ccbecf3dea73f56491a7305752ef1ee39d9938d36c7cfcfa3afec679d29f3ffe2006604e2ca0e1d687e5ee66591d | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424937031" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000457da404af41221717797694810dce580b377adbcf1a8660ec329c1800b9ee61000000000e80000000020000200000001465568d3dfc3af39f10d1f18a8ccc9d18d4cda85ea6c39a2d7924af90397af82000000072bdcce347d400b12b00f0acb58d7d141f5c9612e85136362218881f56940fa040000000c544bd044b9de5a88f8617365d4b884d939d2aadb71595c0fc942b33059e254ef00c74b024c92e5a2a65545004de43d26e824afcee60b89734882c442937a25c | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5AC897B1-2DFD-11EF-9CF3-F62AD7DF13FC} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d08dcd300ac2da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2012 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2012 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2012 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2012 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2012 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2012 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2012 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 1252 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 1648 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2932 wrote to memory of 1648 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2932 wrote to memory of 1648 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2932 wrote to memory of 1648 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2932 wrote to memory of 1648 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2932 wrote to memory of 1648 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2932 wrote to memory of 1648 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2012 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe
PID 2012 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe
PID 2012 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe
PID 2012 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe
PID 2324 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2324 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2324 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2324 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2608 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2608 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2608 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2896 wrote to memory of 744 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2896 wrote to memory of 744 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2896 wrote to memory of 744 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2896 wrote to memory of 744 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe

"C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe

C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://pc.weixin.qq.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp
US | 8.8.8.8:53 | pc.weixin.qq.com | udp
HK | 43.154.240.170:80 | pc.weixin.qq.com | tcp
HK | 43.154.240.170:80 | pc.weixin.qq.com | tcp
HK | 43.154.240.170:443 | pc.weixin.qq.com | tcp
US | 8.8.8.8:53 | ocsp.digicert.cn | udp
US | 163.181.154.233:80 | ocsp.digicert.cn | tcp
US | 8.8.8.8:53 | res.wx.qq.com | udp
GB | 43.132.64.151:443 | res.wx.qq.com | tcp
GB | 43.132.64.151:443 | res.wx.qq.com | tcp
GB | 43.132.64.151:443 | res.wx.qq.com | tcp
GB | 43.132.64.151:443 | res.wx.qq.com | tcp
GB | 43.132.64.151:443 | res.wx.qq.com | tcp
US | 163.181.154.233:80 | ocsp.digicert.cn | tcp
US | 163.181.154.233:80 | ocsp.digicert.cn | tcp
US | 163.181.154.233:80 | ocsp.digicert.cn | tcp
US | 163.181.154.233:80 | ocsp.digicert.cn | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2012-0-0x0000000000400000-0x00000000005C7000-memory.dmp

\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/1252-6-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1252-13-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1252-9-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1252-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2932-19-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 c6715ac6563090e73b5c7ce70d27ecf2
SHA1 2aec16e393ce173cfaea8e8aa914e2c6d867300d
SHA256 2c4cae601268fa8a52847fad9d9374f01503fb78a06f758e2792fbcb21349a10
SHA512 f7f62b81143580f1d15ee1ccf2790dd397184e93a4fc40c029c06c0c8d8d83457ec62091ca9423dac00526734fb14b320a264bed68f63644242f980a71167514

C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe

MD5 8af4e9791937a1e2cfc76c8a9a591cf8
SHA1 bb8e7d0a467686b6e6a98043f29db5c0aefaa830
SHA256 095502d31f2633de2c55d6cb2668fda3f68e621f9beaaabce2e7a8aee2876339
SHA512 eca9075770ec55990c697a30c86cb1b3f87b5077f349fb37ca5ca003aa4af0834cb75cbf8673a6078cc18dcb38a82df72d2ff8185f7c7c39378b2a0336b8736d

memory/1648-36-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1648-32-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2932-30-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1648-29-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1648-72-0x0000000010000000-0x00000000101B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 05:32

Reported

2024-06-19 05:35

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 1976 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 1976 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 116 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 3576 wrote to memory of 2752 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 3576 wrote to memory of 2752 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 3576 wrote to memory of 2752 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 1976 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe
PID 1976 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe
PID 3404 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3404 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3404 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1836 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1836 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1836 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 2336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2620 wrote to memory of 2336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2620 wrote to memory of 2336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2336 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 4560 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2932 wrote to memory of 4560 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2932 wrote to memory of 4560 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2620 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2620 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 4968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 4968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 3248 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3248 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3248 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
PID 2004 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe

"C:\Users\Admin\AppData\Local\Temp\2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe

C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pc.weixin.qq.com/

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ffe8fe146f8,0x7ffe8fe14708,0x7ffe8fe14718

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2112,4239587246688525213,15647199024736414498,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,4239587246688525213,15647199024736414498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,4239587246688525213,15647199024736414498,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2112,4239587246688525213,15647199024736414498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2112,4239587246688525213,15647199024736414498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2112,4239587246688525213,15647199024736414498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2112,4239587246688525213,15647199024736414498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4239587246688525213,15647199024736414498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4239587246688525213,15647199024736414498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2112,4239587246688525213,15647199024736414498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2112,4239587246688525213,15647199024736414498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2112,4239587246688525213,15647199024736414498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2112,4239587246688525213,15647199024736414498,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4204 /prefetch:2

Network

Country  Destination       Domain                     Proto
US       8.8.8.8:53        8.8.8.8.in-addr.arpa       udp
US       8.8.8.8:53        hackerinvasion.f3322.net   udp
N/A      224.0.0.251:5353  -                          udp
US       8.8.8.8:53        hackerinvasion.f3322.net   udp
US       8.8.8.8:53        hackerinvasion.f3322.net   udp
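The table records DNS queries only, not answers, so the C2 address itself is not recoverable from it; what it does show is one name, hackerinvasion.f3322.net, queried three times under f3322.net, a free dynamic-DNS zone of the kind Gh0st RAT operators use so a fixed hostname can follow a changing C2 address, plus a PTR lookup of the resolver and one mDNS row with no name. The Python below, an added example that is not part of the sandbox report, parses rows in the table's own column order (copied from above), separates reverse lookups from forward queries and flags names under dynamic-DNS zones; the zone list and every function name are this example's own.

```python
"""Triage the Network table of a sandbox report: parse the rows, separate
reverse (PTR) lookups from forward queries, and flag hostnames that live under
free dynamic-DNS zones.  Added example, not part of the report; NETWORK_ROWS is
copied from the table above, the zone list and function names are this
example's own."""
import ipaddress
from collections import Counter

# Rows in the report's column order: Country Destination Domain Proto.
# The mDNS row carries no Domain cell, so it has only three fields.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
"""

# Free dynamic-DNS zones (this example's own, non-exhaustive list).
DDNS_SUFFIXES = frozenset({
    "f3322.net", "3322.org", "no-ip.org", "ddns.net", "duckdns.org", "dyndns.org",
})


def parse_rows(text):
    """One dict per row; Domain is None when the row carries no name."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        host, _, port = dest.rpartition(":")
        events.append({"country": country, "ip": ipaddress.ip_address(host),
                       "port": int(port), "domain": domain, "proto": proto})
    return events


def is_reverse_lookup(name):
    return name.lower().endswith((".in-addr.arpa", ".ip6.arpa"))


def ddns_zone(name):
    """Return the dynamic-DNS zone a hostname lives under, or None.  The bare
    zone itself (a visit to the provider's own site) is not flagged."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(1, len(labels) - 1):
        zone = ".".join(labels[i:])
        if zone in DDNS_SUFFIXES:
            return zone
    return None


def triage(events):
    """Summarise DNS activity: query counts, DDNS-hosted names, resolvers used,
    and how many rows went to multicast (mDNS) rather than a resolver."""
    queries = Counter(e["domain"] for e in events
                      if e["domain"] and e["port"] == 53)
    reverse = sorted(d for d in queries if is_reverse_lookup(d))
    flagged = {d: ddns_zone(d) for d in queries
               if not is_reverse_lookup(d) and ddns_zone(d)}
    resolvers = sorted({str(e["ip"]) for e in events if e["port"] == 53})
    multicast = sum(1 for e in events if e["ip"].is_multicast)
    return {"queries": dict(queries), "reverse": reverse, "flagged": flagged,
            "resolvers": resolvers, "multicast_rows": multicast}


if __name__ == "__main__":
    report = triage(parse_rows(NETWORK_ROWS))
    for name, zone in report["flagged"].items():
        print(f"DDNS-hosted name: {name} (zone {zone}), "
              f"queried {report['queries'][name]}x")
    print("resolvers:", report["resolvers"], "reverse lookups:", report["reverse"])
```

Run against the rows above it reports hackerinvasion.f3322.net under zone f3322.net with three queries, 8.8.8.8 as the only resolver, one reverse lookup and one multicast row. Because the zone check walks the labels from the right, a renamed host under the same provider is still caught, while a lookup of the provider's apex alone is not.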

Files

memory/1976-0-0x0000000000400000-0x00000000005C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/116-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/116-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/116-11-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/116-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3576-27-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3576-18-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_2959d625def5feb3d528813444a406d5ccd07cb2f0b0655b19cd5c8f59742469.exe

MD5 8af4e9791937a1e2cfc76c8a9a591cf8
SHA1 bb8e7d0a467686b6e6a98043f29db5c0aefaa830
SHA256 095502d31f2633de2c55d6cb2668fda3f68e621f9beaaabce2e7a8aee2876339
SHA512 eca9075770ec55990c697a30c86cb1b3f87b5077f349fb37ca5ca003aa4af0834cb75cbf8673a6078cc18dcb38a82df72d2ff8185f7c7c39378b2a0336b8736d

memory/2752-28-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2752-31-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2752-44-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 c6715ac6563090e73b5c7ce70d27ecf2
SHA1 2aec16e393ce173cfaea8e8aa914e2c6d867300d
SHA256 2c4cae601268fa8a52847fad9d9374f01503fb78a06f758e2792fbcb21349a10
SHA512 f7f62b81143580f1d15ee1ccf2790dd397184e93a4fc40c029c06c0c8d8d83457ec62091ca9423dac00526734fb14b320a264bed68f63644242f980a71167514

memory/3576-17-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2752-78-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3576-16-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3576-14-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 7ff871fb93920d310e71f19a972a1a71
SHA1 5f8b0b55025dd942caa6975742d61e9a1e3c689d
SHA256 bea296ef715ea7ff806affed47e501b2bf382ba329ca5f2e7f17565ed08abe5b
SHA512 bcdb485bad7101b7f27365524fec8462acfbe6b9adccbec70805e6dc7aa623a37d45879d4c0e4732706532e264ce77fd18662ae8c549815f51585a8b85cac657

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

MD5 ad8536c7440638d40156e883ac25086e
SHA1 fa9e8b7fb10473a01b8925c4c5b0888924a1147c
SHA256 73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a
SHA512 b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_2004_ZVUYHPVCEAPKGTQO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3256-122-0x00007FFE9EBD0000-0x00007FFE9EBD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1696cc78391a09d172f55ba6a052f7af
SHA1 9ea9ae62dfc0e254449b43cd4b5a00f4f79d7f80
SHA256 c3e1a6a30ca702a4133ebe9b40b52261d19ec4afd8d17cdc37aa57a78e142594
SHA512 685f4ea93c89494fc9f59b2dea95515517e5459aff0dffbfdf4b687bd3b10cf0422b00f9fd4eeccfc43d869af79f9c55bbb7a979e417e99bb9b7c64461deea4f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5667ed87c8d93f13dd1cd84170323bf8
SHA1 b372f415ea3b162aa57cc59ce5a355679e245d1b
SHA256 8e4653fee85b36babf222eb078f35d25862820c5798fd9cc2248dd0167e05bc4
SHA512 a0026f83f62f0c89fe28cc48700f4de4fe9f9f7cda0d7f176f47210d3fce81037acd327537c2bd0de1ce0b1b1f6a818a7dcb6ba6fad05fc9be6312c2e3cf0b8e

memory/3256-201-0x0000021150540000-0x0000021150570000-memory.dmp

memory/4764-202-0x000002A1BE070000-0x000002A1BE0A0000-memory.dmp
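Three things in the listing above deserve a check before its hashes are copied into a blocklist: the crashpad named pipe carries the MD5 d41d8cd9... and SHA256 e3b0c442... of zero-byte input, so the sandbox hashed nothing there; msedge.exe and HD_msedge.exe sit in the same Edge directory with different hashes, so one of the two is not the binary that normally carries that name and both need a signature check before either hash is blocked; and the same 0x10000000-0x101B6000 range was dumped from PIDs 116, 3576 and 2752, which is what one module loaded into several processes looks like. The Python below, an added example that is not part of the sandbox report, parses a constructed excerpt of the listing (paths and hashes copied from above) in the report's own layout and performs those three checks; all function names are this example's own.

```python
"""Parse the Files listing of a sandbox report into IOC records and run the
checks a responder wants before the hashes go to a blocklist.  Added example,
not part of the report; LISTING is a constructed excerpt of the section above
and every function name is this example's own."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Excerpt in the report's own layout: a path line, then one hash per line,
# with memory-dump lines interleaved (raw string, so backslashes are literal).
LISTING = r"""
memory/1976-0-0x0000000000400000-0x00000000005C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

memory/116-7-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3576-27-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2752-28-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 7ff871fb93920d310e71f19a972a1a71
SHA256 bea296ef715ea7ff806affed47e501b2bf382ba329ca5f2e7f17565ed08abe5b

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

MD5 ad8536c7440638d40156e883ac25086e
SHA256 73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a

\??\pipe\LOCAL\crashpad_2004_ZVUYHPVCEAPKGTQO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Digests of zero-byte input: an entry carrying these was never really hashed.
EMPTY_DIGEST = {alg: hashlib.new(alg.lower(), b"").hexdigest() for alg in HASH_LEN}


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex


@dataclass(frozen=True)
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int


def parse_listing(text):
    """Return (file records, memory dumps); hash lines attach to the last path."""
    files, dumps, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := MEM_RE.match(line):
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None  # a dump line closes the previous file block
            continue
        if m := HASH_RE.match(line):
            alg, digest = m[1], m[2].lower()
            if current is None:
                raise ValueError(f"hash line without a path: {line}")
            if len(digest) != HASH_LEN[alg]:
                raise ValueError(f"{alg} digest of wrong length for {current.path}")
            current.hashes[alg] = digest
            continue
        current = FileRecord(line)
        files.append(current)
    return files, dumps


def shared_regions(dumps):
    """Map each dumped address range to the set of PIDs it was taken from."""
    regions = defaultdict(set)
    for d in dumps:
        regions[(d.start, d.end)].add(d.pid)
    return dict(regions)


def empty_content_entries(files):
    """Paths whose every digest is that of zero-byte input (e.g. a named pipe)."""
    return [f.path for f in files
            if f.hashes and all(EMPTY_DIGEST[a] == h for a, h in f.hashes.items())]


def hd_prefixed_pairs(files):
    """(original, HD_original, hashes_differ) for every HD_-prefixed file whose
    unprefixed namesake sits in the same directory."""
    by_path = {f.path.lower(): f for f in files}
    pairs = []
    for f in files:
        directory, _, name = f.path.rpartition("\\")
        if not name.lower().startswith("hd_"):
            continue
        sibling = by_path.get(f"{directory}\\{name[3:]}".lower())
        if sibling is None:
            continue
        same = any(sibling.hashes.get(a) == h for a, h in f.hashes.items())
        pairs.append((sibling.path, f.path, not same))
    return pairs


def blocklist_sha256(files):
    """SHA256 values worth blocking: entries that hash to nothing are dropped."""
    skip = set(empty_content_entries(files))
    return sorted(f.hashes["SHA256"] for f in files
                  if f.path not in skip and "SHA256" in f.hashes)


if __name__ == "__main__":
    files, dumps = parse_listing(LISTING)
    for (start, end), pids in shared_regions(dumps).items():
        print(f"0x{start:X}-0x{end:X}: dumped from pids {sorted(pids)}")
    print("empty-content entries:", empty_content_entries(files))
    print("HD_ pairs (original, renamed, hashes differ):", hd_prefixed_pairs(files))
    print("blocklist:", blocklist_sha256(files))
```

The digest-length check is deliberate: a hash truncated or mangled during copy-paste is the most common way a bad indicator reaches production. The pair check only reports; deciding which of msedge.exe and HD_msedge.exe is the legitimate Microsoft-signed binary needs the files themselves (Get-AuthenticodeSignature or the Sigcheck tool), not the listing.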