Malware Analysis Report

2024-09-22 14:50

Sample ID 240621-t8fphaxhkf
Target 3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3
SHA256 3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3
Tags
gh0strat purplefox defense_evasion persistence rat rootkit trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3

Threat Level: Known bad

The file 3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox defense_evasion persistence rat rootkit trojan upx

Gh0st RAT payload

Detect PurpleFox Rootkit

Gh0strat

PurpleFox

Sets service image path in registry

Server Software Component: Terminal Services DLL

Drops file in Drivers directory

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

UPX packed file

Hide Artifacts: Hidden Files and Directories

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Runs ping.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-21 16:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 16:43

Reported

2024-06-21 16:46

Platform

win7-20240221-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatfor.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259401863.txt" C:\Users\Admin\AppData\Local\Temp\R.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatfor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\259401863.txt C:\Users\Admin\AppData\Local\Temp\R.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\R.exe N/A
File created C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000021c748c0975a5046b1969f3b5592648c0000000002000000000010660000000100002000000000d47caf46b5fb814216cd8630ae87751a842288d75c938d1bca6e041f5287e3000000000e8000000002000020000000076cf00e6e59cdd52edc45545f72ee8bc504e54f5ce8987d4b1acb65cad14be62000000011367d8aac46b0b72e889838d730e5cbc3a480ab380b453d7460fd8abe58199440000000adda7da18846df057b313f9ec364417fde9f74f7882899a070d22ede11f4074a9ba33ff1c100299c601296a398c20f583937b84667a3432c7b3b3fd9aa185e72 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425150090" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a032c342fac3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\bandisoft.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6AAA9EC1-2FED-11EF-83C2-E25BC60B6402} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\bandisoft.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~7027840522788878354\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\N.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~4937715723325896951~\sg.tmp N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\~4937715723325896951~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~4937715723325896951~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~4937715723325896951~\sg.tmp N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2524 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 2524 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 2524 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 2524 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 2524 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2524 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2524 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2524 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2524 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2524 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2524 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2580 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2728 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2596 wrote to memory of 2728 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2596 wrote to memory of 2728 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2596 wrote to memory of 2728 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2596 wrote to memory of 2728 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2596 wrote to memory of 2728 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2596 wrote to memory of 2728 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2524 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe
PID 2524 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe
PID 2524 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe
PID 2524 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe
PID 2524 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe
PID 2524 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe
PID 2524 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe
PID 2448 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2448 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2448 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2448 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2800 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Windows\System32\cmd.exe
PID 2800 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Windows\System32\cmd.exe
PID 2800 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Windows\System32\cmd.exe
PID 2800 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Windows\System32\cmd.exe
PID 2768 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\attrib.exe
PID 2768 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\attrib.exe
PID 2768 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\attrib.exe
PID 2800 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE
PID 2800 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE
PID 2800 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE
PID 2800 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE
PID 2800 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE
PID 2800 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE
PID 2800 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE
PID 2736 wrote to memory of 2068 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 2736 wrote to memory of 2068 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 2736 wrote to memory of 2068 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 2736 wrote to memory of 2068 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 2932 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2932 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2932 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2932 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2800 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe
PID 2800 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe
PID 2800 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe
PID 2800 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe
PID 2176 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2508 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe C:\Windows\system32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe

"C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe"

C:\Users\Admin\AppData\Local\Temp\R.exe

C:\Users\Admin\AppData\Local\Temp\\R.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Users\Admin\AppData\Local\Temp\N.exe

C:\Users\Admin\AppData\Local\Temp\\N.exe

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe

C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE" C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe

C:\Windows\SysWOW64\Remote Data.exe

"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259401863.txt",MainThread

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.bandisoft.com/honeyview/

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2

C:\Windows\system32\cmd.exe

cmd.exe /c set

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe

PECMD**pecmd-cmd* PUTF -dd -skipb=1439232 -len=60080 "C:\Users\Admin\AppData\Local\Temp\~187200936823697861.tmp",,C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe

C:\Users\Admin\AppData\Local\Temp\~4937715723325896951~\sg.tmp

7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~187200936823697861.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~7027840522788878354"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\~7027840522788878354\BandiZip.cmd""

C:\Windows\system32\taskkill.exe

TASKKILL /F /IM BandiView.exe /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\BandiView" /v ProgramFolder

C:\Windows\system32\reg.exe

reg query "HKLM\SOFTWARE\BandiView" /v ProgramFolder

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo."

C:\Users\Admin\AppData\Local\Temp\~7027840522788878354\patch.exe

Patch.exe /silent /overwrite /startupworkdir ""

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crack.exe

PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~6327780351700030758.cmd"

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\~6327780351700030758.cmd"

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 16:43

Reported

2024-06-21 16:46

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatfor.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240598171.txt" C:\Users\Admin\AppData\Local\Temp\R.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatfor.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\R.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\Remote Data.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\R.exe N/A
File created C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A
File created C:\Windows\SysWOW64\240598171.txt C:\Users\Admin\AppData\Local\Temp\R.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\N.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3912 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 3912 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 3912 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 3912 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 3912 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 3912 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 3432 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 456 wrote to memory of 4976 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 456 wrote to memory of 4976 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 456 wrote to memory of 4976 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 3912 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe
PID 3912 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe
PID 3912 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe
PID 1200 wrote to memory of 4720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1200 wrote to memory of 4720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1200 wrote to memory of 4720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2260 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Windows\System32\cmd.exe
PID 2260 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Windows\System32\cmd.exe
PID 1112 wrote to memory of 2060 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\attrib.exe
PID 1112 wrote to memory of 2060 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\attrib.exe
PID 2260 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE
PID 2260 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE
PID 2260 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE
PID 3904 wrote to memory of 4228 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 3904 wrote to memory of 4228 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 3904 wrote to memory of 4228 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe

"C:\Users\Admin\AppData\Local\Temp\3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe"

C:\Users\Admin\AppData\Local\Temp\R.exe

C:\Users\Admin\AppData\Local\Temp\\R.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Users\Admin\AppData\Local\Temp\N.exe

C:\Users\Admin\AppData\Local\Temp\\N.exe

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe

C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE" C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe

C:\Windows\SysWOW64\Remote Data.exe

"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240598171.txt",MainThread
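The process list above is the whole infection chain in one run: a 7-Zip SFX dropper unpacking into %TEMP%, the staged R.exe and N.exe, a 32-bit svchost.exe started with the non-standard service group "Remote Data", a payload named "Remote Data.exe" handed a .txt file plus an export name (the rundll32 calling convention, with the DLL renamed to look like a text file), attrib +h to hide the SFX staging directory, and the usual cmd /c ping -n 2 127.0.0.1 && del self-deletion. Note also that the command lines say system32 while the sandbox reports SysWOW64: that is WOW64 file-system redirection, so a 32-bit process writing "system32" lands in SysWOW64, and a hunt must check both directories. The Python below is an added example, not part of the sandbox report or of the tooling that produced it: it runs simple command-line detections over the process records copied from the list above, plus one constructed benign svchost.exe record as a negative control. The svchost service-group allow-list and the rule names are assumptions for this example.

```python
from __future__ import annotations
import re
from typing import NamedTuple


class Proc(NamedTuple):
    image: str      # image path as reported by the sandbox
    cmdline: str    # command line as reported by the sandbox


# Sample input: (image, command line) pairs copied from the process list above,
# plus one constructed benign svchost.exe record as a negative control.
SAMPLE_PROCS = [
    Proc(r"C:\Users\Admin\AppData\Local\Temp\R.exe",
         r"C:\Users\Admin\AppData\Local\Temp\\R.exe"),
    Proc(r"C:\Windows\SysWOW64\svchost.exe",
         r'C:\Windows\SysWOW64\svchost.exe -k "Remote Data"'),
    Proc(r"C:\Windows\SysWOW64\TXPlatfor.exe",
         r"C:\Windows\SysWOW64\TXPlatfor.exe -auto"),
    Proc(r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul"),
    Proc(r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"'),
    Proc(r"C:\Windows\SysWOW64\Remote Data.exe",
         r'"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240598171.txt",MainThread'),
    # Constructed control record, not from the report: a normal 64-bit svchost.
    Proc(r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]

# Illustrative allow-list of stock svchost service groups (an assumption for this
# example; build the real one from a clean reference image of your own build).
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "networkservice", "localsystemnetworkrestricted",
    "localservicenetworkrestricted", "localservicenonetwork", "localservicenorestricted",
    "localserviceandnoimpersonation", "dcomlaunch", "rpcss", "wsappx", "utcsvc",
    "unistacksvcgroup", "netprofm", "appmodel", "wbiosvcgroup", "termsvcs", "print",
}

SELF_DELETE = re.compile(r"ping\s+-n\s+\d+\s+127\.0\.0\.1.*\bdel\b", re.I)
HIDE_ATTRIB = re.compile(r"\battrib(?:\.exe)?\b.*\+h\b", re.I)
SVCHOST_GROUP = re.compile(r'-k\s+(?:"([^"]+)"|(\S+))', re.I)
# A quoted non-PE file name followed by ",ExportName": the rundll32 argument form.
NON_PE_EXPORT = re.compile(r'"[^"]+\.(?:txt|dat|log)"\s*,\s*\w+', re.I)


def classify(p: Proc) -> list[str]:
    """Return the names of every rule that fires on one process record."""
    hits: list[str] = []
    image = p.image.lower()
    name = image.rsplit("\\", 1)[-1]
    cmd = p.cmdline

    if name == "cmd.exe" and SELF_DELETE.search(cmd):
        hits.append("self_delete_via_ping_delay")
    if HIDE_ATTRIB.search(cmd):
        hits.append("hide_with_attrib")
    if name == "svchost.exe":
        m = SVCHOST_GROUP.search(cmd)
        group = (m.group(1) or m.group(2)) if m else ""   # no -k at all is also odd
        if group.lower() not in KNOWN_SVCHOST_GROUPS:
            hits.append("svchost_unknown_group")
        if "\\syswow64\\" in image:                         # 32-bit svchost on x64 is rare
            hits.append("svchost_wow64")
    if "\\appdata\\local\\temp\\" in image:
        hits.append("exec_from_temp")
    if NON_PE_EXPORT.search(cmd):
        hits.append("non_pe_loaded_with_export")
    return hits


def triage(procs: list[Proc]) -> list[tuple[str, list[str]]]:
    """Run every rule over a process list; keep only records that fired something."""
    return [(p.image, hits) for p in procs if (hits := classify(p))]


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_PROCS):
        print(f"{image}\n    {', '.join(hits)}")
```

Five of the seven records fire; TXPlatfor.exe -auto and the control svchost line do not. The single-process rules are deliberately loose (any attrib +h, any executable in %TEMP%), so in production they belong in a scoring or correlation layer rather than as stand-alone alerts; the ping-then-del and .txt-with-export patterns are specific enough to alert on directly.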

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 ver.bandi.so udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
KR 52.78.169.250:443 ver.bandi.so tcp
US 8.8.8.8:53 250.169.78.52.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
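The Network table above is worth reading as a whole rather than row by row. g.bing.com, www.bing.com, tse1.mm.bing.net and ver.bandi.so (the update check of the decoy BandiView installer) are each resolved and then connected to over TCP 443. hackerinvasion.f3322.net is resolved 16 times during the run and is never followed by a connection. f3322.net is a dynamic-DNS service, and a host that keeps resolving one dynamic-DNS name without ever reaching it is what a Gh0st RAT beacon looks like when its C2 is down, blocked in the sandbox, or unresolvable. The in-addr.arpa rows are PTR lookups Windows issues for peers it has talked to, so they can be mapped back to IPs and compared with the observed connections. The Python below is an added example, not part of the report or of any tool that produced it: it parses the rows as copied from the table and separates forward lookups, PTR lookups and connections. The dynamic-DNS suffix list is an assumption for this example.

```python
from __future__ import annotations
import re
from collections import Counter

# Sample input: the rows of the Network table above, copied as-is
# (country, destination, domain, proto).
NETWORK_TABLE = """\
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 ver.bandi.so udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
KR 52.78.169.250:443 ver.bandi.so tcp
US 8.8.8.8:53 250.169.78.52.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
"""

# Dynamic-DNS suffixes treated as C2-likely: an assumption for this example,
# not a list taken from the report. Extend it from your own threat intel.
DYNDNS_SUFFIXES = tuple("." + s for s in (
    "f3322.net", "f3322.org", "3322.org", "no-ip.com", "ddns.net"))
PTR_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", re.I)


def ptr_to_ip(name: str) -> str | None:
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'; None if not a PTR name."""
    m = PTR_RE.fullmatch(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_rows(text: str) -> list[dict]:
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def triage(rows: list[dict]) -> dict:
    lookups: Counter[str] = Counter()      # forward DNS queries per name
    ptr_ips: set[str] = set()              # IPs the host asked PTR records for
    connections: dict[str, set[str]] = {}  # name -> {"ip:port"} for non-DNS traffic
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_ips.add(ip)
            else:
                lookups[r["domain"]] += 1
        else:
            connections.setdefault(r["domain"], set()).add(f'{r["ip"]}:{r["port"]}')
    findings = []
    for name, n in lookups.most_common():
        reasons = []
        if name.endswith(DYNDNS_SUFFIXES):
            reasons.append("dynamic-DNS provider")
        if name not in connections:
            reasons.append(f"{n} lookups, never connected (C2 down, blocked or NXDOMAIN)")
        if reasons:
            findings.append((name, reasons))
    connected_ips = {ep.split(":")[0] for eps in connections.values() for ep in eps}
    return {"lookups": lookups, "connections": connections, "findings": findings,
            "ptr_without_connection": sorted(ptr_ips - connected_ips)}


def triage_sample() -> dict:
    """Run the triage over the rows copied from the report."""
    return triage(parse_rows(NETWORK_TABLE))
```

On these rows the only finding is hackerinvasion.f3322.net, flagged both as a dynamic-DNS name and as 16 lookups with no connection; the PTR lookups that have no matching connection in this part of the table (for example 13.71.55.58) are Windows resolving peers it spoke to earlier in the run, so they are reported as context rather than as findings. A sandbox table cannot tell you whether the lookup returned NXDOMAIN or an address the sandbox refused to route, so confirm with the raw pcap before concluding the C2 is dead.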

Files

C:\Users\Admin\AppData\Local\Temp\R.exe

MD5 8dc3adf1c490211971c1e2325f1424d2
SHA1 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256 bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512 ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

C:\Windows\SysWOW64\240598171.txt

MD5 cd7e7647b21934f286c65598e495f687
SHA1 8b12053e9e33d00051cf19f170df96f2561dbde2
SHA256 332aa5d38a9aa08df7f555733ce239ec058430e0178569da43727bfd0378aa3e
SHA512 d8e4bc4b30328b255674807eca8d1d47affad34af44bba54c79864249cd61a317c87d049acea8e7479893fb2d50b80209f89b66026efe7fdd42afaa124860d12

C:\Users\Admin\AppData\Local\Temp\N.exe

MD5 4a36a48e58829c22381572b2040b6fe0
SHA1 f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA512 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

memory/3432-19-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3432-20-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3432-17-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3432-23-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/456-28-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/456-29-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/456-26-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_3cf8cc5480bf0a2a8a62f25507980b8d12df0268feb077f81d52dbc0695595a3.exe

MD5 e6c2996435883b7fbc802bc9565b8600
SHA1 2faf98319a4eaf7e237d45e2108688246e34fbd8
SHA256 d4ef2f3734f71b4e25c53584074b00686530d5222809684a6bfd21216b6fb7b4
SHA512 13298a3559d1ccf0f2476a16667475413ee44acb48f3a5bc22fe9d3ea9b600e613f87acaf6b8eeb30f4297e289b9e9753b44f1eaac2e42dec00a914c72c02ca1

memory/2260-39-0x0000000000400000-0x000000000044B000-memory.dmp

memory/4976-40-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4976-42-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4976-45-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 fe3eb47a978d83da8141331f7c408779
SHA1 6f515639ca2e9fb11eaa8d586f8205fbaff51b57
SHA256 8a6b2bdca79be3dcca28240ce2f0f6b7a7bc5de0ecacc416885babbb45f06861
SHA512 e65dfd4b057a829e910d212be405384e2c4144d85f1fb82e0292cd72c3c915954d2eb8be30939e015880d614a2f0f6162a427db63dadbdbf8af43d4c38da48c6

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIVIEW-SETUP-X64.EXE

MD5 e1bc0f19422ea0f4c99af6bf5317632a
SHA1 decffc3bf1ea5edc913afd55e43bb337ab7287cc
SHA256 c7cf671305440c1e33f6a51b1f52aae492b26d2b53360a7d88f4c661b0c38c09
SHA512 804f42bfcf79cc1907ff97c6a39a8155ea54431632fbda594e4bdf80ed95ad677351c9f928c427933897f504f2066d3d5f3b6f2f789b72c7fad1f028d3f55fb2

C:\Windows\SysWOW64\Remote Data.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/2260-86-0x0000000000400000-0x000000000044B000-memory.dmp