Malware Analysis Report

2024-12-07 13:54

Sample ID 241119-y3psfa1phw
Target f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96
SHA256 f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96
Tags
vmprotect gh0strat purplefox discovery persistence rat rootkit trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96

Threat Level: Known bad

The file f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96 was found to be: Known bad.

Malicious Activity Summary

vmprotect gh0strat purplefox discovery persistence rat rootkit trojan upx

Gh0st RAT payload

Detect PurpleFox Rootkit

PurpleFox

Gh0strat family

Purplefox family

Gh0strat

Sets service image path in registry

Server Software Component: Terminal Services DLL

Drops file in Drivers directory

VMProtect packed file

Checks computer location settings

Drops startup file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

UPX packed file

Program crash

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-19 20:18

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 20:18

Reported

2024-11-19 20:21

Platform

win7-20241010-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A (5 matches; the sandbox recorded no indicator details)

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A (6 matches; the sandbox recorded no indicator details)

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\Ghiya.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\主动防御服务模块\Parameters\ServiceDll = "C:\\Windows\\system32\\259479286.txt" C:\Users\Admin\AppData\Local\Temp\AK47.exe N/A
(The service name is GBK text, 主动防御服务模块, "Active Defense Service Module", which the original report rendered as Latin-1 mojibake. ServiceDll points at a .txt file in System32, i.e. the service DLL is stored under a non-DLL extension; the Processes list below shows 主动防御服务模块.exe invoked with the rundll32-style argument "c:\windows\system32\259479286.txt",MainThread.)

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\Ghiya.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A (10 matches; the sandbox recorded no indicator details)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\主动防御服务模块.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\主动防御服务模块.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\259479286.txt C:\Users\Admin\AppData\Local\Temp\AK47.exe N/A (2 events)
File created C:\Windows\SysWOW64\Ghiya.exe C:\Users\Admin\AppData\Local\Temp\AK74.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghiya.exe C:\Users\Admin\AppData\Local\Temp\AK74.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\AK47.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 matches; the sandbox recorded no indicator details)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A (2 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\主动防御服务模块.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AK74.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ghiya.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AK47.exe N/A (2 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ghiya.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AK74.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Ghiya.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege; left unnamed by the sandbox) N/A C:\Windows\SysWOW64\Ghiya.exe N/A (2 events)
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Ghiya.exe N/A (2 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2808 wrote to memory of 2800 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe C:\Users\Admin\AppData\Local\Temp\AK47.exe
PID 2808 wrote to memory of 2828 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe C:\Users\Admin\AppData\Local\Temp\AK47.exe
PID 2808 wrote to memory of 2932 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe C:\Users\Admin\AppData\Local\Temp\AK74.exe
PID 2932 wrote to memory of 2404 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\AK74.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 1172 (7 events) N/A C:\Windows\SysWOW64\Ghiya.exe C:\Windows\SysWOW64\Ghiya.exe
PID 2404 wrote to memory of 3068 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2808 wrote to memory of 2524 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe C:\Windows\SysWOW64\WScript.exe
PID 2808 wrote to memory of 2260 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe C:\Windows\SysWOW64\WScript.exe
PID 2724 wrote to memory of 1136 (4 events) N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\主动防御服务模块.exe
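The WriteProcessMemory table records one row per call, so the same parent/child pair repeats and the process tree is hard to read off the page. The following Python is an added example, not part of the sandbox report: it parses the rows (both the raw form and rows collapsed to "(N events)"), rebuilds the tree and lists the roots. WPM_ROWS is copied from the table above with the service name decoded from GBK; the parsing and tree logic are this example's own.

```python
"""Rebuild the behavioral1 process tree from the 'Suspicious use of
WriteProcessMemory' rows.  Added example; not part of the sandbox report.
WPM_ROWS is copied from the table above, one line per distinct parent/child
pair with the number of recorded calls, the service name decoded from GBK;
the parsing and tree logic is this example's own."""
import re
from collections import defaultdict

# Accepts both the raw report rows and rows collapsed to "(N events)".
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)(?: \((\d+) events\))? N/A (\S+) (\S+)$")

# Constructed from the behavioral1 table above (sandbox PIDs, sandbox paths).
WPM_ROWS = r"""
PID 2808 wrote to memory of 2800 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe C:\Users\Admin\AppData\Local\Temp\AK47.exe
PID 2808 wrote to memory of 2828 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe C:\Users\Admin\AppData\Local\Temp\AK47.exe
PID 2808 wrote to memory of 2932 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe C:\Users\Admin\AppData\Local\Temp\AK74.exe
PID 2932 wrote to memory of 2404 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\AK74.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 1172 (7 events) N/A C:\Windows\SysWOW64\Ghiya.exe C:\Windows\SysWOW64\Ghiya.exe
PID 2404 wrote to memory of 3068 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2808 wrote to memory of 2524 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe C:\Windows\SysWOW64\WScript.exe
PID 2808 wrote to memory of 2260 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe C:\Windows\SysWOW64\WScript.exe
PID 2724 wrote to memory of 1136 (4 events) N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\主动防御服务模块.exe
"""


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_edges(text):
    """Map (ppid, pid, parent_image, child_image) -> number of recorded calls."""
    counts = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edge = (int(m[1]), int(m[2]), m[4], m[5])
            counts[edge] = counts.get(edge, 0) + int(m[3] or 1)
    return counts


def build_tree(edge_counts):
    """children: ppid -> [pid]; names: pid -> image path;
    roots: writers that no recorded process wrote to."""
    children, names = defaultdict(list), {}
    for ppid, pid, pimg, cimg in edge_counts:
        children[ppid].append(pid)
        names.setdefault(ppid, pimg)
        names.setdefault(pid, cimg)
    spawned = {pid for kids in children.values() for pid in kids}
    roots = sorted(p for p in children if p not in spawned)
    return children, names, roots


def render(children, names, roots):
    """Indented text tree, one process per line."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid}  {basename(names[pid])}")
        for kid in sorted(children.get(pid, [])):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    ch, nm, rt = build_tree(parse_edges(WPM_ROWS))
    print(render(ch, nm, rt))
```

Only 2808, the submitted sample, is a root whose launch the report records. 2740 (Ghiya.exe) and 2724 (svchost.exe -k "主动防御服务模块") appear as roots because nothing in this table wrote to them; that is consistent with the Service Control Manager starting them after the QAssist and 主动防御服务模块 services were registered, but the table itself cannot confirm the creator, so treat it as an inference.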

Processes

C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe

"C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe"

C:\Users\Admin\AppData\Local\Temp\AK47.exe

"C:\Users\Admin\AppData\Local\Temp\AK47.exe"

C:\Users\Admin\AppData\Local\Temp\AK47.exe

C:\Users\Admin\AppData\Local\Temp\\AK47.exe

C:\Users\Admin\AppData\Local\Temp\AK74.exe

C:\Users\Admin\AppData\Local\Temp\\AK74.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"

C:\Windows\SysWOW64\Ghiya.exe

C:\Windows\SysWOW64\Ghiya.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul

C:\Windows\SysWOW64\Ghiya.exe

C:\Windows\SysWOW64\Ghiya.exe -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Windows\SysWOW64\主动防御服务模块.exe

C:\Windows\system32\主动防御服务模块.exe "c:\windows\system32\259479286.txt",MainThread
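The registry, file and command-line rows above describe how the sample persists (a svchost-hosted service whose ServiceDll is a .txt file, a kernel driver service QAssist registered by the same process that dropped QAssist.sys, a Run key named 360safo pointing at svchcst.exe under AppData, a Startup-folder win.lnk) and how AK74.exe removes itself (cmd /c ping -n 2 127.0.0.1 && del). The following Python is an added example, not part of the sandbox report: it encodes those observations as reusable checks and runs them over an event list constructed from the tables above. Field names, rule names and the lookalike-name distance threshold are this example's assumptions; the only transformation applied to the report's data is decoding the GBK service name.

```python
"""Rule checks over the registry, file and command-line rows of behavioral1.
Added example, not part of the sandbox report.  EVENTS is constructed from
the tables above (field names are this example's); rule names and the
lookalike threshold are assumptions made here."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe")

# Constructed from the report's tables; the ServiceDll key is kept in the
# mojibake form the report printed so the decoder below has work to do.
EVENTS = [
    {"kind": "reg", "proc": r"C:\Users\Admin\AppData\Local\Temp\AK47.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll",
     "value": r"C:\Windows\system32\259479286.txt"},
    {"kind": "file", "proc": r"C:\Windows\SysWOW64\Ghiya.exe",
     "path": r"C:\Windows\system32\drivers\QAssist.sys"},
    {"kind": "reg", "proc": r"C:\Windows\SysWOW64\Ghiya.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath",
     "value": r"system32\DRIVERS\QAssist.sys"},
    {"kind": "reg", "proc": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo",
     "value": r"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"},
    {"kind": "file", "proc": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk"},
    {"kind": "cmd", "proc": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul"},
]

SERVICE_RE = re.compile(r"\\services\\([^\\]+)\\(.+)$", re.I)
SELF_DELETE_RE = re.compile(r"ping\s+-n\s+\d+\s+127\.0\.0\.1\b.*?&&\s*del\s+(\S+)", re.I)
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def fix_gbk_mojibake(text):
    """The sandbox printed GBK bytes as Latin-1; undo that where it round-trips."""
    try:
        return text.encode("latin-1").decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text


def levenshtein(a, b):
    """Edit distance, used to catch system-binary lookalikes such as svchcst.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(events):
    """Return (rule, detail) findings in event order."""
    findings = []
    dropped_drivers = {}  # lower-case .sys basename -> process that wrote it
    for ev in events:
        if ev["kind"] == "file":
            low = ev["path"].lower()
            if low.endswith(".sys") and "\\drivers\\" in low:
                dropped_drivers[basename(low)] = ev["proc"]
            if "\\start menu\\programs\\startup\\" in low:
                findings.append(("startup_folder_lnk", ev["path"]))
        elif ev["kind"] == "reg":
            val_low = ev["value"].lower()
            m = SERVICE_RE.search(ev["key"])
            if m:
                service, leaf = fix_gbk_mojibake(m[1]), m[2].lower()
                if leaf == "parameters\\servicedll" and not val_low.endswith(".dll"):
                    findings.append(("servicedll_non_dll_extension", f"{service} -> {ev['value']}"))
                if (leaf == "imagepath" and val_low.endswith(".sys")
                        and dropped_drivers.get(basename(val_low)) == ev["proc"]):
                    findings.append(("driver_dropped_and_registered_by_same_process",
                                     f"{service} <- {ev['proc']}"))
            if "\\currentversion\\run\\" in ev["key"].lower() and "\\appdata\\" in val_low:
                name = basename(val_low)
                if any(0 < levenshtein(name, real) <= 2 for real in SYSTEM_NAMES):
                    findings.append(("run_key_system_binary_lookalike", f"{name} at {ev['value']}"))
        elif ev["kind"] == "cmd":
            m = SELF_DELETE_RE.search(ev["cmdline"])
            if m:
                findings.append(("ping_sleep_then_self_delete", m[1]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:46} {detail}")
```

The driver rule deliberately correlates two events (the .sys written under drivers\ and the ImagePath that names it, by the same process) rather than alerting on either alone, since legitimate installers also do both; the ServiceDll rule keys on the extension, not the random numeric file name, because the name changes between runs (compare 259479286.txt here with 240639078.txt in behavioral2).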

Network

Country Destination Domain Proto
US 8.8.8.8:53 cf1549064127.f3322.net udp
CN 43.249.193.73:54997 tcp (7 connections)

Files

memory/2808-0-0x0000000000400000-0x0000000000760000-memory.dmp

memory/2808-1-0x0000000000400000-0x0000000000760000-memory.dmp

\Users\Admin\AppData\Local\Temp\AK47.exe

MD5 423eb994ed553294f8a6813619b8da87
SHA1 eca6a16ccd13adcfc27bc1041ddef97ec8081255
SHA256 050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218
SHA512 fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

\Windows\SysWOW64\259479286.txt

MD5 f7fb4cb997e26d65be0fe5b537653382
SHA1 74bcde3ceb75dd1ae9d9d1a3dc880d2167199a14
SHA256 452a5196c622427292ef2143731c5f2c4ba7be09df516a041233f80a2e5be721
SHA512 3b16d06b32fec715d0bfe52d6b6d18e5f2b05cd7620a319b277e0762bb166ffea4e29184e0644d641b33190a44d484bcbf1867a55498265e5119c670fb627a0f

\Users\Admin\AppData\Local\Temp\AK74.exe

MD5 b0998aa7d5071d33daa5b60b9c3c9735
SHA1 9365a1ff0c6de244d6f36c8d84072cc916665d3c
SHA256 3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a
SHA512 308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

memory/2932-22-0x0000000010000000-0x00000000101BA000-memory.dmp

memory/2932-24-0x0000000010000000-0x00000000101BA000-memory.dmp

memory/2932-23-0x0000000010000000-0x00000000101BA000-memory.dmp

memory/1172-49-0x0000000010000000-0x00000000101BA000-memory.dmp

memory/1172-53-0x0000000010000000-0x00000000101BA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 70a1ac291409027ee505b1eaf15cbd15
SHA1 2ba28e9c3da8306c492e61a54a101968804d7b7f
SHA256 daa76685d6ac024c7a69c799b43403a5fb767e9d4e6dd4533b65661dfc24baec
SHA512 76baddae8eca52e1d7eacb9cafcb80139fd32936b29de60391725b85f9e9feffc8469ee3d507b07c7b480ef9119e2f4dc80cc019f10b35dbaa8f7bbda89e8f45

memory/1172-59-0x0000000010000000-0x00000000101BA000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 ef76818c727e78728d0118d1ee14ac01
SHA1 37439f7df625c8e32ac0ddf17e41be1eed1e5eac
SHA256 113db83836ec0a95f3f5633c21aa36f5bf25d6a48e492db0452de72a21d6a2a8
SHA512 36961eece9bb126a6ebf09d5786b8013311aa256c5b934da841b537c2defe0f12001a79e2504ca17fc3754d2ba32699b776dca5a1a207d0df965cc6b85702df3

memory/2808-67-0x0000000000A70000-0x0000000000A80000-memory.dmp

memory/2808-66-0x0000000000A70000-0x0000000000A80000-memory.dmp

\Windows\SysWOW64\主动防御服务模块.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

memory/2808-76-0x0000000000400000-0x0000000000760000-memory.dmp

memory/2808-79-0x0000000000A70000-0x0000000000A80000-memory.dmp

memory/2808-78-0x0000000000A70000-0x0000000000A80000-memory.dmp

memory/2808-82-0x0000000000400000-0x0000000000760000-memory.dmp

memory/2808-85-0x0000000000400000-0x0000000000760000-memory.dmp

memory/2808-89-0x0000000000400000-0x0000000000760000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

MD5 29ce53e2a4a446614ccc8d64d346bde4
SHA1 39a7aa5cc1124842aa0c25abb16ea94452125cbe
SHA256 56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df
SHA512 b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa

memory/2808-92-0x0000000000400000-0x0000000000760000-memory.dmp

memory/2808-95-0x0000000000400000-0x0000000000760000-memory.dmp

memory/2808-98-0x0000000000400000-0x0000000000760000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 20:18

Reported

2024-11-19 20:21

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A (9 matches; the sandbox recorded no indicator details)

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A (10 matches; the sandbox recorded no indicator details)

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\Ghiya.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\Ghiya.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AK47.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A (10 matches; the sandbox recorded no indicator details)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\240639078.txt C:\Users\Admin\AppData\Local\Temp\AK47.exe N/A (2 events)
File created C:\Windows\SysWOW64\Ghiya.exe C:\Users\Admin\AppData\Local\Temp\AK74.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghiya.exe C:\Users\Admin\AppData\Local\Temp\AK74.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (12 matches; the sandbox recorded no indicator details)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AK47.exe N/A (2 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AK74.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ghiya.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe N/A (14 events)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ghiya.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AK74.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Ghiya.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege; left unnamed by the sandbox) N/A C:\Windows\SysWOW64\Ghiya.exe N/A (2 events)
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Ghiya.exe N/A (2 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3352 wrote to memory of 3388 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe C:\Users\Admin\AppData\Local\Temp\AK47.exe
PID 3352 wrote to memory of 2944 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe C:\Users\Admin\AppData\Local\Temp\AK47.exe
PID 3352 wrote to memory of 4960 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe C:\Users\Admin\AppData\Local\Temp\AK74.exe
PID 4960 wrote to memory of 4912 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\AK74.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 3196 (3 events) N/A C:\Windows\SysWOW64\Ghiya.exe C:\Windows\SysWOW64\Ghiya.exe
PID 3352 wrote to memory of 1028 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe C:\Windows\SysWOW64\WScript.exe
PID 4912 wrote to memory of 3396 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe

"C:\Users\Admin\AppData\Local\Temp\f2b1d838e92540f58d6038f3eadedcd37f29aaa82fa8dad8a1b6aac50644fb96.exe"

C:\Users\Admin\AppData\Local\Temp\AK47.exe

"C:\Users\Admin\AppData\Local\Temp\AK47.exe"

C:\Users\Admin\AppData\Local\Temp\AK47.exe

C:\Users\Admin\AppData\Local\Temp\\AK47.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3388 -ip 3388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2944 -ip 2944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 348

C:\Users\Admin\AppData\Local\Temp\AK74.exe

C:\Users\Admin\AppData\Local\Temp\\AK74.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3388 -ip 3388

C:\Windows\SysWOW64\Ghiya.exe

C:\Windows\SysWOW64\Ghiya.exe -auto

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 392

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul

C:\Windows\SysWOW64\Ghiya.exe

C:\Windows\SysWOW64\Ghiya.exe -acsi

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 cf1549064127.f3322.net udp (5 queries)
CN 43.249.193.73:54997 tcp (7 connections)
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
(The in-addr.arpa rows are reverse (PTR) lookups; the report does not attribute them to any sample process.)

Files

memory/3352-0-0x0000000000400000-0x0000000000760000-memory.dmp

memory/3352-1-0x0000000000400000-0x0000000000760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AK47.exe

MD5 423eb994ed553294f8a6813619b8da87
SHA1 eca6a16ccd13adcfc27bc1041ddef97ec8081255
SHA256 050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218
SHA512 fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

C:\Windows\SysWOW64\240639078.txt

MD5 f7fb4cb997e26d65be0fe5b537653382
SHA1 74bcde3ceb75dd1ae9d9d1a3dc880d2167199a14
SHA256 452a5196c622427292ef2143731c5f2c4ba7be09df516a041233f80a2e5be721
SHA512 3b16d06b32fec715d0bfe52d6b6d18e5f2b05cd7620a319b277e0762bb166ffea4e29184e0644d641b33190a44d484bcbf1867a55498265e5119c670fb627a0f

C:\Users\Admin\AppData\Local\Temp\AK74.exe

MD5 b0998aa7d5071d33daa5b60b9c3c9735
SHA1 9365a1ff0c6de244d6f36c8d84072cc916665d3c
SHA256 3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a
SHA512 308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

memory/4960-24-0x0000000010000000-0x00000000101BA000-memory.dmp

memory/4960-27-0x0000000010000000-0x00000000101BA000-memory.dmp

memory/4960-26-0x0000000010000000-0x00000000101BA000-memory.dmp

memory/1768-35-0x0000000010000000-0x00000000101BA000-memory.dmp

memory/3196-37-0x0000000010000000-0x00000000101BA000-memory.dmp

memory/1768-34-0x0000000010000000-0x00000000101BA000-memory.dmp

memory/1768-32-0x0000000010000000-0x00000000101BA000-memory.dmp

memory/3196-44-0x0000000010000000-0x00000000101BA000-memory.dmp

memory/3196-43-0x0000000010000000-0x00000000101BA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 583401fb012e8faa4a1e1c3f58098941
SHA1 5fe3d39ec2175ecb3aba0d7f3df9b21d57b51578
SHA256 71243628f8581dd71b13156fe6fa733d126688b47900af5957dd14a476a3f421
SHA512 97bd5c28a850d94b046b65c3f03b684b8c4bc567ee66ab35672a9dd3d6f317fe73f8b6078849b01764bb7a52c93ff6e904c17699034d875f98fb4a58ce974fb8

memory/3196-51-0x0000000010000000-0x00000000101BA000-memory.dmp

memory/3196-56-0x0000000010000000-0x00000000101BA000-memory.dmp

memory/3196-58-0x0000000010000000-0x00000000101BA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 8df7c415a07d30e312021a86379e3075
SHA1 3a9fb2d5306f03d7d6699960af726f6a5ca202a4
SHA256 742d216f1fbb6e3e256ce45b44393c4e22dfa159b523e610ab1b0047ddefcf1d
SHA512 f315a2ec4567b7a7ba6ebe34ff221202f312926487c2144ca3562fc9461abbb1b659e76a853e7a826478e0f0e8e9385b5c905debb680d715a8d2823c572c3a1b

memory/3352-60-0x0000000000400000-0x0000000000760000-memory.dmp

memory/3352-63-0x0000000000400000-0x0000000000760000-memory.dmp

memory/3352-66-0x0000000000400000-0x0000000000760000-memory.dmp

memory/3352-70-0x0000000000400000-0x0000000000760000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

MD5 29ce53e2a4a446614ccc8d64d346bde4
SHA1 39a7aa5cc1124842aa0c25abb16ea94452125cbe
SHA256 56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df
SHA512 b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa

memory/3352-73-0x0000000000400000-0x0000000000760000-memory.dmp

memory/3352-76-0x0000000000400000-0x0000000000760000-memory.dmp

memory/3352-79-0x0000000000400000-0x0000000000760000-memory.dmp
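The two Files sections record the same dropper components on win7 and win10, but not every hash is the same in both runs. The following Python is an added example, not part of the sandbox report: it compares the dropped-file hashes of the two detonations, keyed by path and by hash, to separate artifacts that are stable across runs (usable as hash IOCs) from those that change per run or merely change name. RUN_WIN7 and RUN_WIN10 are copied from the two Files sections above (memory dumps omitted, the service name decoded from GBK); the comparison logic is this example's own.

```python
"""Compare dropped-file SHA256s across the two detonations.  Added example,
not part of the sandbox report.  RUN_WIN7 / RUN_WIN10 are copied from the
Files sections above (memory dumps omitted); the logic is this example's."""
import re

RUN_WIN7 = {  # behavioral1 (win7-20241010-en): path as printed -> SHA256
    r"\Users\Admin\AppData\Local\Temp\AK47.exe":
        "050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218",
    r"\Windows\SysWOW64\259479286.txt":
        "452a5196c622427292ef2143731c5f2c4ba7be09df516a041233f80a2e5be721",
    r"\Users\Admin\AppData\Local\Temp\AK74.exe":
        "3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs":
        "daa76685d6ac024c7a69c799b43403a5fb767e9d4e6dd4533b65661dfc24baec",
    r"\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe":
        "113db83836ec0a95f3f5633c21aa36f5bf25d6a48e492db0452de72a21d6a2a8",
    r"\Windows\SysWOW64\主动防御服务模块.exe":
        "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini":
        "56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df",
}

RUN_WIN10 = {  # behavioral2 (win10v2004-20241007-en)
    r"C:\Users\Admin\AppData\Local\Temp\AK47.exe":
        "050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218",
    r"C:\Windows\SysWOW64\240639078.txt":
        "452a5196c622427292ef2143731c5f2c4ba7be09df516a041233f80a2e5be721",
    r"C:\Users\Admin\AppData\Local\Temp\AK74.exe":
        "3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe":
        "71243628f8581dd71b13156fe6fa733d126688b47900af5957dd14a476a3f421",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs":
        "742d216f1fbb6e3e256ce45b44393c4e22dfa159b523e610ab1b0047ddefcf1d",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini":
        "56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df",
}


def norm(path):
    """Case-fold and drop the drive letter so 'C:\\X' and '\\X' compare equal."""
    return re.sub(r"^[a-z]:", "", path.lower())


def compare_runs(run_a, run_b):
    """Bucket every path seen in either run by how it behaved across runs."""
    a = {norm(p): h for p, h in run_a.items()}
    b = {norm(p): h for p, h in run_b.items()}
    stable, changed, renamed, single = [], [], set(), []
    for path in sorted(set(a) | set(b)):
        if path in a and path in b:
            (stable if a[path] == b[path] else changed).append(path)
            continue
        here, there = (a, b) if path in a else (b, a)
        twins = [q for q, h in there.items() if h == here[path]]
        if twins:  # same bytes under another name in the other run
            renamed.add(tuple(sorted((path, twins[0]))))
        else:
            single.append(path)
    return {"stable": stable, "same_path_new_hash": changed,
            "same_hash_new_path": sorted(renamed), "single_run": single}


def stable_hashes(run_a, run_b):
    """SHA256 values present in both runs regardless of file name."""
    return sorted(set(run_a.values()) & set(run_b.values()))


if __name__ == "__main__":
    for bucket, items in compare_runs(RUN_WIN7, RUN_WIN10).items():
        print(bucket)
        for item in items:
            print("   ", item)
    print("hash IOCs:", *stable_hashes(RUN_WIN7, RUN_WIN10), sep="\n    ")
```

On this report's data the stable set is AK47.exe, AK74.exe, Config.ini and the service DLL (same SHA256 in both runs, written as 259479286.txt on win7 and 240639078.txt on win10, so the numeric name is generated per run and should not be used as an indicator). svchcst.exe and VBS3.vbs keep their names but have different hashes in each run, so for those two the Run key, the Startup .lnk and the WScript.exe launch are the dependable detections, not file hashes. 主动防御服务模块.exe appears only in the win7 run.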