Malware Analysis Report

2024-12-07 13:43

Sample ID 241109-zb9h7s1hqa
Target 41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53
SHA256 41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53
Tags: gh0strat purplefox discovery persistence rat rootkit trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53

Threat Level: Known bad

The file 41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox discovery persistence rat rootkit trojan upx

Gh0strat family

PurpleFox

Purplefox family

Gh0strat

Detect PurpleFox Rootkit

Gh0st RAT payload

Sets service image path in registry

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious behavior: LoadsDriver

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:33

Reported

2024-11-09 20:36

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2888 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2888 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2888 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2888 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2888 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2888 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2888 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2828 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2648 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2648 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2648 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2648 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2648 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2648 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 2676 wrote to memory of 380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2676 wrote to memory of 380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2676 wrote to memory of 380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2676 wrote to memory of 380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe

"C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp

Files

\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/2828-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2828-15-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2828-10-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2828-11-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2648-21-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2648-29-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2620-30-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2620-31-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2620-35-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2620-36-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\Desktop\InitializeDismount.exe

MD5 a92ea5e0b50394f6048c4de5be0815ca
SHA1 cda5dde133710c536c107902843e95bcf9194dea
SHA256 0c905e3080131f22ad7fa3db4b15ab99b1c38419ab9e3ada9cfef6ef4001d998
SHA512 338d1f36069ed3d8e2ed2fa64629554adae1e3899d22c3730331bd8c3c22f81575597c138fbff0c8f5d992467be0ac8934e0b5be4efc1c4bac947ed3a7b4e9c1

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 20:33

Reported

2024-11-09 20:36

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4660 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 4660 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 4660 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe | C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 3572 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 3572 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 3572 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\RVN.exe | C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 2908 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 4764 wrote to memory of 2908 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 4764 wrote to memory of 2908 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe
PID 4484 wrote to memory of 264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 4484 wrote to memory of 264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 4484 wrote to memory of 264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe

"C:\Users\Admin\AppData\Local\Temp\41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp
US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp

Files

C:\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/3572-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3572-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3572-9-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3572-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4764-16-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4764-17-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2908-24-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4764-25-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4764-18-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4764-14-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2908-26-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2908-31-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2908-30-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 2f8f7ae053c6bc790ec5c13b86eb1e3a
SHA1 6572ade871e91e54d44352f95ea40244e954e866
SHA256 41a9b05b5ad76c82220e55b8b07adbbe7876aaa5b4ce0a74f644d34d4f853f53
SHA512 e48ed77f14bb01b7b4ba397f35c21ea5861a501177e5c1aed1ca949125f36decf13b44756ae8c55e5283a4bb3ca40257dbb1e2e788a5d02e594942edae0bcd71