gh0strat | 150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
Size

7.9MB
MD5

8fb60aacdbae702cef6c315966ef338c
SHA1

4935d60a2ee95ddb9c807a52a9d98c28f1331790
SHA256

150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294
SHA512

096e57960aa0c66426555e0899f3ad7c095abc757d136ff5bcf14c5e692a4e6f51a565ddea23dfdd22002bb206e26a3235ee996be29b2112ee7ac6467221e437
SSDEEP

196608:fWT9nO7WymnHhWAwJOwDuEwUdMDSOyIN9fhjtTYIYYmKL+cqCf4J:V7BUWAwJOEujUdM2OyG9VtUIYdHY8

Score

10^/10

gh0strat purplefox bootkit discovery evasion persistence rat rootkit spyware stealer trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 10 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/1848-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1848-10-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1848-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4620-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4620-16-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4620-17-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4612-38-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4612-43-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4612-42-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4620-29-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 12 IoCs

resource	yara_rule
behavioral2/memory/1848-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1848-10-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1848-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4620-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4620-16-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4620-17-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/files/0x00080000000234ce-36.dat	family_gh0strat
behavioral2/memory/4612-38-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4612-43-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4612-42-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4620-29-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4612-25-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240618109.txt"	svchos.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	HD_msedge.exe

Executes dropped EXE 24 IoCs

pid	Process
1848	svchost.exe
4620	TXPlatforn.exe
516	svchos.exe
4612	TXPlatforn.exe
3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
2468	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
2032	msedge.exe
2308	svchost.exe
4808	TXPlatforn.exe
4584	TXPlatforn.exe
4508	svchos.exe
4192	HD_msedge.exe
4724	HD_msedge.exe
3436	HD_msedge.exe
1704	HD_msedge.exe
5036	HD_msedge.exe
3628	HD_msedge.exe
3748	HD_msedge.exe
4408	HD_msedge.exe
1620	HD_msedge.exe
2688	HD_msedge.exe
4140	HD_msedge.exe
3748	HD_msedge.exe
4640	HD_msedge.exe

Loads dropped DLL 3 IoCs

pid	Process
516	svchos.exe
4492	svchost.exe
2468	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1848-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1848-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1848-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1848-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4620-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4620-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4620-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4620-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4612-38-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4612-43-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4612-42-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4620-29-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4612-25-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HD_msedge.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	HD_msedge.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\240618109.txt	svchos.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	HD_msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HD_msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1828	PING.EXE
2276	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2128	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
2128	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
2032	msedge.exe
2032	msedge.exe
1704	HD_msedge.exe
1704	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
3576	identity_helper.exe
3576	identity_helper.exe
4640	HD_msedge.exe
4640	HD_msedge.exe
4640	HD_msedge.exe
4640	HD_msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4612	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1848	svchost.exe
Token: SeLoadDriverPrivilege	4612	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2308	svchost.exe
Token: 33	4612	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4612	TXPlatforn.exe
Token: 33	4612	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4612	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe
4192	HD_msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2128	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
2128	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
2032	msedge.exe
2032	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1848	2128	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe	88
PID 2128 wrote to memory of 1848	2128	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe	88
PID 2128 wrote to memory of 1848	2128	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe	88
PID 1848 wrote to memory of 3904	1848	svchost.exe	90
PID 1848 wrote to memory of 3904	1848	svchost.exe	90
PID 1848 wrote to memory of 3904	1848	svchost.exe	90
PID 2128 wrote to memory of 516	2128	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe	91
PID 2128 wrote to memory of 516	2128	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe	91
PID 2128 wrote to memory of 516	2128	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe	91
PID 4620 wrote to memory of 4612	4620	TXPlatforn.exe	92
PID 4620 wrote to memory of 4612	4620	TXPlatforn.exe	92
PID 4620 wrote to memory of 4612	4620	TXPlatforn.exe	92
PID 3904 wrote to memory of 1828	3904	cmd.exe	97
PID 3904 wrote to memory of 1828	3904	cmd.exe	97
PID 3904 wrote to memory of 1828	3904	cmd.exe	97
PID 2128 wrote to memory of 3148	2128	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe	99
PID 2128 wrote to memory of 3148	2128	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe	99
PID 2128 wrote to memory of 3148	2128	150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe	99
PID 4492 wrote to memory of 2468	4492	svchost.exe	102
PID 4492 wrote to memory of 2468	4492	svchost.exe	102
PID 4492 wrote to memory of 2468	4492	svchost.exe	102
PID 3148 wrote to memory of 2032	3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe	105
PID 3148 wrote to memory of 2032	3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe	105
PID 3148 wrote to memory of 2032	3148	HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe	105
PID 2032 wrote to memory of 2308	2032	msedge.exe	106
PID 2032 wrote to memory of 2308	2032	msedge.exe	106
PID 2032 wrote to memory of 2308	2032	msedge.exe	106
PID 2308 wrote to memory of 2160	2308	svchost.exe	108
PID 2308 wrote to memory of 2160	2308	svchost.exe	108
PID 2308 wrote to memory of 2160	2308	svchost.exe	108
PID 4808 wrote to memory of 4584	4808	TXPlatforn.exe	110
PID 4808 wrote to memory of 4584	4808	TXPlatforn.exe	110
PID 4808 wrote to memory of 4584	4808	TXPlatforn.exe	110
PID 2032 wrote to memory of 4508	2032	msedge.exe	109
PID 2032 wrote to memory of 4508	2032	msedge.exe	109
PID 2032 wrote to memory of 4508	2032	msedge.exe	109
PID 2032 wrote to memory of 4192	2032	msedge.exe	112
PID 2032 wrote to memory of 4192	2032	msedge.exe	112
PID 4192 wrote to memory of 4724	4192	HD_msedge.exe	113
PID 4192 wrote to memory of 4724	4192	HD_msedge.exe	113
PID 2160 wrote to memory of 2276	2160	cmd.exe	114
PID 2160 wrote to memory of 2276	2160	cmd.exe	114
PID 2160 wrote to memory of 2276	2160	cmd.exe	114
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116
PID 4192 wrote to memory of 3436	4192	HD_msedge.exe	116

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	HD_msedge.exe

C:\Users\Admin\AppData\Local\Temp\150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
"C:\Users\Admin\AppData\Local\Temp\150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1828
- C:\Users\Admin\AppData\Local\Temp\svchos.exe
  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:516
- C:\Users\Admin\AppData\Local\Temp\HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
  C:\Users\Admin\AppData\Local\Temp\HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://dl.ludashi.com/ludashi/ludashisetup.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2160
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      4⤵
      Executes dropped EXE
      PID:4508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Checks system information in the registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0x104,0xd8,0x108,0x7ffbb46e46f8,0x7ffbb46e4708,0x7ffbb46e4718
        5⤵
        Executes dropped EXE
        
        PID:4724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:3436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
        5⤵
        
        PID:1940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3576
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3120 /prefetch:2
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4640

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:4612

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:1400

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240618109.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2468

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:4584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

Filesize
3.2MB

MD5
ad8536c7440638d40156e883ac25086e

SHA1
fa9e8b7fb10473a01b8925c4c5b0888924a1147c

SHA256
73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a

SHA512
b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
4.6MB

MD5
01f13bef7c609877bfe41cfe897c2c67

SHA1
774f5a99e8c3aeaf9ebda42ed3deaa9912eddb3e

SHA256
6046fcdffb537c10086c640b0e596b59063d121b8907e8d9852c6744d3e911e5

SHA512
ff4b8a4ad71a325ea5d200f153917765867e9e2d13789ef44bd2919a537d22f993edc74e8c5c5479da588495eeb12fa7978e47690baabcf7d6ef081e4a770a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4819fbc4513c82d92618f50a379ee232

SHA1
ab618827ff269655283bf771fc957c8798ab51ee

SHA256
05e479e8ec96b7505e01e5ec757ccfe35cb73cd46b27ff4746dce90d43d9237c

SHA512
bc24fb972d04b55505101300e268f91b11e5833f1a18e925b5ded7e758b5e3e08bee1aa8f3a0b65514d6df981d0cbfa8798344db7f2a3675307df8de12ae475b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
257c0005d0c4d0bb282cb470925e4376

SHA1
f9b8efb511ed64292568977c9f2ec255509e8f7d

SHA256
8185c36aaacfc71e42f94fad8e198fe7fb2d868398ceabb89261cae94341cb22

SHA512
2f3e8f352ed3ef88e8c28650390f93f98c92174d268330b886f3ebd1ba0163999051298ee12a054606b4986005452a241c6864cd292e69492d79c37d500556f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
87a58afc183bb74a0f091dd73e07f5fc

SHA1
653ca49d59114b3f212f89747967b663684c9c09

SHA256
006366253aa50bd7222362e0e04d1968a223c11f6bbbf0cc83a7b1e4847c1a9d

SHA512
75982f24df293d62b6ef2d99e67d39470aad202f9ef7a96b8ef3d1e0c54c952a6dcd193be1aa59f0cf19ec2c16621821a1d2227039fb14aee6df1a024d874c2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aab8bec4fc51925c0e66d0bfa0506c8d

SHA1
ade3e89b9c31bd02c787a6035f37543ec1cc53a1

SHA256
e1d3391b16bb429aa38eac023d6d05fff0a66bb5420a93ab85a38524e35b7ec6

SHA512
bdfa3484287acb4546df155c87481822a75e2ba365d897d120b4866986382c059cffc5b98c4f60aca88ecad7d6edb587b987570ea973e48d404141cb663a1ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
95cd1581c30a5c26f698a8210bcab430

SHA1
5e8e551a47dd682ec51a7d6808fe8e0f2af39e86

SHA256
d58162c5ae5e18fc06604c285e024c01686093d70994dc93b4ae9d85b4c3f7b9

SHA512
e49403df10177053634c431203a91d26df5dfb23cbbb88847459ecdf4b6107040d0944a3e84ee6bb26cb4e8017a35c8c31b658387cd1b6938ba4cb9f59606ece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b4c0fe93c53093ae2b6b266e8941754f

SHA1
fa43b8d37b25bd66cd41ba7a29a999555a333fb9

SHA256
de6c7548ba1f2913dd7feaaed96b78bad3bf41bbd6c5c8ad9ba055d4eb3c51bd

SHA512
ba7d9d2b34b87d111d48379dbb732693e87c1110715cbe8c16711ae9e6466d5a4ae3a8e478938375e519dff191574b5abc5bd0ce734ababf2beff2a2283c9483

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe

Filesize
6.4MB

MD5
433333d95590d6987cd2255701e0974c

SHA1
7a15a5d3dd68d8a3ff1b5ce0742ba8da0618bc07

SHA256
dbef829a072c41161020cf3f7b10754ee73071ed09e77ed3b7f8b9843d1dfd3b

SHA512
e420b2a6201b4a29974ad236491506501b8eec81d710ce20a9e55328085ed848d452e87f7d73dbf1320928f52bf8f094f40883614451f9f058c0c51150444dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.5MB

MD5
272bedf8d490dba91c7657b955d61c22

SHA1
529cd24a7bba3d88948619763f549e6e85f2b8e8

SHA256
0822eae1f2e85712b1c3afb7e37bffd34262b0207c409ccbe89173e9e9bd7465

SHA512
e42f270eb4cc35041cef3d6ed4bf713abbcdb741d2514f28fefd98787828b6be788b91a4487187ed36fa4725b45de87573a42f5421a73d36b3794506ab35c58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
C:\Windows\SysWOW64\240618109.txt

Filesize
50KB

MD5
fc928b3ff6b0dfb30b0bb48b1a7d9e5b

SHA1
3d8462a2ccb344a74f3c6d88d1cfb7ce06507cae

SHA256
498b6b6b17b98fa2e0d232a4cc53e1d7e864b9546044975344238cadb3b208e3

SHA512
35f7855253f1d5debcc1e9e09c6584c343e09df357e9520e24c1c2a8adb36f240351edf7b7203983c42067128b12aded46f72de72637ba39c533c94549ef6c71

Download Submit
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/1620-244-0x0000026587A10000-0x0000026587AAE000-memory.dmp

Filesize
632KB

Download
memory/1848-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1848-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1848-10-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1848-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2688-217-0x000002A324200000-0x000002A32429E000-memory.dmp

Filesize
632KB

Download
memory/3148-51-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3148-55-0x00000000009C0000-0x0000000001769000-memory.dmp

Filesize
13.7MB

Download
memory/3148-52-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/3148-53-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/3148-54-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3148-49-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3148-50-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3436-242-0x0000024C614D0000-0x0000024C6156E000-memory.dmp

Filesize
632KB

Download
memory/3436-152-0x00007FFBC2450000-0x00007FFBC2451000-memory.dmp

Filesize
4KB

Download
memory/3628-188-0x0000018F5D4D0000-0x0000018F5D56E000-memory.dmp

Filesize
632KB

Download
memory/3748-251-0x0000029DEF8D0000-0x0000029DEF96E000-memory.dmp

Filesize
632KB

Download
memory/3748-191-0x000002BC692D0000-0x000002BC6936E000-memory.dmp

Filesize
632KB

Download
memory/4140-218-0x00000204292D0000-0x000002042936E000-memory.dmp

Filesize
632KB

Download
memory/4408-210-0x000002BD65E00000-0x000002BD65E9E000-memory.dmp

Filesize
632KB

Download
memory/4612-43-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4612-42-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4612-25-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4612-38-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4620-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4620-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4620-16-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4620-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4620-29-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/5036-243-0x00000293A7600000-0x00000293A769E000-memory.dmp

Filesize
632KB

Download