Resubmissions

08-12-2024 19:05

241208-xrpgvsslct 10

08-12-2024 18:57

241208-xl4plaxjdr 10

Analysis

  • max time kernel
    44s
  • max time network
    42s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-12-2024 19:05

General

  • Target

    2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe

  • Size

    3.0MB

  • MD5

    7091ef9191eae2ef9fba1acd659f916d

  • SHA1

    3d2cd6a23c64fb57b07e517d00854bbde43bf0ea

  • SHA256

    7f68f7239f7f8ea8d9be6de86e869a508096d6da0c2e02f57520f0959018930c

  • SHA512

    faac00de734b6d85150570c648e29057b3e80811e3415732b7d65c039109a6bb5cb0b68bb345ae32f6f510ae2d283094879b9a10a5c99eaba456bf318c4c3437

  • SSDEEP

    49152:oQZAdVyVT9n/Gg0P+WhognG/wNCYnTC+vOuCsJwJ2k+s9pk+mcnG/wVUNQ3u:BGdVyVT9nOgmhvnG/wNbTC+vipJ2bsQr

Malware Config

Signatures

  • Detect PurpleFox Rootkit 12 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 13 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • Purplefox family
  • Drops file in Drivers directory 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 23 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 6 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 7 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:3300
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2760
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:4504
    • C:\Users\Admin\AppData\Local\Temp\HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
      C:\Users\Admin\AppData\Local\Temp\HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://uu.163.com/
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:696
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          C:\Users\Admin\AppData\Local\Temp\\svchost.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4004
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:824
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 2 127.0.0.1
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2436
        • C:\Users\Admin\AppData\Local\Temp\svchos.exe
          C:\Users\Admin\AppData\Local\Temp\\svchos.exe
          4⤵
          • Server Software Component: Terminal Services DLL
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          PID:4444
        • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
          4⤵
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Checks system information in the registry
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3992
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8eae13cb8,0x7ff8eae13cc8,0x7ff8eae13cd8
            5⤵
            • Executes dropped EXE
            PID:1928
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
            5⤵
            • Executes dropped EXE
            PID:416
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3320
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
            5⤵
            • Executes dropped EXE
            PID:4424
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
            5⤵
            • Executes dropped EXE
            PID:1972
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
            5⤵
            • Executes dropped EXE
            PID:576
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
            5⤵
            • Executes dropped EXE
            PID:4712
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
            5⤵
            • Executes dropped EXE
            PID:3100
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
            5⤵
            • Executes dropped EXE
            PID:2440
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
            5⤵
            • Executes dropped EXE
            PID:1776
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 /prefetch:8
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4408
          • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
            5⤵
            • Executes dropped EXE
            PID:4600
          • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3892 /prefetch:8
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3164
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:444
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    1⤵
      PID:3832
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
      1⤵
        PID:4152
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
        1⤵
          PID:3892
        • C:\Windows\SysWOW64\TXPlatforn.exe
          C:\Windows\SysWOW64\TXPlatforn.exe -auto
          1⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3400
          • C:\Windows\SysWOW64\TXPlatforn.exe
            C:\Windows\SysWOW64\TXPlatforn.exe -acsi
            2⤵
            • Executes dropped EXE
            PID:3452
        • C:\Windows\System32\CompPkgSrv.exe
          C:\Windows\System32\CompPkgSrv.exe -Embedding
          1⤵
            PID:3980
          • C:\Windows\System32\CompPkgSrv.exe
            C:\Windows\System32\CompPkgSrv.exe -Embedding
            1⤵
              PID:2844
            • C:\Windows\System32\rundll32.exe
              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              1⤵
                PID:4180

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe

                Filesize

                3.2MB

                MD5

                7faa5ffa86c7629b995db9db9de5840e

                SHA1

                a5b83fe6745288cb6fa18450b3f9ad918fe90970

                SHA256

                ddda6f7397e8ebe11981b6ba137af2d99a72fe3ac1b14afee00737eca6738ed3

                SHA512

                7aa8e32117951be916c8f829f1f7ebae999292edf45abd4dc8ffab5a21a87ffdc956246b1c2aa62ece63fc39ef9eb7ee0d51fc1a797d0f5051ce0b9216e2633c

              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

                Filesize

                4.5MB

                MD5

                12567ad252eb17f4a94a15e151b6678c

                SHA1

                738660587ac13547c539cc88808276724d696659

                SHA256

                fc90a03b853b85641ddd7c8fccfaea566e4fe6df42e0da3e84f0130a0fffed08

                SHA512

                d246283b73e54bd0f534c16d1bfa1b47c87f56d8796309bf7899213e0179350f953348be166636d9f656c0595c9969813a65f635098b4604526ebeee0bd619e5

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                Filesize

                152B

                MD5

                e11c77d0fa99af6b1b282a22dcb1cf4a

                SHA1

                2593a41a6a63143d837700d01aa27b1817d17a4d

                SHA256

                d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

                SHA512

                c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                Filesize

                152B

                MD5

                c0a1774f8079fe496e694f35dfdcf8bc

                SHA1

                da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

                SHA256

                c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

                SHA512

                60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                Filesize

                5KB

                MD5

                0bdcdb0d73a30a34d9741e4f8c15dd3d

                SHA1

                6a9cef88f7f8aa5e5df7f5c35da071effccf796d

                SHA256

                976dbbdbaa8c40a3f14acf7ea6481576bf142d043a5fb021905bdd60c5f386aa

                SHA512

                3d936fcbd1b3c64aaad655789b615f28cdf7e4780946072cc321a3a909db14445fae0127e9409141321115bb04e42b147d99abe571571646906919a94bb9b3cb

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                Filesize

                5KB

                MD5

                dd5ba867dac30dc811045d950e603614

                SHA1

                e2a2db3286cf8054afaa632df135c6b2c72d9491

                SHA256

                f0a6a06db147878996c0626b346e849ff3651cf873316c35777b0adaca227a1e

                SHA512

                d258fdccbc3b5c97c5d3c84d669f796d180d0ed886f6b0c76a0766eb8d49f4928e1ad8f5cbba7bef6cf2e98265da4a64d86027d8e2bdead89b64a69cef310601

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                Filesize

                5KB

                MD5

                c93d493c22511ae7c2ac2730ae9d8feb

                SHA1

                a982dbd10907d8dfabc23dfb90027ea52b37069c

                SHA256

                0150dec13565bfcfb4a788aedd0bfd244d84352f8213af90f0870c8d5822e960

                SHA512

                f3e9caf10809051f7cdfaf2d2e2c514535ee3e8aa81fe844334dfe539faf88cfbc85c6539dcfe59dea115aa9b0434f08ea5b6cafd7becb478b565f2601cb3dc6

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                Filesize

                16B

                MD5

                46295cac801e5d4857d09837238a6394

                SHA1

                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                SHA256

                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                SHA512

                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                Filesize

                16B

                MD5

                206702161f94c5cd39fadd03f4014d98

                SHA1

                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                SHA256

                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                SHA512

                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                Filesize

                10KB

                MD5

                71afb0d9617a768addf1fdb46214b333

                SHA1

                2510ba447fd0b8287da3a54635556fc072b99235

                SHA256

                10d34a05d95dde6d4341f4d86d0d8be7da804478fe34b673b9d30c35b6e99227

                SHA512

                cbe4a196fd2897c2ddf89db99355ef6bc2b243b96f7fcf979ba51316b445e808d290a5782361d9d85e1788ba6eb20c350a6f49264d12fa8e7091054857a32ecc

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                Filesize

                10KB

                MD5

                23ce94e5ff680c6e1871834e6e711342

                SHA1

                7de561e8d548c32a647f5c96a3a835ed79f64ebc

                SHA256

                835e928078344d953995d6ee20c1174980dd1b9b03e4bafd80950c179be72878

                SHA512

                e26d9d5e89d5dcc4594ca47683004058a6d5ad50cc8a00c59a087d4b744bbcf99c720883e9d9fdf73262b757db16917456587890fe99aadf7a8e5fdde827d82a

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

                Filesize

                264KB

                MD5

                f50f89a0a91564d0b8a211f8921aa7de

                SHA1

                112403a17dd69d5b9018b8cede023cb3b54eab7d

                SHA256

                b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                SHA512

                bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

              • C:\Users\Admin\AppData\Local\Temp\HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe

                Filesize

                1.7MB

                MD5

                41d1320b270d52fc54f88851b045fd4d

                SHA1

                652b67083bcae6db3ce156a13e33657ce026a74f

                SHA256

                98a3e9f2d4313e78bd7cab53070d2a26f292129edd53fa329394eb4e793c104a

                SHA512

                03d5ecf5f3de36001fbf9cae283c7db474124ead885c4c45837400f0bc3d86f903417f92b5e1094fedfefcbaf82ace12104c7b6d8bfe9fd2527854f2808e9354

              • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

                Filesize

                1.3MB

                MD5

                f220d9369aebfed8404cfeadd8f3a818

                SHA1

                86c0095799f2937a9296d030c5b00475424779de

                SHA256

                c4af430a63b0c6576f38440dca4f25286ac0fc16f017c86701f31d10449c8e88

                SHA512

                3937316c9279274eeefbd8aef410d3cd72c784d9cf4981319bdd91eca8ff37dcf69e266b1b99bf5dfd0b7b0a2ba582d07eff1e21f753590ebf25a03ec960a13e

              • C:\Users\Admin\AppData\Local\Temp\svchos.exe

                Filesize

                93KB

                MD5

                3b377ad877a942ec9f60ea285f7119a2

                SHA1

                60b23987b20d913982f723ab375eef50fafa6c70

                SHA256

                62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

                SHA512

                af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

              • C:\Users\Admin\AppData\Local\Temp\svchost.exe

                Filesize

                377KB

                MD5

                a4329177954d4104005bce3020e5ef59

                SHA1

                23c29e295e2dbb8454012d619ca3f81e4c16e85a

                SHA256

                6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

                SHA512

                81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

              • C:\Windows\SysWOW64\240630000.txt

                Filesize

                50KB

                MD5

                27d8d2bfaaf31924097e4d9f65121f47

                SHA1

                ba3b7ae931246c8631570936e4cb302b564658a7

                SHA256

                a3c1f22ee797ef5010963e28820fb9fbde98ea2513189caa55fcb2f05a4c5ab2

                SHA512

                e53ba22e714aab8afaf07d4bc6ed73fec9370de3386d33810a2166dafa38dff6bb9f78ff041b07ce0aef9202f0a5899279acace12f20d42a9c4f5cf1d88931a5

              • C:\Windows\SysWOW64\ini.ini

                Filesize

                41B

                MD5

                4a70d325c46cdf4dd383545895bdc129

                SHA1

                6f4d670f68aaf438c2643a188504b4cc40acc275

                SHA256

                84d28d4ed7f549533f97a71259398b507a0f4ea580564907cd5ef8ec38169fb8

                SHA512

                cd06e6e8a1bca0db70d8a29af4093d28c9331349c49efec2d90d666303badbf9c66f3bbe2e5c21e9f06fe7cd720bbb958619b26ce4c0ab03eae9467b82c299c7

              • memory/416-205-0x0000021907ED0000-0x0000021907F01000-memory.dmp

                Filesize

                196KB

              • memory/416-137-0x00007FF90A7E0000-0x00007FF90A7E1000-memory.dmp

                Filesize

                4KB

              • memory/444-16-0x0000000010000000-0x00000000101B6000-memory.dmp

                Filesize

                1.7MB

              • memory/444-23-0x0000000010000000-0x00000000101B6000-memory.dmp

                Filesize

                1.7MB

              • memory/444-13-0x0000000010000000-0x00000000101B6000-memory.dmp

                Filesize

                1.7MB

              • memory/444-17-0x0000000010000000-0x00000000101B6000-memory.dmp

                Filesize

                1.7MB

              • memory/444-15-0x0000000010000000-0x00000000101B6000-memory.dmp

                Filesize

                1.7MB

              • memory/2564-34-0x0000000010000000-0x00000000101B6000-memory.dmp

                Filesize

                1.7MB

              • memory/2564-32-0x0000000010000000-0x00000000101B6000-memory.dmp

                Filesize

                1.7MB

              • memory/2564-31-0x0000000010000000-0x00000000101B6000-memory.dmp

                Filesize

                1.7MB

              • memory/2564-30-0x0000000010000000-0x00000000101B6000-memory.dmp

                Filesize

                1.7MB

              • memory/2564-37-0x0000000010000000-0x00000000101B6000-memory.dmp

                Filesize

                1.7MB

              • memory/3744-10-0x0000000010000000-0x00000000101B6000-memory.dmp

                Filesize

                1.7MB

              • memory/3744-7-0x0000000010000000-0x00000000101B6000-memory.dmp

                Filesize

                1.7MB

              • memory/3744-6-0x0000000010000000-0x00000000101B6000-memory.dmp

                Filesize

                1.7MB

              • memory/3744-4-0x0000000010000000-0x00000000101B6000-memory.dmp

                Filesize

                1.7MB

              • memory/3992-319-0x000001D686540000-0x000001D6867B8000-memory.dmp

                Filesize

                2.5MB

              • memory/4424-206-0x000002472D7B0000-0x000002472D7E1000-memory.dmp

                Filesize

                196KB