gh0strat | 04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23-09-2024 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
Size

4.4MB
MD5

f456e777aac7fd1e9a7792d719c4c9ce
SHA1

ac9822db803ec294fc8800d6b11577a35fd17306
SHA256

04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b
SHA512

694fa90adab1011c8f2b03c8590fc2acaf61bbee5f643be7fda81d264314f0d08f4e40b1df174d56b06b620a0d7661630d50f2153ff0a01196d1bd5ba32dc69f
SSDEEP

98304:Fws2ANnKXOaeOgmhDi/Q8EumB+ioj6qhRADQ9GS+:vKXbeO7w/Q8aB+iNqLB+

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 5 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/1908-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1908-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2768-49-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2768-53-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2768-54-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/files/0x00070000000195d6-6.dat	family_gh0strat
behavioral1/memory/1908-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1908-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2768-49-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2768-53-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2768-54-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259507897.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 6 IoCs

pid	Process
380	R.exe
1908	N.exe
3060	TXPlatfor.exe
2768	TXPlatfor.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2880	Remote Data.exe

Loads dropped DLL 16 IoCs

pid	Process
2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
380	R.exe
2840	svchost.exe
2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
3060	TXPlatfor.exe
2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2840	svchost.exe
2880	Remote Data.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1908-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1908-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1908-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2768-49-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2768-53-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2768-54-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2688-134-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-132-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-130-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-128-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-126-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-124-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-122-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-120-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-118-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-116-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-114-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-112-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-110-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-108-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-106-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-104-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-103-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-102-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-101-0x0000000004730000-0x000000000476E000-memory.dmp	upx
behavioral1/memory/2688-99-0x0000000004730000-0x000000000476E000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\259507897.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remote Data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
580	cmd.exe
2764	PING.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433242806"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0002494940ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb90000000002000000000010660000000100002000000036a04da367625e8f0b59f3f303810dd2704f96c83f2251d89ed7d2cbcb049653000000000e8000000002000020000000c9f0d0e3ea2759fe4ce9cafb971e4656d05e82315981402320d1edbd24141bf520000000dcabc899e219657ae712708d8e94232fccac686ac6c6e76d73b1bfe4a24578a8400000008516def9181974b689704fac64dc6593458fb0c62df0634b89d1a17a077acc3051975c3f5bc78c4b107ff626c48959e0a5e3cd389be8ba3c94224f4c24cfce29	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BE098ED1-7987-11EF-A9B2-6AA32409C124} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000d2cc5b191ff555efdea8178a1a8a97cee9df98efceba79de8d153d481bf69a65000000000e800000000200002000000081d64b665bfa4039d5c2e012511d001065bd98cb994bc27974fe0293888d3b86900000001145fa43591ef3d064481c147e10a12552f1ba5ffc5410f167ed1d9c4760e251a5279dd9ce8aeab2513d716c3a1e4dcbc8357b7c1fdf74d8e2842d98460e83d804684954af96cbcd1800f5423f68da4c605a6d31cfac4478ed18f8f2b69e8ca9ab066cad1885d704770f485c0af9ebcd245ab0e6abccf0aa0bf83d8070d49bbed440bf9d94a4e5b7e950a23e307707bc400000007fab75149b78920d0671b601a9fdf4b9814cc69646ffe30e9e328d67e8189774e64f2f2ece3b14332d7e65d857b7326239cb12ca3c522bba8649be3a5a840584	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2764	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2768	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1908	N.exe
Token: SeLoadDriverPrivilege	2768	TXPlatfor.exe
Token: 33	2768	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2768	TXPlatfor.exe
Token: 33	2768	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2768	TXPlatfor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1560	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 380	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	30
PID 2300 wrote to memory of 380	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	30
PID 2300 wrote to memory of 380	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	30
PID 2300 wrote to memory of 380	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	30
PID 2300 wrote to memory of 1908	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	33
PID 2300 wrote to memory of 1908	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	33
PID 2300 wrote to memory of 1908	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	33
PID 2300 wrote to memory of 1908	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	33
PID 2300 wrote to memory of 1908	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	33
PID 2300 wrote to memory of 1908	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	33
PID 2300 wrote to memory of 1908	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	33
PID 1908 wrote to memory of 580	1908	N.exe	35
PID 1908 wrote to memory of 580	1908	N.exe	35
PID 1908 wrote to memory of 580	1908	N.exe	35
PID 1908 wrote to memory of 580	1908	N.exe	35
PID 3060 wrote to memory of 2768	3060	TXPlatfor.exe	37
PID 3060 wrote to memory of 2768	3060	TXPlatfor.exe	37
PID 3060 wrote to memory of 2768	3060	TXPlatfor.exe	37
PID 3060 wrote to memory of 2768	3060	TXPlatfor.exe	37
PID 3060 wrote to memory of 2768	3060	TXPlatfor.exe	37
PID 3060 wrote to memory of 2768	3060	TXPlatfor.exe	37
PID 3060 wrote to memory of 2768	3060	TXPlatfor.exe	37
PID 2300 wrote to memory of 2688	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	38
PID 2300 wrote to memory of 2688	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	38
PID 2300 wrote to memory of 2688	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	38
PID 2300 wrote to memory of 2688	2300	04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	38
PID 580 wrote to memory of 2764	580	cmd.exe	39
PID 580 wrote to memory of 2764	580	cmd.exe	39
PID 580 wrote to memory of 2764	580	cmd.exe	39
PID 580 wrote to memory of 2764	580	cmd.exe	39
PID 2840 wrote to memory of 2880	2840	svchost.exe	40
PID 2840 wrote to memory of 2880	2840	svchost.exe	40
PID 2840 wrote to memory of 2880	2840	svchost.exe	40
PID 2840 wrote to memory of 2880	2840	svchost.exe	40
PID 2688 wrote to memory of 1560	2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	41
PID 2688 wrote to memory of 1560	2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	41
PID 2688 wrote to memory of 1560	2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	41
PID 2688 wrote to memory of 1560	2688	HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe	41
PID 1560 wrote to memory of 2176	1560	iexplore.exe	42
PID 1560 wrote to memory of 2176	1560	iexplore.exe	42
PID 1560 wrote to memory of 2176	1560	iexplore.exe	42
PID 1560 wrote to memory of 2176	1560	iexplore.exe	42

C:\Users\Admin\AppData\Local\Temp\04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
"C:\Users\Admin\AppData\Local\Temp\04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:380
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2764
- C:\Users\Admin\AppData\Local\Temp\HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
  C:\Users\Admin\AppData\Local\Temp\HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://qm.qq.com/cgi-bin/qm/qr?_wv=1027&k=YvcaPdSaGP2PMI3QygFPThsPJ02Zt5B2&authKey=PJ3Gq2FEgeB6fN4EcibTZU8Bm5iV2Vkyd%2FLjUQtyK1qtZp%2BNClXoG1%2BQDg8yeBG5&noverify=0&group_code=758890997
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2176

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:484

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259507897.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2880

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
b19a3e15544bb1f31daabe2939dae3d6

SHA1
3939da8849c035bcff127763bf4f13d681fef6cf

SHA256
6c6521532df9d2774edf4db5574514188b7211462c20774cfcee6008d3223668

SHA512
d4f9495ecc1cffe060aaffc48741de6a1154ea19e6648b1b165ff5c4eeda04828b2b8d2232b60c752adfbc7524b52fb86542e01dbab11a606b92b5b60535abf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72198cc8115901bfcb98f6dfec6049f8

SHA1
add8a340f8e70563664ff60f482d26d4e25dbd02

SHA256
d466090a6ce63e68f64a9972a5f779cb0c86752e876d24b0dd466036aa6dbe5a

SHA512
a7e3abf9cae8c66c741128b1567302ca2c972fe306fd5924fa807594faa07286563b1feed698257452b0710e2929247d7a5c976bd671bc228735f72dc01d75eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
517cdc2e6ff314192d20221226df78ea

SHA1
481902b719a21a6e18e3f8e98fcd653267e71a6e

SHA256
2792cc293501f021d8906f7847e605d7c12ab154fe2579b6b45f53a3f7f5c027

SHA512
77d67bda840f38133c4acafba9e99d4e55c47492445f309093280842db0ff64d57dad269d558819817b88bbd896c7456b03d0914485de36e8d97e600a552ac3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5000a9a6230b7c074be5f699fd8bb3c3

SHA1
db9e92185a7ab139de41650889b6c5b3181c7dd2

SHA256
22930a1474422c6eab588678739726d68e4a3e535bcb989889642cfc10e75b8b

SHA512
5adb27324567f8535a12f3648c23bc757d6356e6528fbbcaf84061a089761da82bc6dd6752a1bf3e6a3d6851e416105d7ffd77ea840bf2b9ee0fa6d3959a83d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86af3a359e3c09f8352e58f797fb4991

SHA1
59da6c1adb2619df2fa4e80586a8c5f54b7d3aa7

SHA256
e93717f8f3623a2a4d92c4ba60d978853e87216a97765594d63578c9bd3b7d53

SHA512
be49c13caadc9db1b42917780372f792b05ff1b6b1a8d0b336036aedf869279a775dbab0ffabce5657d857a6d4029765851206fe213fb72e2408799f166254f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df34bbd6e2a76592c5d432013a06807f

SHA1
3cf0c30755850f697274edbca599993c2af72708

SHA256
0dddb4b80cf69a44fc27186151b233396d39375fb742ba06c0e6719fa9e8bf85

SHA512
2646b9c00d86c72337240945beb937235c1747c757e40f0678c3954378b637ee7c706f2832a81b4ad46343050d8cbcc01203d6ccd9e9c533aa7e783757d6d840

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acba570faee9eaafe83d1a2496288e64

SHA1
cca23e41fa3bd456f7cca5444e9f4e55cfc06673

SHA256
f3a588a20197d81e5342a02a1925b190bd11368068069d2857595f5255d2319b

SHA512
c39efeeffce20ca9cca69dfc51811a4f1d6ec24d0e05e09a913fdd27bc6632421f8b28294c5062262729978fff9d4182086093b4abe3de5caccef9eac20c13ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
968584fc2e2bd024eea51b4287b35022

SHA1
31c33499bc0d190c0afb897eea7b13faa48e1932

SHA256
cda7dbb76ff18123df04ae12385837688f90c39c4de252ed5641403ac59aa9ef

SHA512
51c043e89fa18b85f66771486d9aa1bf7deac3570b5cd0cd21b125084b4da222e025f58dd3612e3627572756967fac7890a99212636ea77ce3e9cba8bc98a6e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c36fcc40e2a05b33119c43aa58d47f7

SHA1
3381343233763a762041bfbef40bd9968c904cf6

SHA256
e1fa19305c7fb94ac918a920ea2443204f5fb09bcd68ed889a88159bfa086851

SHA512
5b816bfe10320f9bc1674794604a10c77d0807d4622bcde941af1d360513f34d0c1bb872fa0701de51fdf261903c5f8a22b20c64e097ddbd714dd7fe1e9cb4f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
523382ae7cadf8d08eec99cf0fddf67a

SHA1
30452e0b3d4b738af6e7a018bae100c129562f8a

SHA256
9902a85b5e5fff5126d30410ba69f3593ffa2c3d95abc6ebabc3895146e7d274

SHA512
fd7998c9c8caa8aa99492d55a02bef4250832c13755cbf6d54149ffd1875536c8b2e96cd3deb0725babfba9c6f50e70b14c37e1da6a1913de0fd4d448c50fe06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c251df0c1bfc230ee0d6d79121fc6f53

SHA1
dda91ec95fd7922f0e6842f4bda24cdc463f07b3

SHA256
9ab8ac3d93e367cbdfbd3d1bcca00592adad37e8245f694cae4a4b6a02c78763

SHA512
798647c517dd1bfe8004b7795194608fbc1b226bc0c0e017813e1ba7fb1076ef2e8c3e9b7e818421b4d6faa92d070e5ebc4e9372ecb6a9d2c56bd7b7a6a84064

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90ae41743f502e981cdb612ce07548d2

SHA1
5acb852db51efd714d6c34591c18dfffb558ad26

SHA256
262ed2b58e1de5eba4123eb757a799e322cec4cebd24dd771b739119a64aa2ff

SHA512
5c9b508b3fb758791982e75caffc7fed0f615c81efb12db8dcfe918b3561e7b4dd922cedc523a822c623335dd72c1adbe88e61a1602e8d5cbf56e6768c35884e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4addd5d28a7e745ac102b95b963aa37a

SHA1
7c5776a7fb526f024944ddce2236a3129ee21b20

SHA256
a7e5fb40265e9c6fd901acb0a0073fc64e904b694b12a051d62f6446a6ccfd57

SHA512
65a780033b87a4dbc3c85bd6184192ddbd091d876a03bd8989da5f76f9fd9a21d4ce7965faf4443c1fa32a70b71ae7c8c585dcbe07f8cc72948ba49e55eee7f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5b7e5171a94f79b3498ae6040d9c256

SHA1
3b565ff9823ff1701485c4b25fd5c586280d51de

SHA256
f246f017144cfeece5d170cbf9b3f78fd50bfa4796af506bbdc99c830f3eb867

SHA512
b68f4effb5b689ebb5419c587902340dd96b1b06c220515b9e4b86b2dc8c18a13ebfc746ba009c9bf58c7a502a23a36b5be0fa877c5848998b362ab214842ab7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
139f469447e90d39efa70c651a1042e9

SHA1
e1c099c1ae05c4d344101d3938a1f26bd4488017

SHA256
65ac556d90f981ac8c397f4faf6efa7ffad47ac529d3e09b4038a5578e45111f

SHA512
c5023f38cbd5745ca1180d5dbfa7172167b5b5f28aa0f95d0e2142f46e1521b3f3d9f387193ce816ae49d540d6306c9b512c56c96ec8bcdc21fca9a6f40bfb5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b6ec0df090119b164d3d39b54608511

SHA1
4c4179da325b5c7e8081f912a5f5eb93c88bbde9

SHA256
3c7791e0ea6b3188f24132c95f05e0fa004db2a63d14773973ed68484104c5b9

SHA512
7e1a3911eabf5a292cfaee94389b65be2db2ca24e80bd04c0c1dd69b8a842e500ad40ba598192d740e2056ef1dd2aafb1bba165c67ea5596428965b1d0b1d893

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2cf79527350af361982731eea2f5663c

SHA1
08dac6526295b8d29ddd8b66181b294265a6d7cd

SHA256
b7d6026c93bf19f527d3d349ce3c2743913a185552ba294dd180ab02acd645dc

SHA512
dea00401f0f13e03df1ba41a46f40b6cc84c24f5d0a83ceef843a09b5a8c8c05e88d210c19608e15103d2dd9a4dce66f6c2594bab014a44c400b71bd55f33e68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f4f65ae8c9609f9d623b2ac19506fb8

SHA1
8ee116a798c604139b861c812fbe971d9aa5b3ff

SHA256
0fb360333187967c1111efc75cd472149d2695bb866bbf305b9fb6a15f26d978

SHA512
480c517a87ae82c76e75826ba000eb6b654d3b5e068d95e7a6083b9f55c75099c32f0bed13e441e07c4443c9192f8884c3a92ce8981b62bb34dc02c91a08d256

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
645216b5a4a028f2f3b8f68546c0e2de

SHA1
cba602d9f8ec9685f589d885b648fd8d9daa2869

SHA256
0ea4e382800b7b530feebada3922e0b38d07c048a710acbbfcd79e954aaa5dbd

SHA512
7b3768e665c52308201f3a35740110313244dc74be162648b85d977783a94addd9e6c9f3eaac7898128688a78262a4d6eae8ffbfdfa3501c35eb1b56c755ad37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
556236a82c23a651c10c622fa91a8f20

SHA1
e1f2c89ee6d9a4f68e6d8ce79651a47ff7ac9fb8

SHA256
64abbe45c938fdc58d108dc786549deea7e8aebd281a99ffa647d1777a3f708e

SHA512
87c3f32096f36e161df6131f04a61d30319fd1a0314522ba8f09cb02091b2b74588e4de4e587fe34bf28481f6cad6b3ab1bc24dc073ea3e662dbb089988286ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29aec82d0f717c8fa217171b3193705f

SHA1
fa3ef618bedd35f730d700669efca4c8ea1bc475

SHA256
19579ea4c8e7e0eaeed62c033f56e1da93f9634433bc8e71d8a932cb309b8bec

SHA512
6fa2efb1471cefef6cb9d105364a2e87fd91bbbdd25251bbd2a85d38800e94254d7e5e29c590105c055165e3da7ab56e72a451fa9690088bf5190ef50652e41c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49e3221663233d7e5b455f80f046f376

SHA1
03ba1b028daea60d8af1c4e012f2197ccc314745

SHA256
1a8bc389b22332c08e0a77fbc808fc4d8f35072f121778a567d0692cf68b04dd

SHA512
86f6c295b028c97638ac15efb618e732464da9191d7eb5cab3d0127877518efaa07f8c44f1a8f9a6ad526b8b3c9b909338f17f5d3e54bcf57aeb396975e5a432

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
627744d3821b7e65a57c23cf4d9ed819

SHA1
72ef482aedcbaa63263c15b973fc3d0235edf976

SHA256
c82a3c20e60681f094900139f5fff49c8619dd2139a4efea098b12212fd388ff

SHA512
138c3a0414deb48355e24049444f42a996e2531dd5012703931cec48be36b8d5b4bb9e9db94bc30d26d851b9f0b2d6a0bbc501c5bbddb36ec2e745cd9c099434

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c22a13f46d68904deab96b6b8f3873a5

SHA1
bb6b906acde20470bb06926fe9393eb6b3513f37

SHA256
5701623214097ab786454df7a0fdb09fa922d1306a7f7aa05833bb27313b603f

SHA512
9569df1bb4e0b3e1379fe783e010e116eae18d8fb177bd8e6e5b793fe3ec748a2a32f254fecb8291e3d2348a689c741db97b2c3eb8d0a6cf847e5d244ce63bba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
862bcc7f32396d17e2f2cc83fc6bead7

SHA1
b598f07a18c730f34f688f937fab29cc75b8864d

SHA256
bac5ad74e905afa212239f7c2e34dfaf9425e0863647650842d790c89613b6c5

SHA512
454f7839e82e108dda5ec57e509937e4690b841837b19ab319345b5cdd12df540d50a34729e0953d3d080a2c51fe27b5b03a87d733bca48ae86c55fdc7b1d776

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a78a32944f316659039ac7bf1af0ea25

SHA1
e4d96e4fe044e31b97dffc53fe5af0c50022107d

SHA256
647b23371547065557a107f008efcbb0eaaef36895d5caf6dd5d955e8f204d01

SHA512
0c496ed49ecfa03887b0021eb62b156f535a9e46bbff63ae32447a6b3635d3c7b1700bae8ef212cade6a4ddb3c4c64f0b742792e61cee9be218f9bded189e075

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29613997f3b59969d0e7ee4af77b4bdd

SHA1
8a862fd902989087782aa130f8e20a97f2225603

SHA256
bd826f8e4bec12b9a6047c93e16b2cc520b61d2696dd6e654c79339983f21f99

SHA512
8b70118a17a1fcbf6122400cb76bcd15c7b5dbc2197b596c9cd7c17d0e604fab6722fc1268fdd0038a5b3496ae01c556e5ad32022332bdb0852257ce40d396a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3724188a0b16fc15e7fc3d0eb760e0c5

SHA1
e4fd25fcd2d8735bc422f110c7611f44da98b476

SHA256
2df49d3d36ef5e1bea16dbbfed1dd4f6ce2329625db5d302e1a746c147aad853

SHA512
3d9434d74594cbbe8eef94801b4d3f0758436d9e5e757c96ebf7d1571f48870b2ea5d2a241f40aaa62c448b7cdf970bb63a70cf3724629142ff0c13dc9c9fc16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11c2330a70c0e2f6cef5bf6b669441af

SHA1
2381ee51569657e0553116c20ee6d300c92b523b

SHA256
3725767f3f1914790aed7056eaaefeb8c3355c2173ed95a9836c9a9376c64579

SHA512
03ac259e0e99131db06a6518515532a9551e7528eeb8aad8e4e6b49778c32206305952ee44f0c875a9f052875d524750d91a8fe534e417dedade5ca8e6ef6331

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0015242c50d86d3d1b915a53fd4b1df9

SHA1
088e25b99a4e39f414e54193a2fe06530f1c87ff

SHA256
138343e82638bab9a020ea78c12bde34c220bb0ac38755033ca8b7ddafdbcac1

SHA512
21b7f1f8f3900e748658ad92df5668e07549be5a3288f92d48baaa9a797b04ca7af7a50bad1b2b4ed84d0a6a2cc3a4275ded06c616d8be1bf2707f0305198bb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
070409ebbfeca996aa245e5d12ca28cb

SHA1
8142c16025c74e32810eb6f50099a3dd32408c93

SHA256
6da81dc27f6d35af1471d1343b8a136fb70c6d20a5f05d11d14771a7f1adcbc2

SHA512
f42ea77c1054a5f3db5accfb113af5df12be7cdfd7c9274e3f9babb53f855e3a5c5fe4aeefd33a23ba79359f1bfcd6a651c2df9a562f13853b09f6c41ce46eb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
25f5c52bd3e12f53975204d0b570eb0b

SHA1
df05ad02acee5ce25ce26b057442d651337baf05

SHA256
8d06d1b92471b8da7960c6777c7ccfc8faa4cd95f3dfcaf15c6d3b16727863a1

SHA512
25e1d7e49f84e60afc873429f211c8ed3cc7f498aabe1f20b8cd861495ae2023bc36694ce6c72ecb7e1d759e7c9246c29058c096226abe84e310a6bbc5eae4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB49.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_04edc9338ad0f32be4ec24e21712717596a9a533e174cf58e2a719208b92a90b.exe

Filesize
1.8MB

MD5
1998fc1203ebfd3c12ff9498e10e45af

SHA1
838f5566295ab75d9793db808946bd4948145b34

SHA256
3787392e06a0197ab080e448aa38106bbeedbe1ef3892ce40be2fced7935fd5d

SHA512
0f5232c3a21c387f86ea3aeea825908ebcdaad67ddad7568218f2de428014d02b93369a7f5f9aad84b2a5857196eb227e8847dbea2d17268c27b695204afa89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
2.6MB

MD5
a5bff7a5628d8b0e96de59b66f254037

SHA1
7a0de2ece695589e94130128c21d7bfb36372cb7

SHA256
32336a774f198be9bc5fa107e712a427b64ab1ac25fd3f0995d2c5da6669755a

SHA512
63e8863bcfa17e38a25ed3f13939a19084f7a971379b702870a23a499107d0883e4a46bbd8f2dff6f3d4efd13dfaec8e853ffd7b5be4931f60caab5bdc1d4480

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB4C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\Remote Data.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
\Users\Admin\AppData\Local\Temp\·ÊÒ×Í¨1.0.4\EThread.fne

Filesize
60KB

MD5
206396257b97bd275a90ce6c2c0c37fd

SHA1
3cae4506a033cf7e97156d5261f2a247c6270f42

SHA256
64eef86745d7ae0168fec357099e2e952ce74ee19576d06cc8c8c65f210cc22c

SHA512
4c23e52b5b23b305c3172e01dd205e15fda8f20f8b60776ba59d080bf05bbbca456a0ed232f2e2a2bf01d32efb913063f89fb4928bc4d5d1c1eb4c4979803455

Download Submit
\Users\Admin\AppData\Local\Temp\·ÊÒ×Í¨1.0.4\eAPI.fne

Filesize
308KB

MD5
7c1ff88991f5eafab82b1beaefc33a42

SHA1
5ea338434c4c070aaf4e4e3952b4b08b551267bc

SHA256
53483523c316ad8c022c2b07a5cabfff3339bc5cb5e4ac24c3260eea4f4d9731

SHA512
310c90c82b545160420375c940b4d6176400e977f74048bfe2e0d0784bc167b361dc7aac149b8379f6e24050a253f321a6606295414ea9b68a563d59d0d17a48

Download Submit
\Users\Admin\AppData\Local\Temp\·ÊÒ×Í¨1.0.4\edroptarget.fne

Filesize
156KB

MD5
ca77aec89bd2f81bbef77ff26b88148a

SHA1
27e8eb70f218d5d085344fce21653dc31e0dda29

SHA256
1eaf42e6c734eb332f0edf7d3cf7c408f72b3267ae5408675d3604a6b23319d2

SHA512
985592f5a0c5916b1dc83079f17abb0fb4fb20aeb8b9a9d6ffd1b196eeda45d5d2393654cee3e6c1405d431f2fd55403ce734d75a948fdc56fea2d67217067cf

Download Submit
\Users\Admin\AppData\Local\Temp\·ÊÒ×Í¨1.0.4\iext.fnr

Filesize
204KB

MD5
856495a1605bfc7f62086d482b502c6f

SHA1
86ecc67a784bc69157d664850d489aab64f5f912

SHA256
8c8254cb49f7287b97c7f952c81edabc9f11f3fa3f02f265e67d5741998cf0bf

SHA512
35a6e580cd362c64f1e1f9c3439660bd980ec437bd8cabbdc49479ceb833cd8cb6c82d2fb747516d5cfcf2af0ba540bc01640171fbe3b4d0e0a3eeeaa69dd1d9

Download Submit
\Users\Admin\AppData\Local\Temp\·ÊÒ×Í¨1.0.4\iext3.fne

Filesize
384KB

MD5
d2a9c02acb735872261d2abc6aff7e45

SHA1
fce6c2cf2465856168ea55ccd806155199a6f181

SHA256
0216a0f6d6d5360ab487e696b26a39eb81a1e2c8cd7f59c054c90ab99a858daf

SHA512
c29a0669630ddf217d0a0dcd88272d1ec05b6e5cd7ab2eb9379bdc16efbc40a6c17cfd8a5dba21ce07060d54a2a3d8944aaa36a3b92e8025112a751d264a897d

Download Submit
\Users\Admin\AppData\Local\Temp\·ÊÒ×Í¨1.0.4\krnln.fnr

Filesize
1.2MB

MD5
1eece63319e7c5f6718562129b1572f1

SHA1
089ea3a605639eb1292f6a2a9720f0b2801b0b6e

SHA256
4bed8a6e4e1548fddee40927b438132b47ef2aca6e9beb06b89fcf7714726310

SHA512
13537d1dd80fa87b6b908361957e8c434ca547a575c8c8aab43423063e60cb5523fb1843a467ae73db4a64d278c06b831551e78ae6d895201f7ef0c5b162c1ab

Download Submit
\Users\Admin\AppData\Local\Temp\·ÊÒ×Í¨1.0.4\sock.fne

Filesize
40KB

MD5
71f62c3fa63521b90bcec93d988eea7d

SHA1
9abf04048357b03481b40d8aeb4fbc995f6c5c28

SHA256
dc64aefb6fbb939a8da4dd37ef8eb9ae324285546347bc1a130d73a6f60ac55d

SHA512
8d31026777e6a94d179045650dc283be0c31dbed9c512ff1318316b190ae9806293d31939ca348639b41d07eaf2723281740071a941737484c2dc7cce8b4d94f

Download Submit
\Windows\SysWOW64\259507897.txt

Filesize
899KB

MD5
a752356ad4cd006502fa6fe783145e61

SHA1
6b096d0b584d39ec8dc7ea05b40e8adf1279cc3b

SHA256
0a59d4e7dcca4a4d2a1de78b7586e042ec7242de9e84fe7452c27171501dfc7b

SHA512
b74295d8eb74908e08b3413de9328b7dc1f9845a581ad94c142a099f07f303b178d2d0a4e8e013f560e8243f73577b7709c9b1c35194d5182c363d21c07d7840

Download Submit
memory/1908-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1908-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1908-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2300-46-0x0000000002120000-0x000000000219C000-memory.dmp

Filesize
496KB

Download
memory/2688-132-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-96-0x0000000004600000-0x000000000465D000-memory.dmp

Filesize
372KB

Download
memory/2688-110-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-112-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-114-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-116-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-118-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-120-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-122-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-124-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-126-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-128-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-130-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-99-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-134-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-108-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-94-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2688-83-0x0000000003FB0000-0x0000000003FCC000-memory.dmp

Filesize
112KB

Download
memory/2688-86-0x00000000021D0000-0x00000000021DA000-memory.dmp

Filesize
40KB

Download
memory/2688-78-0x0000000001FF0000-0x000000000201A000-memory.dmp

Filesize
168KB

Download
memory/2688-74-0x0000000000580000-0x00000000005C1000-memory.dmp

Filesize
260KB

Download
memory/2688-70-0x00000000002A0000-0x000000000030F000-memory.dmp

Filesize
444KB

Download
memory/2688-101-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-102-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-103-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-106-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2688-48-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2688-104-0x0000000004730000-0x000000000476E000-memory.dmp

Filesize
248KB

Download
memory/2768-49-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2768-53-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2768-54-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download