Malware Analysis Report

2025-01-02 15:11

Sample ID 240625-wfb7qawhmn
Target 10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5
SHA256 10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5
Tags
gh0strat purplefox persistence rat rootkit trojan upx discovery evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5

Threat Level: Known bad

The file 10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx discovery evasion spyware stealer

Detect PurpleFox Rootkit

Gh0strat

Gh0st RAT payload

PurpleFox

Sets service image path in registry

Server Software Component: Terminal Services DLL

Drops file in Drivers directory

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

UPX packed file

Executes dropped EXE

Checks whether UAC is enabled

Checks installed software on the system

Checks system information in the registry

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

System policy modification

Runs ping.exe

Modifies Internet Explorer settings

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 17:51

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 17:51

Reported

2024-06-25 17:53

Platform

win7-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe"

Signatures

Detect PurpleFox Rootkit

rootkit

Gh0st RAT payload


Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259394546.txt" C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\259394546.txt C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
File created C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8FFE3571-331B-11EF-9586-DE271FC37611} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 309eae6628c7da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000591106d5361139617f630cce2d5895bbdfd6120e322c716fcacdc6c2c3255b08000000000e800000000200002000000030ed2d90c39b27dbc4aa16b8f0c24bb73b3baa3b9df913939961c518fe56170f20000000bc6b991b1fc81cae685797b2058b8c6b082fc9256cf0f47d12b6120796d7f69a400000009228376ec4a59593805bcad7240617da253003dabd0a1cbc64f90b32b7ae0d47109f8b02eb646dcc82422d7b85229f53979ab9db259ab2da38e1fe15cfcad15b C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425499762" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2388 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe
PID 2676 wrote to memory of 2296 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2812 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2648 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe C:\Users\Admin\AppData\Local\Temp\HD_10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe
PID 2572 wrote to memory of 2628 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2860 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\HD_10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2080 wrote to memory of 1792 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe

"C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Users\Admin\AppData\Local\Temp\\svchos.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Users\Admin\AppData\Local\Temp\HD_10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe

C:\Users\Admin\AppData\Local\Temp\HD_10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259394546.txt",MainThread

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://pc.weixin.qq.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 pc.weixin.qq.com udp
HK 43.155.124.49:80 pc.weixin.qq.com tcp
HK 43.155.124.49:443 pc.weixin.qq.com tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
GB 163.181.57.244:80 ocsp.digicert.cn tcp
US 8.8.8.8:53 res.wx.qq.com udp
GB 43.132.64.188:443 res.wx.qq.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 a4329177954d4104005bce3020e5ef59
SHA1 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

memory/2388-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2388-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2388-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2388-12-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2676-18-0x0000000010000000-0x00000000101B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\svchos.exe

MD5 3b377ad877a942ec9f60ea285f7119a2
SHA1 60b23987b20d913982f723ab375eef50fafa6c70
SHA256 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512 af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

memory/2676-30-0x0000000010000000-0x00000000101B6000-memory.dmp

\Windows\SysWOW64\259394546.txt

MD5 6f35436b0a3e409a9a74ed495decc1c9
SHA1 58db0c578e0ceefcb0a105502130f6e2f0f099c2
SHA256 59363397ec61f597289f2369a5a987905fffac06a20dbbd5145ba96c9d4fd968
SHA512 d6bed18679353a87059f8bca33d02e7af7ab775e608b742b613c5509dee7f96cbd89c0774e5586feb9267183f3f067b2503d2d17cd0a00a760039cc5b0cc2fed

memory/2296-35-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2296-38-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2296-40-0x0000000010000000-0x00000000101B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\HD_10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe

MD5 776fdc0e7331d3d16a6e2eeb956a52b8
SHA1 1960568f4f7d47966e9ce5e3d6fd646b129fe322
SHA256 caaa46d47506f6503156f4ada2543981741250468a63d54bc6a937818372f9c4
SHA512 e53e244770c249622968133b8b217c5084d8cd55dba2a047dd1317deef080c04afa96ee2c51a8cf77ea9449e5d0d322e043ab88773c42c3677f9ed1db1557b8a

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 dbc3b16cae3853aa6fe3fd899f51b4fc
SHA1 cb100b43795bde45358bcbcdd30e7a360d626e6d
SHA256 ae0b5dacd4f7a34fbdc50ccded67625003e1132a4ec0059d88ce7b70c5345a9d
SHA512 00de8de50bfba7ddc33d27b2d5d432162ec8c4323b80877a96e020e00487bfa0202307e26766682c1e30125fe3a1ed0d6d8f51c172de13b0dcb084d85210c86c

\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

SHA512 ff402d21603ddad9e3c6f6a68d6043ac92e3d1852ad58a3b460815481b550c41b1d83b1d0827aeb22010ea453327e05bab512fcaf033dd542882e16ac64d0f43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6dff5785ffa2893e0f5d4eb3287d7f9
SHA1 820793c6487d39236677c722566099ef8de9bafb
SHA256 23daa61cbd51b1a366e4fef1083e5cf88fdafcf2961587c2b087265fa7c00d4d
SHA512 41023b6a6ea8b96af5640005366c4c2eeb053f40dabc090512c4b06543f3af0ddc2a90f5e1028f31a99022bc37521cb2f1861466e46af194606993457bbf7c58

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 17:51

Reported

2024-06-25 17:54

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
12 matches, no description, indicator, process or target reported (N/A in every column)

Gh0st RAT payload

Description Indicator Process Target
13 matches, no description, indicator, process or target reported (N/A in every column)

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240617187.txt" C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A (8 identical entries)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe N/A
N/A N/A C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A (13 identical entries)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
15 matches, no description, indicator, process or target reported (N/A in every column)

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
File created C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Windows\SysWOW64\240617187.txt C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A (25 identical entries)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A (24 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe (3 identical entries)
PID 2348 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 2032 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe (3 identical entries)
PID 3016 wrote to memory of 2768 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe (3 identical entries)
PID 2032 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe C:\Users\Admin\AppData\Local\Temp\HD_10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe (2 identical entries)
PID 3872 wrote to memory of 3276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (3 identical entries)
PID 4912 wrote to memory of 3580 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (3 identical entries)
PID 1008 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\HD_10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (3 identical entries)
PID 1436 wrote to memory of 4784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe (3 identical entries)
PID 4784 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 4840 wrote to memory of 4492 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe (3 identical entries)
PID 1436 wrote to memory of 4268 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\svchos.exe (3 identical entries)
PID 1436 wrote to memory of 3080 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (2 identical entries)
PID 4088 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (3 identical entries)
PID 3080 wrote to memory of 2884 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (2 identical entries)
PID 3080 wrote to memory of 1476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (22 identical entries)

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe

"C:\Users\Admin\AppData\Local\Temp\10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Users\Admin\AppData\Local\Temp\\svchos.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Users\Admin\AppData\Local\Temp\HD_10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe

C:\Users\Admin\AppData\Local\Temp\HD_10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240617187.txt",MainThread

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pc.weixin.qq.com/

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Users\Admin\AppData\Local\Temp\\svchos.exe

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8e6046f8,0x7ffa8e604708,0x7ffa8e604718

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2076,9927368126352394801,7059862433199011064,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,9927368126352394801,7059862433199011064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,9927368126352394801,7059862433199011064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,9927368126352394801,7059862433199011064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,9927368126352394801,7059862433199011064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,9927368126352394801,7059862433199011064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,9927368126352394801,7059862433199011064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9927368126352394801,7059862433199011064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9927368126352394801,7059862433199011064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,9927368126352394801,7059862433199011064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,9927368126352394801,7059862433199011064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,9927368126352394801,7059862433199011064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2076,9927368126352394801,7059862433199011064,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1292 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 3.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
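A check worth running on the Network table above: the detonation queried hackerinvasion.f3322.net over and over yet never opened a connection to it, while tse1.mm.bing.net was queried once and then connected to on 443. That "resolve repeatedly, never connect" shape is what a dead, sinkholed or sandbox-blocked C2 looks like, and f3322.net is a dynamic-DNS provider. The Python below is an added example, not part of the report or of the sandbox's own tooling. It parses an excerpt of the rows above (copied from the table) and flags domains that are looked up repeatedly with no follow-on connection, plus anything under a dynamic-DNS suffix. The DDNS suffix list and the query threshold are assumptions for illustration, not something the report states.

```python
"""Beaconing / dead-C2 check over a sandbox 'Network' table.

Added example, not from the original report. SAMPLE_TABLE is an excerpt of
the report's own Network rows; DDNS_SUFFIXES is an illustrative assumption.
"""
from collections import defaultdict

# Excerpt of the report's Network table: Country Destination [Domain] Proto.
SAMPLE_TABLE = """\
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
"""

# Assumption: dynamic-DNS suffixes that deserve a second look. Extend from intel.
DDNS_SUFFIXES = (".f3322.net", ".f3322.org", ".3322.org")


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' lines into dicts.

    The mDNS row (224.0.0.251:5353) carries no domain column, so a 3-field
    row is accepted with domain=None. Header or blank lines are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarize(rows):
    """Count, per domain, DNS lookups versus actual connections."""
    stats = defaultdict(lambda: {"dns": 0, "conn": 0})
    for r in rows:
        if r["domain"] is None:
            continue  # unnamed multicast traffic, nothing to attribute
        is_dns = r["proto"] == "udp" and r["port"] in (53, 5353)
        stats[r["domain"]]["dns" if is_dns else "conn"] += 1
    return dict(stats)


def flag(stats, min_queries=3):
    """Flag domains resolved at least min_queries times with no connection,
    and any domain under a DDNS suffix. Reverse lookups (in-addr.arpa) are
    the sandbox's own PTR queries for contacted IPs and are skipped."""
    findings = []
    for domain, s in sorted(stats.items()):
        if domain.endswith(".in-addr.arpa"):
            continue
        reasons = []
        if s["dns"] >= min_queries and s["conn"] == 0:
            reasons.append("repeated_resolution_no_connection")
        if domain.lower().endswith(DDNS_SUFFIXES):
            reasons.append("ddns_provider")
        if reasons:
            findings.append({"domain": domain, **s, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag(summarize(parse_rows(SAMPLE_TABLE))):
        print(f"{f['domain']}: dns={f['dns']} conn={f['conn']} "
              f"{','.join(f['reasons'])}")
```

Reverse lookups are dropped before flagging because the sandbox issues a PTR query for every IP it touches, which would otherwise read as "resolved but never connected". In a live pipeline, feed the same two functions DNS and connection events from EDR or Zeek logs instead of the report text; the threshold of three lookups is low enough for a short detonation and should be raised for hours of host telemetry.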

Files

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 a4329177954d4104005bce3020e5ef59
SHA1 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

memory/2348-6-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2348-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2348-10-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2348-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3016-13-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3016-18-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3016-16-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Windows\SysWOW64\240617187.txt

MD5 6f35436b0a3e409a9a74ed495decc1c9
SHA1 58db0c578e0ceefcb0a105502130f6e2f0f099c2
SHA256 59363397ec61f597289f2369a5a987905fffac06a20dbbd5145ba96c9d4fd968
SHA512 d6bed18679353a87059f8bca33d02e7af7ab775e608b742b613c5509dee7f96cbd89c0774e5586feb9267183f3f067b2503d2d17cd0a00a760039cc5b0cc2fed

C:\Users\Admin\AppData\Local\Temp\HD_10b0d34e318f8c4654c098eb2647f2404cd52a38fa70b2590f106d7d99879bb5.exe

MD5 776fdc0e7331d3d16a6e2eeb956a52b8
SHA1 1960568f4f7d47966e9ce5e3d6fd646b129fe322
SHA256 caaa46d47506f6503156f4ada2543981741250468a63d54bc6a937818372f9c4
SHA512 e53e244770c249622968133b8b217c5084d8cd55dba2a047dd1317deef080c04afa96ee2c51a8cf77ea9449e5d0d322e043ab88773c42c3677f9ed1db1557b8a

memory/2768-37-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3016-26-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchos.exe

MD5 3b377ad877a942ec9f60ea285f7119a2
SHA1 60b23987b20d913982f723ab375eef50fafa6c70
SHA256 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512 af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 dbc3b16cae3853aa6fe3fd899f51b4fc
SHA1 cb100b43795bde45358bcbcdd30e7a360d626e6d
SHA256 ae0b5dacd4f7a34fbdc50ccded67625003e1132a4ec0059d88ce7b70c5345a9d
SHA512 00de8de50bfba7ddc33d27b2d5d432162ec8c4323b80877a96e020e00487bfa0202307e26766682c1e30125fe3a1ed0d6d8f51c172de13b0dcb084d85210c86c

memory/2768-42-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2768-43-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3016-15-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2768-55-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2768-73-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2768-91-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Windows\SysWOW64\主动防御服务模块.exe (GBK file name, shown mis-decoded by the sandbox; translates to "Active Defense Service Module.exe")

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 da6f027fde35af0b3bb950dc29091b94
SHA1 f2f33075cf52c88a97b106db4c49d4f9fda9f8b0
SHA256 ae0d458b2574ae97f54465ded0be97abf72813a305b96b230730b9fd4100f1af
SHA512 4fe409b1e1681f8dc2db74b1c6972393d1bac623670e492518a03ee70165f8a6d55a3834cbfd4a006409c7e201142be203960882f32061047050f35dd720f293

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

MD5 ad8536c7440638d40156e883ac25086e
SHA1 fa9e8b7fb10473a01b8925c4c5b0888924a1147c
SHA256 73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a
SHA512 b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56067634f68231081c4bd5bdbfcc202f
SHA1 5582776da6ffc75bb0973840fc3d15598bc09eb1
SHA256 8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4
SHA512 c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

\??\pipe\LOCAL\crashpad_3080_UXEXEKBYLPZJQKGF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1476-142-0x00007FFAAB760000-0x00007FFAAB761000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 81e892ca5c5683efdf9135fe0f2adb15
SHA1 39159b30226d98a465ece1da28dc87088b20ecad
SHA256 830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17
SHA512 c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\606abc5a-043e-48d4-83a5-54b8f00050a0.tmp

MD5 78218a3a8f322e8d15c0c49edff241cb
SHA1 96c585cd3eac8e6c5b862e0e83560c7ad6e0087b
SHA256 a47a5dcf396345c59c0660c55b237061efa6867bf5b6208065b9f944519f8fb3
SHA512 b2839291523cfb8c7463389fd5394fca75392e952d506e29fc034b64976dcd5a69f9160b7d8b0b3a2fb2d24bed62698f668017c5d5a6f66ab0b6f57b166a1aee

memory/336-175-0x0000027380700000-0x000002738079E000-memory.dmp

memory/2240-176-0x00000256EF100000-0x00000256EF19E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/432-198-0x0000025698AD0000-0x0000025698B6E000-memory.dmp

memory/4424-205-0x000002192EB10000-0x000002192EBAE000-memory.dmp

memory/4544-206-0x0000021C53E00000-0x0000021C53E9E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f61b6d4385ad12546fe3caa40547cefd
SHA1 b50b80ad4391be320a7a52c0f9eb4e90934d4b2a
SHA256 7a1fd2bba7f9db0d94c4b349d61b0dcf833a22048b3ff95ddf3850e00ff6a084
SHA512 b8179ed24fb72a304a5aa6c0b02c1dbecc1f5a70ee3b54e1cb32b08d3b322fcdce3bebe5ef6108b64adfccdccc150fcbe62fb4aa545809a61c1f89d0fed69833

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 494616f04d731446ea8dfbd8c501042c
SHA1 68e22baac8239290f0f3fe4fd2997f987ab54fd3
SHA256 61a6955afba902e4a02e10d2c58efb96f672e8cdc3188826d2734ed906ec7eeb
SHA512 3d9564bb0d7b420a80b41053ba8f9596cda3b5f43f2cd3dada4f6d10a64e29150f7228839d163bc88dc210d37fdb74b4ec33b88230f62a2f5abb868bf774fefa

memory/1476-225-0x0000022B2FCD0000-0x0000022B2FD6E000-memory.dmp

memory/876-226-0x00000181CFCD0000-0x00000181CFD6E000-memory.dmp

memory/2020-234-0x000001BFB9320000-0x000001BFB93BE000-memory.dmp

memory/1600-235-0x0000021381160000-0x00000213811FE000-memory.dmp

memory/1476-259-0x0000022B2FCD0000-0x0000022B2FD6E000-memory.dmp

memory/876-260-0x00000181CFCD0000-0x00000181CFD6E000-memory.dmp

memory/2020-261-0x000001BFB9320000-0x000001BFB93BE000-memory.dmp

memory/1600-262-0x0000021381160000-0x00000213811FE000-memory.dmp

memory/2020-280-0x000001BFB9320000-0x000001BFB93BE000-memory.dmp