gh0strat | 144d23c7ff003cb38e44dd814105e7a02306c7d7afeaa5a0836834f7769b5561

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe
Size

4.3MB
MD5

cda135f1512e01e2a92a5691f952c5bb
SHA1

89f31846a0614c57732c61619e2e10e57ffd2534
SHA256

144d23c7ff003cb38e44dd814105e7a02306c7d7afeaa5a0836834f7769b5561
SHA512

1e6158f1eafc88b532589b0d7015267454973db8bdfae8d3d2b797d4509782315f61aecce4b187322c6fe34456c437cdc137e8dddea740f2a35ab7df3c32a754
SSDEEP

49152:LCwsbCANnKXferL7Vwe/Gg0P+WhB+LnRuQ5fnDtTOgnmuKcwGFqV+DO+2a38VhQa:Ows2ANnKXOaeOgmhcYQ/KgnocFPO+S

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2776-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2776-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-40-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-41-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-42-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-45-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-47-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000800000001658c-6.dat	family_gh0strat
behavioral1/memory/2776-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2776-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2548-40-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2548-41-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2548-42-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2548-45-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2548-47-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259479598.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 7 IoCs

pid	Process
2652	R.exe
2776	N.exe
2580	TXPlatfor.exe
2548	TXPlatfor.exe
2668	HD_2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe
1236	Process not Found
932	Remote Data.exe

Loads dropped DLL 9 IoCs

pid	Process
2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe
2652	R.exe
2812	svchost.exe
2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe
2580	TXPlatfor.exe
2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe
1236	Process not Found
2812	svchost.exe
932	Remote Data.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259479598.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2776-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2776-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2776-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2548-40-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2548-38-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2548-41-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2548-42-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2548-45-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2548-47-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remote Data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2592	cmd.exe
1844	PING.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d052dcb5d91bdb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434811815"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000dc76373b72d352c752e6c5fd2da06a5b13da77f92de67e08d15df8dac9043d2d000000000e8000000002000020000000289d72aac48a7967f958ec8bc86d18c4b783d657123e4ad33b98a92682894e30900000009c0ea2d3283d16c3f40da7d620682bb6e28a20fd8b17805cf40c32b406d254f70d04462c49c942d61e06b55ac236f348ce16d4900f8bbbbcd9f3d7d29868dfea07cbe15f1099772f31231affe955ec1a5d88ce5df2c6af9794c578a1e4e516292f2237f1af16a17a29757aaffb608a44dd4458cb75c39dd83e48ddbc1f0e8153a3fdd7e1bd34c637c7b4cbb7a562a60640000000b2c31fab76fc63b560b1a881d5ca12a183b2558b5e094408380bfbb8b445c035b8c68f01d4d4089e53c3af029c8df2c47450a399812f4975d968b5b4d2f5a65f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E04996E1-87CC-11EF-9F7F-EAF82BEC9AF0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000003e00cee99a30f05953a001f27c088c56a582472f8a493177ad9799b23e40bc27000000000e80000000020000200000003432c497abd68914574645d97a893c868131aa3757818c982ef45a78f396df262000000021b44c2702a0edde6e2e51cb906fa3553dfb45e55577c8e7a6aff36ba21848f340000000e008b34e665f6742b76fb8dc59dfb7a45ae9920c4b2e8491754cb1d03cb756df514f245cdae9572888e78bfdde62b6170f39ad7d35913cdf5f5529389203bb5d	iexplore.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	HD_2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	HD_2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	HD_2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	HD_2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1844	PING.EXE

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2548	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2776	N.exe
Token: SeLoadDriverPrivilege	2548	TXPlatfor.exe
Token: 33	2548	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2548	TXPlatfor.exe
Token: 33	2548	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2548	TXPlatfor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2972	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe
2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe
2972	iexplore.exe
2972	iexplore.exe
996	IEXPLORE.EXE
996	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2652	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	30
PID 2372 wrote to memory of 2652	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	30
PID 2372 wrote to memory of 2652	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	30
PID 2372 wrote to memory of 2652	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	30
PID 2372 wrote to memory of 2776	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	33
PID 2372 wrote to memory of 2776	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	33
PID 2372 wrote to memory of 2776	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	33
PID 2372 wrote to memory of 2776	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	33
PID 2372 wrote to memory of 2776	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	33
PID 2372 wrote to memory of 2776	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	33
PID 2372 wrote to memory of 2776	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	33
PID 2776 wrote to memory of 2592	2776	N.exe	35
PID 2776 wrote to memory of 2592	2776	N.exe	35
PID 2776 wrote to memory of 2592	2776	N.exe	35
PID 2776 wrote to memory of 2592	2776	N.exe	35
PID 2580 wrote to memory of 2548	2580	TXPlatfor.exe	37
PID 2580 wrote to memory of 2548	2580	TXPlatfor.exe	37
PID 2580 wrote to memory of 2548	2580	TXPlatfor.exe	37
PID 2580 wrote to memory of 2548	2580	TXPlatfor.exe	37
PID 2580 wrote to memory of 2548	2580	TXPlatfor.exe	37
PID 2580 wrote to memory of 2548	2580	TXPlatfor.exe	37
PID 2580 wrote to memory of 2548	2580	TXPlatfor.exe	37
PID 2372 wrote to memory of 2668	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	38
PID 2372 wrote to memory of 2668	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	38
PID 2372 wrote to memory of 2668	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	38
PID 2372 wrote to memory of 2668	2372	2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	38
PID 2592 wrote to memory of 1844	2592	cmd.exe	39
PID 2592 wrote to memory of 1844	2592	cmd.exe	39
PID 2592 wrote to memory of 1844	2592	cmd.exe	39
PID 2592 wrote to memory of 1844	2592	cmd.exe	39
PID 2812 wrote to memory of 932	2812	svchost.exe	41
PID 2812 wrote to memory of 932	2812	svchost.exe	41
PID 2812 wrote to memory of 932	2812	svchost.exe	41
PID 2812 wrote to memory of 932	2812	svchost.exe	41
PID 2668 wrote to memory of 2972	2668	HD_2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	42
PID 2668 wrote to memory of 2972	2668	HD_2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	42
PID 2668 wrote to memory of 2972	2668	HD_2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe	42
PID 2972 wrote to memory of 996	2972	iexplore.exe	43
PID 2972 wrote to memory of 996	2972	iexplore.exe	43
PID 2972 wrote to memory of 996	2972	iexplore.exe	43
PID 2972 wrote to memory of 996	2972	iexplore.exe	43

C:\Users\Admin\AppData\Local\Temp\2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1844
- C:\Users\Admin\AppData\Local\Temp\HD_2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe
  C:\Users\Admin\AppData\Local\Temp\HD_2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://dotnet.microsoft.com/download/dotnet-framework/thank-you/net48-web-installer
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:996

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:2796

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259479598.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:932

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2924a6b6c7011eaa7afc09013f320e5

SHA1
0ad275fa9b27c0c37f6d13aa9041b036008f13b8

SHA256
508ef4eee809d83032ba2ab7e389afc14e4cd5dc3ee6de89b4fc2b56f32c740e

SHA512
96bad9c36f657c8408b75439d149e6279b6c1c036c1682d9dbe83dd3c92d03394e6d7bad2c22f31978e8ae99885d3383f6743424f4040656ad7206371551dd75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b9e3a740105ead99f97746b99b46c29

SHA1
5e421fca4a2e4b4ecdf0aa900190e0f050de8443

SHA256
d875683fe2b8cd4bd52fee01987aca8b7563ac5a4801ef40ff544339a4ad98e2

SHA512
04e8bea20d6fb98ce9c7e36bae3786bcd0413dff86ecc3515ea00027be05050d72a77c465ad1dcffde5b75e071e6a5a3340a14637bc41cd01ad501f4e0e44aae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
508a33532b856aec2e67c5143dc0ce60

SHA1
503135550ebbb6ade673873a429165109ea7b3dd

SHA256
e4ff249af47dce30f3e97b972745b11bd604e1b656b7bf9a166966ee3696a4ee

SHA512
9830f3e916abb17ed3b8af15adb855cc6d0cf18c3ce76ce813aa6ac3fc2c52b1b004b4a49c1e3df86d23a21a6eec611fad3e17155d8e4ee0ebdf30b5b1001247

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e26f1bbbc99049c1a76f8cac1398e374

SHA1
f4e59d55ea1275183b2ead2bd8a95171a5fac9e7

SHA256
d2a6d5c871eeec99370f4b047098d3384ea582c098f2ca760eb5221c895155b6

SHA512
bc8c2a3421db56e127d04a68d22cd574184c8c6712bd57f85dae7a4a40ec6e9d71de0a59d165b8d083eaa1c68ae8c3b4a33e69fc9d4a4d83d126d54600d3018b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f2608bbb13bba1e95ee000405064c06

SHA1
71206628c72fbf9880fdf5d46eb96a22e65e9a30

SHA256
6278a85ac3a55adbf5d25b6d218f78ae196b6178fe4a39aa809392cbf8870581

SHA512
9a95ccf3adcc3bf8076d939964cff5dfbf9a540206ef4b8a61526f8f1c5d7308e89a12d666f40496d1a9593e6b5c1a1616626f9b120b603eb85a2100138e94c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
536518096db7df210fe92097892ac35d

SHA1
f2b5617f88a3a62afc0773c5e62dc806b2da75c4

SHA256
6270a0ce8c75cb9449caba524fdc3314d78c68207404e7240645932f23a03b3b

SHA512
b2ce896cba9f16da09bb0c2de2a96b6b5dd913379017a94e81ef40018428937694e5ea37deb4dfd3166a5480c1cd8c6deb7c14da4b92e05d011cca949df40813

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cf059f92b0e4b842e97b0a819e27fa0

SHA1
159ac6a92f25db8aab7844941f8d1cdc92a4c5e8

SHA256
a96c02ebbae5dba38fbd903107c7f27d9bab44148e88e2410069c18aa10c2a3e

SHA512
41595596076880973692d85169cedc68b45cb0bd985f5fb6f066778f37e7bf0281fec86f77137f4b6e196ef897b4781b1c0a6efe09bb114720bc768b8daa5e5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45fb2105835b5cba6b75b542ee534d29

SHA1
abf8bf210d9b472e88d50e9becac6e0848412678

SHA256
b03a1df7da73fac7890c7ab036c267c82329952e0ab38fb9defeb30224a886cf

SHA512
1a9ff6bfa972b5f4669c4b28669aa42804bccc3916c9fd298bcb7b6c25cd506b7577ea22c4dcb658c8792534a92a33573c5044b858959a546aaaa839999f1e6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7fcd53c20a8d6b38315cdcaa9541ce5

SHA1
3bbe8db5156f10cd08f1608d15be20199507c876

SHA256
e2e556f46d7a74558c875e718cbc5467b051e153ea994b07ce7ffd0b8b0ce285

SHA512
e634ba96be9cb23dee37d651144006475985a0f90745bfc8e56a003d9f49eaf17ebab53e0977e7e9cc1c758d87163eb63b10f4c0e6b1d96f73fd8e2be2fda160

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
579046e430018055c1e3a2f498dffbc3

SHA1
77bc4183490c3334531343628209ec67a6b0b73f

SHA256
36c29567a76691bc538efa742d81978f99024348f0db7f2c68e10a7b6f2e8db8

SHA512
062d2703ce93269c92d77380918fcdaf7ecabdb158ca8688bd29f75c71928713d39463102e569e82642a9943ff80ffc9754bb482b27ed13ba9a740460bee2b4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb1e8b398bb310ed322a409e41dcac76

SHA1
39391e7673b0e1c2a528b92b0170365806b05034

SHA256
717bdf11117175faa49281e090d5ce619fce8bd95682d4c549cbafdae5741a62

SHA512
bc5ede69f13a64bb8fb290abac020839f20058247587c3b8f3a45cc609074322fe6f3437823125b1a129a2f5648039bca5f8dbf252b68b376f49161887f1cc55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2642fe770bb8003c51b71d518e9b4768

SHA1
2d4b1dda89a3c0ae4a19a7edfb6d01954d87f33f

SHA256
b99924e6bbd69e0bc8d2fa8c514035480fb95069309d84ce1a292fda4387df9b

SHA512
4eb488a73ad41a854a654f9449f9adc1ef5f06151d38bfdd7935e75e6984e3231dc685deaec4592d3e1a6943ced4cdfbccbeccce5bffb736923fc9202d34c210

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ab453bb6f91d44b9d464b9285b0fdde

SHA1
d32e0dabed1979bfa7b0e3bda32839b4b0101f1f

SHA256
c3296741221462febb5d4f86c88117736c159160decf8f2a97454fa1903d453b

SHA512
03b082832103e6612ed72bbdfac18bae1c4aa43585be95e3ad5959b2a96e51eb722f87c7cbd5807f00d62edc73e39bec39fde10c64e383826ec440a85fc7a32f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
917bf8b8cf00e80c94af55b2b348b833

SHA1
413fcbab43ac7a0ce0e86ebaa737f310ddaf584f

SHA256
1dc6bd2a7ac759d5e0961fa12d92c8a4a5e68509e3e3530a3d550f02d9efdd36

SHA512
e2dca111de4ef499cf7d5c1017a57a70d7e081316c71bd86a0657756154968471a6723fbff27ceab50af48dce6696845267ab5debec0e8ddd535d48c05093dd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08a42394edc25610956eca0f6da07d77

SHA1
818bf5005b10908a9ec3f8023595201dd63d7819

SHA256
1b1bc23f0365cb803fe5a61a06dccdf7c1cc7a510359aae2bceebc20745a97bb

SHA512
3b83a1813ac4aabab28807bfe3ee603a90ce8ab07c3f001388b2a2000c8dc463980b4846847a296ab21e1b7b70ea9d46e1b11cf7ba470d25f738169a981ad797

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c76cf30187741bc8324c4c46a0f0343e

SHA1
9b8fcd2d91941abbc02bee5d539fa29f112addaf

SHA256
8da0e4461654fc62ac5bb5a7aef1dc405a070aed6349ac0fe2883aaa6b6e0caa

SHA512
a90c9d0643681d55ce5947f5ddede40775cf02d47e850f161ad760530fa5595c3c2a49806a139731247fa5ae8386f8c389fdfa1dbfd3aa3b64a77950ed4817e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc1f09047c9ec5ba1a094a20cfe5fbe0

SHA1
92f5f2b192082b82f110d80ecb665afb624b70dc

SHA256
41b2011c369e47b7bf36bba09a126e1de6055c1da141cd862e15b9e7a51d9349

SHA512
7a6e743663224de2ca78bc4f486c907e9bd2eb48cc622c456d016534631f14a47d0a21bdf89f6b7d4fc484f01dfb20b0c31eef53dba85dd05b4a97b6fe79fa8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a31e339ea607691333ec4fc89fb41de

SHA1
6cd51284adb2104f0a077ba1d926c982bc9704e2

SHA256
ffca33a8298481a0ea6f7b305b5822bae02b9a0d0826bbace523bdc4d7a8e7ba

SHA512
bda5aa0c04f565968922edfd94b896bc276759ac3a0328529b9a9c752e0a9c94b93921d0608112ae094eaa9c56a22f93fb58682d66e9600a9f11065593197a86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58968732227555d043ef932e6b35a45d

SHA1
90a2ed59755fae9963d793f31f574e6efd5dd219

SHA256
cb1ca64fde1231a49146d1e0e5b04171b47cf885dbdc002f8cb0f01d729831cb

SHA512
73eacdfd21371f7a5b46a8216223d37f76755f2fe8697261ea1f5fa21b264072b3c079ce74b472700f804b7762e0532881c233c1765ea1c1f52c561352b7f9b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
638f0b9bdd9b00231e914fa36f390f98

SHA1
625748e406f59f0ac883eb8279e2439a035d3f30

SHA256
500ec0673cdfc07cc489b4f29a417f55f743423692bfe763717265b37c3bf326

SHA512
141f272f87b08b8d5c0497949aeb6a0f8ab8fa988a3dca6760cb5f1152856302d54af227912c6861818f3333836f7fb3ab82541e2a965c9f29308a8e8c7f75cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca4e7f4fd76178e7dc86ea8e9543e661

SHA1
17684b791be65ce037aaf7a9007014c29acaf98d

SHA256
61b5664a2ecd13be713b39edcf9d508920c63fb3cdcf21d6d4da5416119eb893

SHA512
cb7b43c6ad2a01404b71e28ad020542abc981236e60380365fbc2608e06d52359514f53c1caef14d10ea93657f98f9d858507f9e27c0f097761662febba1f36e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b376a0a4e86532344044dcd40a9bd518

SHA1
21d6274d0052f6afeff1dfeb289c0336b2b4b03c

SHA256
557fe420a1deb37790249278642239dcb8e614001876e43660cb6a6b216aff07

SHA512
771434a68097d27e02b1adf3b44630a902c09e601d2a4c4673ec495cedbbfe2d7a0682e00e7c73eb44c3043130397cc10f4e93120c0978a170cd845ffa9ae4a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75682c43a05a5de0b92ee6aa690e3b37

SHA1
3ec98f50f77e2ee76b041ea43aec480a74b0b2b9

SHA256
402a33165696031aeb05d7c520794ef9bfd42de2c84c7afd507ae91dac2640bc

SHA512
c253d3e4f8908274e0e282e0cd9c60072508d3b2dacc158a69d5da8d7ef1f680d26bde5b0d899155863f1c250cbcb870e8b6fa54f2ba39761c7616ae6ce373f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6a0e5262618d6817a9fd173e653ee68

SHA1
1f323b3ba97d5788cca08ffc6c1b1e74d767c715

SHA256
36d8219112029629c9ede9f15fec8ba8300d608cfadae78f7bad9bd23dda4854

SHA512
99a603c0df4c033f68be9d8682b45aa9eeaa3d9468dd8c5e33f7eeae938e4ab49fcf61af69ec50b187cb9c55c710488913a25713b6c63eac20e824500f0fd83f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
641cf1f18ac7e815d2ebd98e13f2d7ba

SHA1
82fe7b0d47ee64adea9e5b3ff673365eeaf8a894

SHA256
dc9329b1b5ca4d4e47098ec31f6eae7bfd509cd3b6a87a7494f5f3c998b1b78e

SHA512
843165d903d20671956d39c24177c82a5f11765cdb7ea242a5284797117da635c811fa3b5f2c4f793ad492c58c4931f72d0e11503cdb3c076b9da2c0393c2bd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1ece63f693d879df44d055f5a8871c6

SHA1
baed845a2b1f1f67a37e61f87880f557ed8e76af

SHA256
231a0dacbb294240d9404bc0396b747b4e868b9bd6f3c497419565c6c4a08526

SHA512
5cf7cb0df97e9171cf73136e168ebe0b206a765f723136a351c7c0bf63e5361d37433b59e2680634fc75cbf5ed0936aef841c8ed806699a3055d8d253d536d2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8d0935b9595cef91bd8941b8e895d2d

SHA1
fdac75a59115a1bebe8c81664d36f66afaed79d2

SHA256
fc2699fc0b182b976295a275a57db41e5ec5a14258842c737ad592ea5103a84d

SHA512
29d74204c9351f6c9b65e4d837920c7cefc7220fcc94a2351ee73d4be319786e9b8f67961f0aff4bd96f249c966c70043b4c9932bc6a9168d58413cd34b03b7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
902f0c9a04dded584d3617fcc34193bc

SHA1
a5893eb6fe0bd4324d2cb57b2e53c5a4636d9f2b

SHA256
f6f5363d183790f770f3cb26b7de9accd13600b61331f2938c10a296b9e57390

SHA512
e24c326e678f273f0db1a8e413d3bd9b4da8af9c68b1419bc9683bb8f24646d6b84fe9cda1a18607e51bdbddcfaa7e644271eda25aa4ae465683aed537eb23b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f407f67e8ebb77523c154c0e2f4a7ac

SHA1
9622aae0301d69429cb68ea5654dae6d01e4bd6e

SHA256
148ff2297f3d0c5f4be040840420ea2801643246efd858818cf725da72d9e1fb

SHA512
7bf0fcecefb54dfdc5178d2b5dccd34d3066b3fd9811322f24afe6d174df6dead8e9768e8eb32a230931e6da047f31405c6ecb1dd25e101a0b658340a281de9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
681dcc1cb3362c4a8b6f38abdc36b4f8

SHA1
a450c8fca721e413dd1b02113ff7f44efe485311

SHA256
6e4d94c4436198256574fdb0a094c34125a43009201f27e0c19f491da187e722

SHA512
679b1e94dcb918399cd00569e3465836a7f6cb5b0486151764e6e797df5306753dba937be40f133ad8f3656dcbf2787b8db176be2c7e23b626fb08f0abb45a7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ca37f27b858c2091f499a324f3fde6b

SHA1
9e44e5697ce4a39bdcd52a6ba23bd057010b47e2

SHA256
3e1fba1406b06293ad3205cff7b6af9226549c5d62d449198e3449a5f06ba8e5

SHA512
eedcab527eaa68f76a866c04d0fa598cd433fccf363d66da9581f78b02ceba4dfdee9ed315ad8e9127c227355302cb366a78fce094368393db1bf75be19d434f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5D4F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_2024-10-11_cda135f1512e01e2a92a5691f952c5bb_hijackloader_icedid.exe

Filesize
1.8MB

MD5
6323fbef5cc8da8432d255023b8b40bb

SHA1
2b48504458cc9dad72b201141518c7a1025b57eb

SHA256
dd08db1a66a341858aee10e1f3b6ffb7d2c2a6e75a484fd47ac765e6eb980ccb

SHA512
30f5433dfc2b3162606c66523af94e730f7422894a619a44335c45cf61bcbd29f93a091ae5c9b9c7d7c5b87552b0a7daa75995a02b49ad7d71956e5838b690ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5D71.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\ResolveDebug.exe

Filesize
2.8MB

MD5
f45f25e0b59444bcb22391e260846cdc

SHA1
7bd7b64c0296c81397847e498cad87101a99235e

SHA256
c566e42dd2398a18c66d6cb059801d225edcae23df86c3c1650267efcd5f7975

SHA512
7a6aeca65a6a7caabaad136686b43456bf61fc836d23eac7441afd3548a2dd4bcc302fb31388204fbe8e0dbfca09f9981c1ea886b5eadff6394c8e77c3c83eaf

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
\Windows\SysWOW64\259479598.txt

Filesize
899KB

MD5
fb33d208d63e22e22151a50f76307ab4

SHA1
4f9f95dc794b0252449eae231feeae2898f5a0a2

SHA256
ba67fe58d4413dc00dbe2cb228befce10a33ce0056307f2b323dd8d5ccaa73ec

SHA512
e7f14b2c39dd9bd3318992b9204eb2b07eb5ad4449ce431ef196d89689db7edb36522858c7459ea906bef513381cf46c2e077b5ce279d6366bb2c7a9b61ca923

Download Submit
\Windows\SysWOW64\Remote Data.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2548-41-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2548-38-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2548-40-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2548-42-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2548-45-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2548-47-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2776-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2776-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2776-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download