Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/06/2024, 11:54

General

  • Target

    150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe

  • Size

    7.9MB

  • MD5

    8fb60aacdbae702cef6c315966ef338c

  • SHA1

    4935d60a2ee95ddb9c807a52a9d98c28f1331790

  • SHA256

    150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294

  • SHA512

    096e57960aa0c66426555e0899f3ad7c095abc757d136ff5bcf14c5e692a4e6f51a565ddea23dfdd22002bb206e26a3235ee996be29b2112ee7ac6467221e437

  • SSDEEP

    196608:fWT9nO7WymnHhWAwJOwDuEwUdMDSOyIN9fhjtTYIYYmKL+cqCf4J:V7BUWAwJOEujUdM2OyG9VtUIYdHY8

Malware Config

Signatures

  • Detect PurpleFox Rootkit 10 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 12 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Drops file in Drivers directory 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 24 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
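The "UPX packed file" signature above is a section-table check. What follows is an added example, not part of the tria.ge report or of any tool it names: a dependency-free walker over the PE section table that flags stock UPX section names and, as a heuristic for the "modified UPX" case, the layout UPX leaves behind when its section names are renamed (a first section with no raw data that is unpacked into at run time, followed by a writable and executable stub section). The PE images it runs on are constructed header-only blobs produced by build_min_pe, not the dropped files listed on this page; the flag values are IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_WRITE from winnt.h.

```python
import struct

# IMAGE_SCN_* section characteristic flags (winnt.h)
MEM_EXECUTE = 0x20000000
MEM_WRITE = 0x80000000


def pe_sections(data):
    """Walk the PE section table; return name/size/flag info for each section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # sizeof(IMAGE_SECTION_HEADER)
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].split(b"\x00", 1)[0].decode("latin-1")
        vsize, _va, rawsize, _rawptr = struct.unpack_from("<IIII", data, off + 8)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name, "vsize": vsize, "rawsize": rawsize, "chars": chars})
    return sections


def classify_upx(data):
    """'upx' for stock section names, 'upx-like' for the renamed-UPX layout, else None."""
    secs = pe_sections(data)
    if any(s["name"].upper().startswith("UPX") for s in secs):
        return "upx"
    # Heuristic for modified UPX: a section that is empty on disk but large in
    # memory (the unpack target), immediately followed by a RWX stub section.
    for first, second in zip(secs, secs[1:]):
        if (first["rawsize"] == 0 and first["vsize"] > 0
                and second["chars"] & MEM_EXECUTE and second["chars"] & MEM_WRITE):
            return "upx-like"
    return None


def build_min_pe(sections):
    """Constructed test input: a header-only PE image (no code, no optional header)."""
    e_lfanew = 0x40
    mz = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b""
    for name, vsize, rawsize, chars in sections:
        table += name.encode("ascii")[:8].ljust(8, b"\x00")
        table += struct.pack("<IIIIIIHHI", vsize, 0x1000, rawsize, 0x400, 0, 0, 0, 0, chars)
    return mz + b"PE\x00\x00" + coff + table


# Constructed section layouts (name, VirtualSize, SizeOfRawData, Characteristics)
STOCK_UPX = [("UPX0", 0x10000, 0, 0xE0000080), ("UPX1", 0x5000, 0x4E00, 0xE0000040),
             (".rsrc", 0x1000, 0x600, 0xC0000040)]
RENAMED_UPX = [(".text", 0x10000, 0, 0xE0000080), (".data", 0x5000, 0x4E00, 0xE0000040),
               (".rsrc", 0x1000, 0x600, 0xC0000040)]
PLAIN = [(".text", 0x1000, 0x1000, 0x60000020), (".data", 0x1000, 0x200, 0xC0000040)]

if __name__ == "__main__":
    for label, layout in (("stock", STOCK_UPX), ("renamed", RENAMED_UPX), ("plain", PLAIN)):
        print(label, classify_upx(build_min_pe(layout)))
```

To run it against a real dropped file, pass open(path, "rb").read() to classify_upx. The renamed-section heuristic is deliberately narrow: it keys on the empty-on-disk unpack target next to a RWX stub, so a packed file that also adjusts section flags will need a different check (entropy of the stub section is the usual next step).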
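The "Writes to the Master Boot Record (MBR)" signature above is where a bootkit would land. Added example, not taken from the report: parse the 512-byte MBR (boot code, disk signature at 0x1B8, four 16-byte partition entries at 0x1BE, 0x55AA marker) and diff a current image against a known-good baseline. Both images are constructed here with build_mbr; the "infected" one keeps the partition table and disk signature intact and replaces only the boot code, which is how a bootkit stays bootable, so a check that validates only the partition table would miss it. The boot-code bytes are stand-in stubs, not a real loader.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_END = 0x1B8   # boot code proper; 0x1B8-0x1BB is the disk signature
PART_TABLE = 0x1BE     # four IMAGE_SCN-style 16-byte partition entries
SIG_OFFSET = 0x1FE     # 0x55 0xAA boot signature


def parse_mbr(data):
    """Split an MBR into boot-code hash, disk signature, partitions, signature check."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", data, PART_TABLE + 16 * i)
        if ptype:  # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba": lba, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(data[:BOOTCODE_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, 0x1B8)[0],
        "partitions": partitions,
        "signature_ok": data[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA",
    }


def diff_mbr(baseline, current):
    """Return a list of human-readable differences between two MBR images."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if b["bootcode_sha256"] != c["bootcode_sha256"]:
        findings.append("boot code changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    return findings


def build_mbr(bootcode, partitions, disk_sig=0x1234ABCD):
    """Constructed sample MBR: padded boot code, disk signature, up to four entries."""
    data = bytearray(MBR_SIZE)
    code = bootcode[:BOOTCODE_END]
    data[:len(code)] = code
    struct.pack_into("<I", data, 0x1B8, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into("<B3xB3xII", data, PART_TABLE + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    data[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(data)


# Constructed images: one NTFS-type partition at LBA 2048; stub boot code only.
CLEAN_CODE = bytes.fromhex("fa33c08ed0bc007c") + b"\x90" * 64
BOOTKIT_CODE = b"\xeb\xfe" + b"\xcc" * 40
PARTS = [(True, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(CLEAN_CODE, PARTS)
BOOTKIT_MBR = build_mbr(BOOTKIT_CODE, PARTS)  # same table, same signature, new code

if __name__ == "__main__":
    print("clean vs clean:  ", diff_mbr(CLEAN_MBR, CLEAN_MBR))
    print("clean vs bootkit:", diff_mbr(CLEAN_MBR, BOOTKIT_MBR))
```

On a live Windows host the baseline would be taken from a freshly provisioned image and the current copy from the first 512 bytes of \\.\PhysicalDrive0 opened with administrator rights; the block itself does no I/O. Hashing the boot code rather than the whole sector keeps the comparison stable across legitimate partition-table edits.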

Processes

  • C:\Users\Admin\AppData\Local\Temp\150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
    "C:\Users\Admin\AppData\Local\Temp\150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3904
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1828
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:516
    • C:\Users\Admin\AppData\Local\Temp\HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
      C:\Users\Admin\AppData\Local\Temp\HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3148
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://dl.ludashi.com/ludashi/ludashisetup.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          C:\Users\Admin\AppData\Local\Temp\\svchost.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2308
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2160
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 2 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:2276
        • C:\Users\Admin\AppData\Local\Temp\svchos.exe
          C:\Users\Admin\AppData\Local\Temp\\svchos.exe
          4⤵
          • Executes dropped EXE
          PID:4508
        • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Checks system information in the registry
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4192
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0x104,0xd8,0x108,0x7ffbb46e46f8,0x7ffbb46e4708,0x7ffbb46e4718
            5⤵
            • Executes dropped EXE
            PID:4724
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
            5⤵
            • Executes dropped EXE
            PID:3436
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1704
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
            5⤵
            • Executes dropped EXE
            PID:5036
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            PID:3628
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            PID:3748
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            PID:4408
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            PID:1620
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
            5⤵
              PID:1940
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3576
            • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              PID:2688
            • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              PID:4140
            • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              PID:3748
            • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3120 /prefetch:2
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:4640
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -auto
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\SysWOW64\TXPlatforn.exe
        C:\Windows\SysWOW64\TXPlatforn.exe -acsi
        2⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:4612
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
      1⤵
        PID:1400
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4492
        • C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
          C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240618109.txt",MainThread
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2468
      • C:\Windows\SysWOW64\TXPlatforn.exe
        C:\Windows\SysWOW64\TXPlatforn.exe -auto
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4808
        • C:\Windows\SysWOW64\TXPlatforn.exe
          C:\Windows\SysWOW64\TXPlatforn.exe -acsi
          2⤵
          • Executes dropped EXE
          PID:4584
      • C:\Windows\System32\CompPkgSrv.exe
        C:\Windows\System32\CompPkgSrv.exe -Embedding
        1⤵
          PID:2356
        • C:\Windows\System32\CompPkgSrv.exe
          C:\Windows\System32\CompPkgSrv.exe -Embedding
          1⤵
            PID:220
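Three things in the process tree above are worth turning into detection logic: the dropper's children delete themselves with "cmd.exe /c ping -n 2 127.0.0.1 > nul && del <path>", copies named svchost.exe and svchos.exe run from %TEMP% rather than a system directory, and a SysWOW64 svchost.exe is started with a -k group whose name is GBK text rendered through the en-US sandbox's CP1252 code page. The following is an added example, not part of the tria.ge report: it runs those checks over a hand-constructed event list shaped after the tree (pid 9001 is a benign control), and re-decodes the mojibake group name so an analyst sees the real service name. The svchost group allowlist is a partial placeholder, an assumption for the example; a real deployment would derive it from a clean build.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events: (pid, ppid, image path, command line).
# Hand-written to mirror the tree in this report, not an export from the sandbox.
EVENTS = [
    (2128, 1000, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (1848, 2128, r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
     r"C:\Users\Admin\AppData\Local\Temp\\svchost.exe"),
    (3904, 1848, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul"),
    (1828, 3904, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 2 127.0.0.1"),
    (516, 2128, r"C:\Users\Admin\AppData\Local\Temp\svchos.exe",
     r"C:\Users\Admin\AppData\Local\Temp\\svchos.exe"),
    (4492, 1, r"C:\Windows\SysWOW64\svchost.exe",
     r'C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"'),
    (2468, 4492, r"C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe",
     r'C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240618109.txt",MainThread'),
    (9001, 700, r"C:\Windows\System32\svchost.exe",  # benign control
     r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]

# "ping -n N 127.0.0.1 && del <file>": sleep-then-delete of the dropper itself.
SELF_DELETE = re.compile(
    r"ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\b.*?&&\s*del\s+(?P<target>\S+)", re.I)
SVCHOST_GROUP = re.compile(r'-k\s+"?([^"\s]+)"?', re.I)
# Partial allowlist of stock svchost groups (assumption for the example).
KNOWN_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch",
                "localsystemnetworkrestricted", "localservicenetworkrestricted",
                "localservicenonetwork", "wsappx"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def undo_cp1252_gbk(name):
    """Recover a GBK name that an en-US (CP1252) system rendered as mojibake.
    Returns None for plain ASCII or text that does not round-trip."""
    try:
        fixed = name.encode("cp1252").decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None
    return fixed if fixed != name else None


def analyze(events):
    """Return (rule, pid, detail) findings for the three behaviours above."""
    findings = []
    for pid, _ppid, image, cmdline in events:
        path = PureWindowsPath(image)
        name, parent = path.name.lower(), str(path.parent).lower()
        m = SELF_DELETE.search(cmdline)
        if m:
            findings.append(("self_delete_via_ping", pid, m.group("target")))
        if name == "svchost.exe":
            g = SVCHOST_GROUP.search(cmdline)
            if g and g.group(1).lower() not in KNOWN_GROUPS:
                group = g.group(1)
                findings.append(("svchost_unknown_group", pid, undo_cp1252_gbk(group) or group))
        if edit_distance(name, "svchost.exe") <= 1 and parent not in SYSTEM_DIRS:
            findings.append(("system_binary_lookalike_outside_system_dirs", pid, image))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:45} pid={pid:<5} {detail}")
```

The re-decoded group name is 主动防御服务模块 ("active defense service module"), which is also the name of the dropped executable under SysWOW64 in the tree above; the sandbox shows the CP1252 rendering because the file was created through an ANSI API with GBK bytes. The lookalike rule is scoped to one character of edit distance so that svchos.exe is caught without flagging every unrelated short name, and it is suppressed inside System32 and SysWOW64, where the real binary lives.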

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

            Filesize

            3.2MB

            MD5

            ad8536c7440638d40156e883ac25086e

            SHA1

            fa9e8b7fb10473a01b8925c4c5b0888924a1147c

            SHA256

            73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a

            SHA512

            b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

            Filesize

            4.6MB

            MD5

            01f13bef7c609877bfe41cfe897c2c67

            SHA1

            774f5a99e8c3aeaf9ebda42ed3deaa9912eddb3e

            SHA256

            6046fcdffb537c10086c640b0e596b59063d121b8907e8d9852c6744d3e911e5

            SHA512

            ff4b8a4ad71a325ea5d200f153917765867e9e2d13789ef44bd2919a537d22f993edc74e8c5c5479da588495eeb12fa7978e47690baabcf7d6ef081e4a770a98

          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

            Filesize

            152B

            MD5

            4819fbc4513c82d92618f50a379ee232

            SHA1

            ab618827ff269655283bf771fc957c8798ab51ee

            SHA256

            05e479e8ec96b7505e01e5ec757ccfe35cb73cd46b27ff4746dce90d43d9237c

            SHA512

            bc24fb972d04b55505101300e268f91b11e5833f1a18e925b5ded7e758b5e3e08bee1aa8f3a0b65514d6df981d0cbfa8798344db7f2a3675307df8de12ae475b

          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

            Filesize

            152B

            MD5

            257c0005d0c4d0bb282cb470925e4376

            SHA1

            f9b8efb511ed64292568977c9f2ec255509e8f7d

            SHA256

            8185c36aaacfc71e42f94fad8e198fe7fb2d868398ceabb89261cae94341cb22

            SHA512

            2f3e8f352ed3ef88e8c28650390f93f98c92174d268330b886f3ebd1ba0163999051298ee12a054606b4986005452a241c6864cd292e69492d79c37d500556f4

          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

            Filesize

            5KB

            MD5

            87a58afc183bb74a0f091dd73e07f5fc

            SHA1

            653ca49d59114b3f212f89747967b663684c9c09

            SHA256

            006366253aa50bd7222362e0e04d1968a223c11f6bbbf0cc83a7b1e4847c1a9d

            SHA512

            75982f24df293d62b6ef2d99e67d39470aad202f9ef7a96b8ef3d1e0c54c952a6dcd193be1aa59f0cf19ec2c16621821a1d2227039fb14aee6df1a024d874c2b

          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

            Filesize

            5KB

            MD5

            aab8bec4fc51925c0e66d0bfa0506c8d

            SHA1

            ade3e89b9c31bd02c787a6035f37543ec1cc53a1

            SHA256

            e1d3391b16bb429aa38eac023d6d05fff0a66bb5420a93ab85a38524e35b7ec6

            SHA512

            bdfa3484287acb4546df155c87481822a75e2ba365d897d120b4866986382c059cffc5b98c4f60aca88ecad7d6edb587b987570ea973e48d404141cb663a1ada

          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

            Filesize

            24KB

            MD5

            95cd1581c30a5c26f698a8210bcab430

            SHA1

            5e8e551a47dd682ec51a7d6808fe8e0f2af39e86

            SHA256

            d58162c5ae5e18fc06604c285e024c01686093d70994dc93b4ae9d85b4c3f7b9

            SHA512

            e49403df10177053634c431203a91d26df5dfb23cbbb88847459ecdf4b6107040d0944a3e84ee6bb26cb4e8017a35c8c31b658387cd1b6938ba4cb9f59606ece

          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

            Filesize

            16B

            MD5

            6752a1d65b201c13b62ea44016eb221f

            SHA1

            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

            SHA256

            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

            SHA512

            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

            Filesize

            10KB

            MD5

            b4c0fe93c53093ae2b6b266e8941754f

            SHA1

            fa43b8d37b25bd66cd41ba7a29a999555a333fb9

            SHA256

            de6c7548ba1f2913dd7feaaed96b78bad3bf41bbd6c5c8ad9ba055d4eb3c51bd

            SHA512

            ba7d9d2b34b87d111d48379dbb732693e87c1110715cbe8c16711ae9e6466d5a4ae3a8e478938375e519dff191574b5abc5bd0ce734ababf2beff2a2283c9483

          • C:\Users\Admin\AppData\Local\Temp\HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe

            Filesize

            6.4MB

            MD5

            433333d95590d6987cd2255701e0974c

            SHA1

            7a15a5d3dd68d8a3ff1b5ce0742ba8da0618bc07

            SHA256

            dbef829a072c41161020cf3f7b10754ee73071ed09e77ed3b7f8b9843d1dfd3b

            SHA512

            e420b2a6201b4a29974ad236491506501b8eec81d710ce20a9e55328085ed848d452e87f7d73dbf1320928f52bf8f094f40883614451f9f058c0c51150444dd4

          • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

            Filesize

            1.5MB

            MD5

            272bedf8d490dba91c7657b955d61c22

            SHA1

            529cd24a7bba3d88948619763f549e6e85f2b8e8

            SHA256

            0822eae1f2e85712b1c3afb7e37bffd34262b0207c409ccbe89173e9e9bd7465

            SHA512

            e42f270eb4cc35041cef3d6ed4bf713abbcdb741d2514f28fefd98787828b6be788b91a4487187ed36fa4725b45de87573a42f5421a73d36b3794506ab35c58b

          • C:\Users\Admin\AppData\Local\Temp\svchos.exe

            Filesize

            93KB

            MD5

            3b377ad877a942ec9f60ea285f7119a2

            SHA1

            60b23987b20d913982f723ab375eef50fafa6c70

            SHA256

            62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

            SHA512

            af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

          • C:\Users\Admin\AppData\Local\Temp\svchost.exe

            Filesize

            377KB

            MD5

            a4329177954d4104005bce3020e5ef59

            SHA1

            23c29e295e2dbb8454012d619ca3f81e4c16e85a

            SHA256

            6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

            SHA512

            81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

          • C:\Windows\SysWOW64\240618109.txt

            Filesize

            50KB

            MD5

            fc928b3ff6b0dfb30b0bb48b1a7d9e5b

            SHA1

            3d8462a2ccb344a74f3c6d88d1cfb7ce06507cae

            SHA256

            498b6b6b17b98fa2e0d232a4cc53e1d7e864b9546044975344238cadb3b208e3

            SHA512

            35f7855253f1d5debcc1e9e09c6584c343e09df357e9520e24c1c2a8adb36f240351edf7b7203983c42067128b12aded46f72de72637ba39c533c94549ef6c71

          • C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

            Filesize

            60KB

            MD5

            889b99c52a60dd49227c5e485a016679

            SHA1

            8fa889e456aa646a4d0a4349977430ce5fa5e2d7

            SHA256

            6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

            SHA512

            08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

          • memory/1620-244-0x0000026587A10000-0x0000026587AAE000-memory.dmp

            Filesize

            632KB

          • memory/1848-5-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/1848-6-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/1848-10-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/1848-7-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/2688-217-0x000002A324200000-0x000002A32429E000-memory.dmp

            Filesize

            632KB

          • memory/3148-51-0x0000000000760000-0x0000000000761000-memory.dmp

            Filesize

            4KB

          • memory/3148-55-0x00000000009C0000-0x0000000001769000-memory.dmp

            Filesize

            13.7MB

          • memory/3148-52-0x0000000000770000-0x0000000000771000-memory.dmp

            Filesize

            4KB

          • memory/3148-53-0x00000000009A0000-0x00000000009A1000-memory.dmp

            Filesize

            4KB

          • memory/3148-54-0x00000000009B0000-0x00000000009B1000-memory.dmp

            Filesize

            4KB

          • memory/3148-49-0x0000000000730000-0x0000000000731000-memory.dmp

            Filesize

            4KB

          • memory/3148-50-0x0000000000750000-0x0000000000751000-memory.dmp

            Filesize

            4KB

          • memory/3436-242-0x0000024C614D0000-0x0000024C6156E000-memory.dmp

            Filesize

            632KB

          • memory/3436-152-0x00007FFBC2450000-0x00007FFBC2451000-memory.dmp

            Filesize

            4KB

          • memory/3628-188-0x0000018F5D4D0000-0x0000018F5D56E000-memory.dmp

            Filesize

            632KB

          • memory/3748-251-0x0000029DEF8D0000-0x0000029DEF96E000-memory.dmp

            Filesize

            632KB

          • memory/3748-191-0x000002BC692D0000-0x000002BC6936E000-memory.dmp

            Filesize

            632KB

          • memory/4140-218-0x00000204292D0000-0x000002042936E000-memory.dmp

            Filesize

            632KB

          • memory/4408-210-0x000002BD65E00000-0x000002BD65E9E000-memory.dmp

            Filesize

            632KB

          • memory/4612-43-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/4612-42-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/4612-25-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/4612-38-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/4620-17-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/4620-13-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/4620-16-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/4620-15-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/4620-29-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/5036-243-0x00000293A7600000-0x00000293A769E000-memory.dmp

            Filesize

            632KB