Malware Analysis Report

2025-01-02 15:09

Sample ID 240625-v7fhsatcnb
Target 3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89
SHA256 3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89
Tags
gh0strat purplefox persistence rat rootkit trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89

Threat Level: Known bad

The file 3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx

Detect PurpleFox Rootkit

Gh0strat

Gh0st RAT payload

PurpleFox

Sets service image path in registry

Drops file in Drivers directory

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 17:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 17:37

Reported

2024-06-25 17:40

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatfor.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatfor.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\240598468.txt | C:\Users\Admin\AppData\Local\Temp\R.exe | N/A
File created | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Users\Admin\AppData\Local\Temp\N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Users\Admin\AppData\Local\Temp\N.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\R.exe

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\N.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5116 wrote to memory of 3452 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\R.exe
PID 5116 wrote to memory of 3452 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\R.exe
PID 5116 wrote to memory of 3452 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\R.exe
PID 5116 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\N.exe
PID 5116 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\N.exe
PID 5116 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\N.exe
PID 3908 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\N.exe | C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\N.exe | C:\Windows\SysWOW64\cmd.exe
PID 3908 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 3732 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Windows\SysWOW64\TXPlatfor.exe
PID 2772 wrote to memory of 3732 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Windows\SysWOW64\TXPlatfor.exe
PID 2772 wrote to memory of 3732 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Windows\SysWOW64\TXPlatfor.exe
PID 5116 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\HD_3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe
PID 5116 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\HD_3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe
PID 2640 wrote to memory of 2316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2640 wrote to memory of 2316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2640 wrote to memory of 2316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe

"C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe"

C:\Users\Admin\AppData\Local\Temp\R.exe

C:\Users\Admin\AppData\Local\Temp\\R.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3452 -ip 3452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 468

C:\Users\Admin\AppData\Local\Temp\N.exe

C:\Users\Admin\AppData\Local\Temp\\N.exe

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe

C:\Users\Admin\AppData\Local\Temp\HD_3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp

Files

C:\Users\Admin\AppData\Local\Temp\R.exe

MD5 8dc3adf1c490211971c1e2325f1424d2
SHA1 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256 bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512 ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

C:\Windows\SysWOW64\240598468.txt

MD5 1c1023892bd67a02b8f83868b581ed9c
SHA1 fb90ef876ff3ca285427ad1420175c8ad7b5b053
SHA256 286ec5d1bcc046506998e8468b104d4e11dbfcefe024dc3be48fe6bdc84d8dc4
SHA512 bd1463895eab12c782dc7059ce42531b4aa19deb42f6224dde117a12e40c4551691cbab302c3cef813d576d38be481c22d085383b9d25de760e3e8809b4ff073

C:\Users\Admin\AppData\Local\Temp\N.exe

MD5 4a36a48e58829c22381572b2040b6fe0
SHA1 f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA512 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

memory/3908-12-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3908-15-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3908-14-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3908-18-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2772-23-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2772-24-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2772-25-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2772-31-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe

MD5 587d8e067ad8e98a15db27237cc39ca1
SHA1 e47c17099a6e2501267d4d13243e1048b2bc9932
SHA256 61b92b044fd3f3445f98d88bd68dfcb1e89690bba0129de48ee6afe44f420367
SHA512 f593ad314af0f28101dd15c46662a68ad1f5156b49a62c84c69829b5af8b4aaae00b8ecdc3fdd88687ca166b58f3589acb62f4f3233b7c11d0bd4dfe34f5da15

memory/2772-21-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3732-37-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3732-40-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3732-42-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 f758a1efd227aedd6fdf7c48cb91ee02
SHA1 43f4cacf0fc43862ca51ab63db12524064cd779c
SHA256 0916cfd5a9d2661af99f4cb6b69a6da827da3a071b63c8dbfda55e286052b901
SHA512 857db1bce8d31bc051a340642f4310aed959fb5a1c8d267f58bb12ed900ee49097f6e64112fb367d9c74fe8084ff20d8822a5c1d3f4cb59157d4a14f8f4b8aeb

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 17:37

Reported

2024-06-25 17:40

Platform

win7-20240611-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatfor.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatfor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\259417447.txt | C:\Users\Admin\AppData\Local\Temp\R.exe | N/A
File created | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Users\Admin\AppData\Local\Temp\N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Users\Admin\AppData\Local\Temp\N.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\N.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1968 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\R.exe
PID 1968 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\R.exe
PID 1968 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\R.exe
PID 1968 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\R.exe
PID 1968 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\N.exe
PID 1968 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\N.exe
PID 1968 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\N.exe
PID 1968 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\N.exe
PID 1968 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\N.exe
PID 1968 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\N.exe
PID 1968 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2152 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2608 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Windows\SysWOW64\TXPlatfor.exe
PID 2964 wrote to memory of 2608 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Windows\SysWOW64\TXPlatfor.exe
PID 2964 wrote to memory of 2608 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Windows\SysWOW64\TXPlatfor.exe
PID 2964 wrote to memory of 2608 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Windows\SysWOW64\TXPlatfor.exe
PID 2964 wrote to memory of 2608 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Windows\SysWOW64\TXPlatfor.exe
PID 2964 wrote to memory of 2608 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Windows\SysWOW64\TXPlatfor.exe
PID 2964 wrote to memory of 2608 | N/A | C:\Windows\SysWOW64\TXPlatfor.exe | C:\Windows\SysWOW64\TXPlatfor.exe
PID 1968 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\HD_3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe
PID 1968 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\HD_3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe
PID 1968 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\HD_3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe
PID 1968 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe | C:\Users\Admin\AppData\Local\Temp\HD_3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe
PID 2768 wrote to memory of 2536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2768 wrote to memory of 2536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2768 wrote to memory of 2536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2768 wrote to memory of 2536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe

"C:\Users\Admin\AppData\Local\Temp\3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe"

C:\Users\Admin\AppData\Local\Temp\R.exe

C:\Users\Admin\AppData\Local\Temp\\R.exe

C:\Users\Admin\AppData\Local\Temp\N.exe

C:\Users\Admin\AppData\Local\Temp\\N.exe

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe

C:\Users\Admin\AppData\Local\Temp\HD_3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp

Files

C:\Users\Admin\AppData\Local\Temp\R.exe

MD5 8dc3adf1c490211971c1e2325f1424d2
SHA1 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256 bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512 ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

\Windows\SysWOW64\259417447.txt

MD5 1c1023892bd67a02b8f83868b581ed9c
SHA1 fb90ef876ff3ca285427ad1420175c8ad7b5b053
SHA256 286ec5d1bcc046506998e8468b104d4e11dbfcefe024dc3be48fe6bdc84d8dc4
SHA512 bd1463895eab12c782dc7059ce42531b4aa19deb42f6224dde117a12e40c4551691cbab302c3cef813d576d38be481c22d085383b9d25de760e3e8809b4ff073

\Users\Admin\AppData\Local\Temp\N.exe

MD5 4a36a48e58829c22381572b2040b6fe0
SHA1 f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA512 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

memory/2152-14-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2152-16-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2152-17-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2152-15-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2964-26-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2608-37-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2964-36-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_3387862dba9a68a5279dab6f13eb4c4b7ac550dfc4f6330090d5b7ce2d2a3d89.exe

MD5 587d8e067ad8e98a15db27237cc39ca1
SHA1 e47c17099a6e2501267d4d13243e1048b2bc9932
SHA256 61b92b044fd3f3445f98d88bd68dfcb1e89690bba0129de48ee6afe44f420367
SHA512 f593ad314af0f28101dd15c46662a68ad1f5156b49a62c84c69829b5af8b4aaae00b8ecdc3fdd88687ca166b58f3589acb62f4f3233b7c11d0bd4dfe34f5da15

memory/2608-41-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2608-45-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 f758a1efd227aedd6fdf7c48cb91ee02
SHA1 43f4cacf0fc43862ca51ab63db12524064cd779c
SHA256 0916cfd5a9d2661af99f4cb6b69a6da827da3a071b63c8dbfda55e286052b901
SHA512 857db1bce8d31bc051a340642f4310aed959fb5a1c8d267f58bb12ed900ee49097f6e64112fb367d9c74fe8084ff20d8822a5c1d3f4cb59157d4a14f8f4b8aeb