gh0strat | b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe
Size

3.9MB
MD5

d121f72dc5396879b62ee8c9448dabbc
SHA1

d4048054f1c669e7e7048152e8545476882cb2a4
SHA256

b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa
SHA512

a1e30b7311448751d770d716567af309674ba8e5c50e0c73b58a50ed392d198afb7a4388100fc9d36f71b15072f0ba15c5a1c1c83d1bb7ebeb22af33cb0b442a
SSDEEP

49152:OCwsbCANnKXferL7Vwe/Gg0P+WhRBPWORjsizxAoo7QrvgXEW6+:pws2ANnKXOaeOgmhRBpW37kuM+

Score

10^/10

gh0strat purplefox discovery evasion persistence rat rootkit spyware stealer trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 8 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/1068-19-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1068-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1068-23-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4688-28-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4688-29-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2892-39-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2892-43-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2892-56-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 9 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023c9d-5.dat	family_gh0strat
behavioral2/memory/1068-19-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1068-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1068-23-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4688-28-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4688-29-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2892-39-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2892-43-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2892-56-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Drops file in Drivers directory 1 IoCs

Processes:

TXPlatfor.exe

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

R.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240629859.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatfor.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	HD_msedge.exe

Executes dropped EXE 24 IoCs

Processes:

R.exeN.exeTXPlatfor.exeTXPlatfor.exeHD_b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exeRemote Data.exemsedge.exeR.exeN.exeTXPlatfor.exeTXPlatfor.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exe

pid	Process
1364	R.exe
1068	N.exe
4688	TXPlatfor.exe
2892	TXPlatfor.exe
1252	HD_b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe
4112	Remote Data.exe
3408	msedge.exe
3720	R.exe
4912	N.exe
2116	TXPlatfor.exe
1732	TXPlatfor.exe
808	HD_msedge.exe
4608	HD_msedge.exe
904	HD_msedge.exe
1028	HD_msedge.exe
224	HD_msedge.exe
3488	HD_msedge.exe
264	HD_msedge.exe
4956	HD_msedge.exe
2988	HD_msedge.exe
648	HD_msedge.exe
2928	HD_msedge.exe
264	HD_msedge.exe
1152	HD_msedge.exe

Loads dropped DLL 3 IoCs

Processes:

R.exesvchost.exeRemote Data.exe

pid	Process
1364	R.exe
724	svchost.exe
4112	Remote Data.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

HD_msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HD_msedge.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	HD_msedge.exe

Drops file in System32 directory 6 IoCs

Processes:

R.exesvchost.exeN.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\240629859.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1068-19-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1068-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1068-23-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1068-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4688-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4688-29-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4688-27-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2892-39-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2892-43-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2892-56-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exemsedge.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

R.exePING.EXEmsedge.exeR.exeTXPlatfor.exeTXPlatfor.exeN.exeb8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exeN.exeRemote Data.execmd.exesvchost.execmd.exePING.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msedge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remote Data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXEcmd.exePING.EXE

pid	Process
4256	cmd.exe
3144	PING.EXE
1444	cmd.exe
1888	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	HD_msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXE

pid	Process
1888	PING.EXE
3144	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exemsedge.exeHD_msedge.exeHD_msedge.exeidentity_helper.exeHD_msedge.exe

pid	Process
4396	b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe
4396	b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe
3408	msedge.exe
3408	msedge.exe
1028	HD_msedge.exe
1028	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
468	identity_helper.exe
468	identity_helper.exe
1152	HD_msedge.exe
1152	HD_msedge.exe
1152	HD_msedge.exe
1152	HD_msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatfor.exe

pid	Process
2892	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

N.exeTXPlatfor.exeN.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	1068	N.exe
Token: SeLoadDriverPrivilege	2892	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	4912	N.exe
Token: 33	2892	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2892	TXPlatfor.exe
Token: 33	2892	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2892	TXPlatfor.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

HD_msedge.exe

pid	Process
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

HD_msedge.exe

pid	Process
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe
808	HD_msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exemsedge.exe

pid	Process
4396	b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe
4396	b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe
3408	msedge.exe
3408	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exeN.exeTXPlatfor.execmd.exesvchost.exeHD_b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exemsedge.exeN.exeTXPlatfor.exeHD_msedge.execmd.exe

description	pid	Process	procid_target
PID 4396 wrote to memory of 1364	4396	b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe	83
PID 4396 wrote to memory of 1364	4396	b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe	83
PID 4396 wrote to memory of 1364	4396	b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe	83
PID 4396 wrote to memory of 1068	4396	b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe	86
PID 4396 wrote to memory of 1068	4396	b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe	86
PID 4396 wrote to memory of 1068	4396	b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe	86
PID 1068 wrote to memory of 1444	1068	N.exe	88
PID 1068 wrote to memory of 1444	1068	N.exe	88
PID 1068 wrote to memory of 1444	1068	N.exe	88
PID 4688 wrote to memory of 2892	4688	TXPlatfor.exe	90
PID 4688 wrote to memory of 2892	4688	TXPlatfor.exe	90
PID 4688 wrote to memory of 2892	4688	TXPlatfor.exe	90
PID 4396 wrote to memory of 1252	4396	b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe	91
PID 4396 wrote to memory of 1252	4396	b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe	91
PID 1444 wrote to memory of 1888	1444	cmd.exe	92
PID 1444 wrote to memory of 1888	1444	cmd.exe	92
PID 1444 wrote to memory of 1888	1444	cmd.exe	92
PID 724 wrote to memory of 4112	724	svchost.exe	93
PID 724 wrote to memory of 4112	724	svchost.exe	93
PID 724 wrote to memory of 4112	724	svchost.exe	93
PID 1252 wrote to memory of 3408	1252	HD_b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe	95
PID 1252 wrote to memory of 3408	1252	HD_b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe	95
PID 1252 wrote to memory of 3408	1252	HD_b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe	95
PID 3408 wrote to memory of 3720	3408	msedge.exe	96
PID 3408 wrote to memory of 3720	3408	msedge.exe	96
PID 3408 wrote to memory of 3720	3408	msedge.exe	96
PID 3408 wrote to memory of 4912	3408	msedge.exe	97
PID 3408 wrote to memory of 4912	3408	msedge.exe	97
PID 3408 wrote to memory of 4912	3408	msedge.exe	97
PID 4912 wrote to memory of 4256	4912	N.exe	99
PID 4912 wrote to memory of 4256	4912	N.exe	99
PID 4912 wrote to memory of 4256	4912	N.exe	99
PID 2116 wrote to memory of 1732	2116	TXPlatfor.exe	100
PID 2116 wrote to memory of 1732	2116	TXPlatfor.exe	100
PID 2116 wrote to memory of 1732	2116	TXPlatfor.exe	100
PID 3408 wrote to memory of 808	3408	msedge.exe	101
PID 3408 wrote to memory of 808	3408	msedge.exe	101
PID 808 wrote to memory of 4608	808	HD_msedge.exe	103
PID 808 wrote to memory of 4608	808	HD_msedge.exe	103
PID 4256 wrote to memory of 3144	4256	cmd.exe	104
PID 4256 wrote to memory of 3144	4256	cmd.exe	104
PID 4256 wrote to memory of 3144	4256	cmd.exe	104
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105
PID 808 wrote to memory of 904	808	HD_msedge.exe	105

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

HD_msedge.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	HD_msedge.exe

C:\Users\Admin\AppData\Local\Temp\b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe
"C:\Users\Admin\AppData\Local\Temp\b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1364
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1888
- C:\Users\Admin\AppData\Local\Temp\HD_b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe
  C:\Users\Admin\AppData\Local\Temp\HD_b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://im.qq.com/
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\R.exe
      C:\Users\Admin\AppData\Local\Temp\\R.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3720
  - - C:\Users\Admin\AppData\Local\Temp\N.exe
      C:\Users\Admin\AppData\Local\Temp\\N.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4256
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Checks system information in the registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffefdc546f8,0x7ffefdc54708,0x7ffefdc54718
        5⤵
        Executes dropped EXE
        
        PID:4608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2088,10851263768936635300,12079281866918745019,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,10851263768936635300,12079281866918745019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,10851263768936635300,12079281866918745019,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2088,10851263768936635300,12079281866918745019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2088,10851263768936635300,12079281866918745019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2088,10851263768936635300,12079281866918745019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2988
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2088,10851263768936635300,12079281866918745019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,10851263768936635300,12079281866918745019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
        5⤵
        
        PID:2064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,10851263768936635300,12079281866918745019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2088,10851263768936635300,12079281866918745019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2088,10851263768936635300,12079281866918745019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2088,10851263768936635300,12079281866918745019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2088,10851263768936635300,12079281866918745019,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5268 /prefetch:2
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1152

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:1156

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:724
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240629859.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4112

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2892

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:1732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

Filesize
3.2MB

MD5
ad8536c7440638d40156e883ac25086e

SHA1
fa9e8b7fb10473a01b8925c4c5b0888924a1147c

SHA256
73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a

SHA512
b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
5.6MB

MD5
781ba72fa1fd498e7a677f65dbf32852

SHA1
3458b939f489f158bc5af5d0af4dc8a4f3db50eb

SHA256
5d50364a1b964921e0a035efae5faa92c268e3f21162f512f0f765aa4c70f5da

SHA512
b6881722094ecdbc6a285fb0c7555d994b134172d2299a4c439ecf64ffff8ab9ed8cf9aa40c58a45ce52a5b3ab8746494314ce176520db4c2cd29972c6eb8025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dd2f0fdb6ed8957a1fb5ca219c315fe3

SHA1
795f2027d4b0d0c805f9beb8a01c13deaf11bd6a

SHA256
bcdfc0393fc217e3a71551953490e010ae1ffca686b6afaa3639e8949ddd5292

SHA512
53691a06cd642fcebd9f88b6e7b14c2da56f6ff1f52f55b8f8913ea48abfd6be27750d730fecf4106e3a112c98b4e0107153213475e375b568d95275ee30f5ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f81a086e8d9070150c1d3137d3e82be

SHA1
21c2c2f5eb4063e7111e63cc1712fa84f122b0bf

SHA256
5575c822371c5da1a61fb3809e6aec6d0716d8f98e254ccb51de816c4c63f750

SHA512
f5e964b150e4be672d67f2cf8d0489a42efdf160b4d4cb2a51d8df5ca152886395d8dc350120a7bba3e64d2a61b21f9f8e4bece33a6fe2386a5ae33fec20f338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ecb27347302a8799128465498ec2d04d

SHA1
30bc9b0cb3f44052c9e3c65779ebbf965c59514b

SHA256
d9e8b9a96e1c55599fe327e44800cd7ff57401ed68815bd6754a6739f5470cec

SHA512
6aa5d3c2c4fbbd0bcc12554e0db18775c4158924b36bb10a5a0936dd5b0e784705b12a7a7debe63354498d04ff26e3989fe5d2f1d1faaa4f3bf3946da5a5fb88

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
2.4MB

MD5
64b847b71be177ba31a57629280cb3e9

SHA1
5107bdd2d735b3518dab42c33d5dfe8dd7e0a53d

SHA256
481a9a3a2154ceabf12e5f5a2bc241fdcb8006d452424ff550cf67e2da5901fa

SHA512
584020fc25439259d9f101bcaadb06c62f60e708af08e9437f68d3677a56bbdd3c76af1a3dd0fe6d43ddec1eb0feba0e98b5c9f48c6d75ed8f263f48dcc803fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_b8c2b9c681b675f6ad5d62b2d22bd978cb004b5b40d2b93857c54f326a2a2efa.exe

Filesize
1.5MB

MD5
6fc19c07a651b0fd253e47134183f438

SHA1
ce3b4d0c46c3006691d2f6b2b43181816eb64a6d

SHA256
2cd7a981185adc81d5644ff6ae79a0657445038f837553e5e48ef2f1c943eb78

SHA512
a6bfa95c104099be93417767a5a0c963f8d0247786d4a86e883dcb4f8f09010e000c22397ee2bbb8524d8ef0ca6d44735e698c914b10f59482af4a5daec26e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
C:\Windows\SysWOW64\240629859.txt

Filesize
899KB

MD5
b593c0899953a236374325ad26a8085e

SHA1
420e21f8252c9bdaa659861a5acb8fafedd05a69

SHA256
5865972bb72e24a4e4519be91ca357c6fee516c6598dce2309feee662b438286

SHA512
b7c3f2b137cc7c9e9734d87644a22e0b65ac70f5fa4ec1eb850da7cf8da2d7e69f1ec690953a3f4992e4802161c620b87d84ffe50926de2daeb6181a43c2bc3c

Download Submit
C:\Windows\SysWOW64\Remote Data.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
\??\pipe\LOCAL\crashpad_808_RNYOTTDEULPZJLUC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/904-106-0x00007FFF0BBD0000-0x00007FFF0BBD1000-memory.dmp

Filesize
4KB

Download
memory/1068-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1068-23-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1068-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1068-19-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2892-56-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2892-43-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2892-39-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4688-27-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4688-29-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4688-28-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download