Malware Analysis Report

2025-01-02 15:09

Sample ID 240625-vtp53asfka
Target bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d
SHA256 bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d
Tags
gh0strat purplefox persistence rat rootkit trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d

Threat Level: Known bad

The file bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx

Gh0st RAT payload

Gh0strat

PurpleFox

Detect PurpleFox Rootkit

Sets service image path in registry

Drops file in Drivers directory

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 17:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 17:17

Reported

2024-06-25 17:19

Platform

win7-20240611-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\HD_bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\HD_bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2036 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe C:\Users\Admin\AppData\Local\Temp\HD_bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe
PID 1388 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2792 wrote to memory of 3068 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe

"C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Users\Admin\AppData\Local\Temp\HD_bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe

C:\Users\Admin\AppData\Local\Temp\HD_bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp

Files

\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/2036-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2036-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2036-9-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2036-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2792-18-0x0000000010000000-0x00000000101B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\HD_bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe

MD5 b161d842906239bf2f32ad158bea57f1
SHA1 4a125d6cbeae9658e862c637aba8f8b9f3bf5cf7
SHA256 3345c48505e0906f1352499ba7cbd439ac0c509a33f04c7d678e2c960c8b9f03
SHA512 0d14c75c8e80af8246ddf122052190f5ffb1f81ffd5b752990747b7efcb566b49842219d9b26df9dbe267c9a3876d7b60158c9f08d295d0926b60dbbebc1fa3c

memory/2792-30-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3068-35-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 d7d176fb6473c7b9c9abb21722afebdb
SHA1 80b92220aa97bff7c6245cfbe098cc3f159f8bb2
SHA256 5bcb77fa2c5abbf6753f046a5638251d4bb0c0f6e4ee92afb791d99f57aff39b
SHA512 87fb0695cc86247ad9936fee875b60d76340bf7ac162b1ed9d4cd04e210cd2ffd559285695a8bfc23a147c632f1828e678fbb6b65003202f4657f1a9a6594944

memory/3068-73-0x0000000010000000-0x00000000101B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 17:17

Reported

2024-06-25 17:19

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\HD_bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\HD_bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3312 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2984 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe C:\Users\Admin\AppData\Local\Temp\HD_bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe
PID 3260 wrote to memory of 4556 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2904 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe

"C:\Users\Admin\AppData\Local\Temp\bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Users\Admin\AppData\Local\Temp\HD_bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe

C:\Users\Admin\AppData\Local\Temp\HD_bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/2984-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2984-6-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2984-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2984-10-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3260-15-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_bc8fa17932705dda2d094c42fff6f52c753666dde4b26f441c762201df91342d.exe

MD5 b161d842906239bf2f32ad158bea57f1
SHA1 4a125d6cbeae9658e862c637aba8f8b9f3bf5cf7
SHA256 3345c48505e0906f1352499ba7cbd439ac0c509a33f04c7d678e2c960c8b9f03
SHA512 0d14c75c8e80af8246ddf122052190f5ffb1f81ffd5b752990747b7efcb566b49842219d9b26df9dbe267c9a3876d7b60158c9f08d295d0926b60dbbebc1fa3c

memory/3260-27-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3260-16-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3260-19-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3260-13-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4556-28-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4556-32-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4556-34-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 d7d176fb6473c7b9c9abb21722afebdb
SHA1 80b92220aa97bff7c6245cfbe098cc3f159f8bb2
SHA256 5bcb77fa2c5abbf6753f046a5638251d4bb0c0f6e4ee92afb791d99f57aff39b
SHA512 87fb0695cc86247ad9936fee875b60d76340bf7ac162b1ed9d4cd04e210cd2ffd559285695a8bfc23a147c632f1828e678fbb6b65003202f4657f1a9a6594944