Malware Analysis Report

2025-01-02 15:09

Sample ID 240625-vl8bnssclc
Target d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48
SHA256 d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48
Tags
gh0strat purplefox persistence rat rootkit trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48

Threat Level: Known bad

The file d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx

Gh0st RAT payload

Detect PurpleFox Rootkit

Gh0strat

PurpleFox

Sets service image path in registry

Drops file in Drivers directory

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 17:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 17:05

Reported

2024-06-25 17:08

Platform

win7-20240611-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2396 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2676 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2872 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe C:\Users\Admin\AppData\Local\Temp\HD_d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe
PID 2756 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe

"C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe

C:\Users\Admin\AppData\Local\Temp\HD_d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp

Files

\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/2396-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2396-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2396-12-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2396-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2816-18-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2676-29-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2816-28-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2676-30-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2676-34-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe

MD5 fb250b74d6a2578bc29b980691b23933
SHA1 cea1e9726cb2da673ad74f0d235e3f203f904b5a
SHA256 c7fc5541c14427aba1348412b9d251e5a8d895aa7168fd04437194f0073affb4
SHA512 5d296c79497a74e4c48d02430b2d7c095deab457d646f8b5d1b8a03118c74d8ec73228421b1c35cd4a5130fd4af7bad38b086b8abf693121b9257223c97d0c43

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 48d5e69ac172bb47ac7c75cf0edf9ac8
SHA1 2392fdf0b15728126067a56b9c41e6684bf7c67b
SHA256 1c40909f89d241192aef118e2bb4945fb5a17742d79bf92be3ab6a3381ab9177
SHA512 3b5eb6f5b255082c9a208adb8d7898bf5947077e18c5ecc39bce9399d26e499c60d76efdd1c740416b2321907a774b3198fe243f54a531ffda8cdb335d43f1b0

memory/2676-75-0x0000000010000000-0x00000000101B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 17:05

Reported

2024-06-25 17:08

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4864 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2440 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 3940 wrote to memory of 1320 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 4864 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe C:\Users\Admin\AppData\Local\Temp\HD_d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe
PID 3816 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe

"C:\Users\Admin\AppData\Local\Temp\d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe

C:\Users\Admin\AppData\Local\Temp\HD_d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp

Files

C:\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/2440-4-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2440-6-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2440-10-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2440-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3940-15-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3940-17-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3940-16-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3940-13-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1320-27-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_d7bf9badb5dfae2af0857e02b89a32b175d9114c2a62a4ba4c95da812a03ff48.exe

MD5 fb250b74d6a2578bc29b980691b23933
SHA1 cea1e9726cb2da673ad74f0d235e3f203f904b5a
SHA256 c7fc5541c14427aba1348412b9d251e5a8d895aa7168fd04437194f0073affb4
SHA512 5d296c79497a74e4c48d02430b2d7c095deab457d646f8b5d1b8a03118c74d8ec73228421b1c35cd4a5130fd4af7bad38b086b8abf693121b9257223c97d0c43

memory/3940-25-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1320-36-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 48d5e69ac172bb47ac7c75cf0edf9ac8
SHA1 2392fdf0b15728126067a56b9c41e6684bf7c67b
SHA256 1c40909f89d241192aef118e2bb4945fb5a17742d79bf92be3ab6a3381ab9177
SHA512 3b5eb6f5b255082c9a208adb8d7898bf5947077e18c5ecc39bce9399d26e499c60d76efdd1c740416b2321907a774b3198fe243f54a531ffda8cdb335d43f1b0

memory/1320-54-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1320-78-0x0000000010000000-0x00000000101B6000-memory.dmp