gh0strat | 57994a855c707100ddc40b45c03a23f290042ad600440a0f460a1d328231cc23

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-02-2025 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe
Size

4.7MB
MD5

f3049f2a4f46e8f02481084c85998542
SHA1

13987bb5bc3c02f9dd430e08c2d57b69afaf5076
SHA256

57994a855c707100ddc40b45c03a23f290042ad600440a0f460a1d328231cc23
SHA512

5e4c21b5f1d862877ecac196e97a951d9548d3a415a3362e6dfbf19871404057ae649ab051a1237f4415f402a74daea6fb25b57ea2b9095e9a4c246246f6d9df
SSDEEP

98304:uws2ANnKXOaeOgmhzX161EjL8BfT558AV/20V5hkgkwd:8KXbeO7J16D2YV

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 5 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2972-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2972-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2744-44-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2744-46-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2744-50-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000900000001658c-6.dat	family_gh0strat
behavioral1/memory/2972-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2972-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2744-44-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2744-46-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2744-50-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259430442.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 6 IoCs

pid	Process
2372	R.exe
2972	N.exe
2736	TXPlatfor.exe
2744	TXPlatfor.exe
2880	HD_2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe
3064	Remote Data.exe

Loads dropped DLL 9 IoCs

pid	Process
2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe
2372	R.exe
2560	svchost.exe
2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe
2736	TXPlatfor.exe
2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe
2560	svchost.exe
3064	Remote Data.exe
2880	HD_2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\259430442.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2972-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2972-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2972-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2744-44-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2744-46-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2744-50-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remote Data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2860	cmd.exe
2704	PING.EXE

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446163177"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{533BAD11-EF0A-11EF-9C13-E699F793024F} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2704	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2744	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2972	N.exe
Token: SeLoadDriverPrivilege	2744	TXPlatfor.exe
Token: 33	2744	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2744	TXPlatfor.exe
Token: 33	2744	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2744	TXPlatfor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
376	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe
2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe
376	IEXPLORE.EXE
376	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2372	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	30
PID 2380 wrote to memory of 2372	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	30
PID 2380 wrote to memory of 2372	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	30
PID 2380 wrote to memory of 2372	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	30
PID 2380 wrote to memory of 2972	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	33
PID 2380 wrote to memory of 2972	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	33
PID 2380 wrote to memory of 2972	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	33
PID 2380 wrote to memory of 2972	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	33
PID 2380 wrote to memory of 2972	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	33
PID 2380 wrote to memory of 2972	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	33
PID 2380 wrote to memory of 2972	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	33
PID 2972 wrote to memory of 2860	2972	N.exe	35
PID 2972 wrote to memory of 2860	2972	N.exe	35
PID 2972 wrote to memory of 2860	2972	N.exe	35
PID 2972 wrote to memory of 2860	2972	N.exe	35
PID 2736 wrote to memory of 2744	2736	TXPlatfor.exe	36
PID 2736 wrote to memory of 2744	2736	TXPlatfor.exe	36
PID 2736 wrote to memory of 2744	2736	TXPlatfor.exe	36
PID 2736 wrote to memory of 2744	2736	TXPlatfor.exe	36
PID 2736 wrote to memory of 2744	2736	TXPlatfor.exe	36
PID 2736 wrote to memory of 2744	2736	TXPlatfor.exe	36
PID 2736 wrote to memory of 2744	2736	TXPlatfor.exe	36
PID 2380 wrote to memory of 2880	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	38
PID 2380 wrote to memory of 2880	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	38
PID 2380 wrote to memory of 2880	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	38
PID 2380 wrote to memory of 2880	2380	2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	38
PID 2860 wrote to memory of 2704	2860	cmd.exe	39
PID 2860 wrote to memory of 2704	2860	cmd.exe	39
PID 2860 wrote to memory of 2704	2860	cmd.exe	39
PID 2860 wrote to memory of 2704	2860	cmd.exe	39
PID 2560 wrote to memory of 3064	2560	svchost.exe	40
PID 2560 wrote to memory of 3064	2560	svchost.exe	40
PID 2560 wrote to memory of 3064	2560	svchost.exe	40
PID 2560 wrote to memory of 3064	2560	svchost.exe	40
PID 2880 wrote to memory of 1004	2880	HD_2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	41
PID 2880 wrote to memory of 1004	2880	HD_2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	41
PID 2880 wrote to memory of 1004	2880	HD_2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	41
PID 2880 wrote to memory of 1004	2880	HD_2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe	41
PID 1004 wrote to memory of 376	1004	iexplore.exe	42
PID 1004 wrote to memory of 376	1004	iexplore.exe	42
PID 1004 wrote to memory of 376	1004	iexplore.exe	42
PID 1004 wrote to memory of 376	1004	iexplore.exe	42
PID 376 wrote to memory of 2924	376	IEXPLORE.EXE	43
PID 376 wrote to memory of 2924	376	IEXPLORE.EXE	43
PID 376 wrote to memory of 2924	376	IEXPLORE.EXE	43
PID 376 wrote to memory of 2924	376	IEXPLORE.EXE	43

C:\Users\Admin\AppData\Local\Temp\2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2704
- C:\Users\Admin\AppData\Local\Temp\HD_2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe
  C:\Users\Admin\AppData\Local\Temp\HD_2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:376 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:1616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259430442.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3064

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2D993E9BDDFC2D49E19866F11A7E662_C9782FAF26A2227EDDDA02E545F51576

Filesize
472B

MD5
f248b37b31621688c561d6ccf5a7ec13

SHA1
293bf0f49494ca235b51b85c77560fb23fb6fad0

SHA256
16f32862b4561618eb26b6caed943361fa0c89d8ee25b467dd804698c32df7cd

SHA512
5496774f6d1dd319e846ba624323703557943e6d9e51c3d10b22951e04f1ee585bbc19b075d325796caffaa17ef521eafc65ac847d79200dab2cf4fe16991dea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
695be6d5527a12c43a83126df2ed468a

SHA1
397310a818cff79a3991af29de3fbcf61db18b89

SHA256
174273f0da85787ff65ba5b5876d3f36b164a89027c3d91db2ad18d5800de3df

SHA512
f5c55752e12b8b93fd622a0888a10cabdf5cb8a13f9a4d8356f246d72b4be2b208918f58ae521089ba09169b19fcc7c725bbd41d610cb9ad46b56980e996fa2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e0d7846ce2c1b462891e5396d4ca44a

SHA1
69635ea853f49c691489096eb85cb39aa82a08f7

SHA256
b15c685259de751f15e88fcc75d03686c0762e0228323e9547e12298f4ea6677

SHA512
da2237bd65bd6efc960ff4d57177acbeacf0c0f91d345d6d28ec8256ce3b8bc876617a0cad058fef922c83071993f1fdd20a03055c7b56c6ac2f887c239c7b35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5ff1f0c56c83987840d19f51b29101f

SHA1
c9dd4c78dc4525a51d746bf1582a421204148983

SHA256
f2e107f5e77fc15e2e04ed9ab1095186be3fe58d15852bb9ffaa5e0f68fd1c04

SHA512
9da7f8600b0676e8c5105345978524f06e424998f3ddc66dd9228edc43ed28ceb96ffb0fad84c4ff292b5a8f80e3fac8a7bc276cb4ba2fffd24fa9cc88967a17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
539ab6ae50ca1ea0d084e27c39989193

SHA1
556dd91434388a70e53556a3f5270b32ee4470ec

SHA256
d8f9bd1ac19653a2406ac8aa1b69d42c513d48993b4f6ae0663b23824d62e49d

SHA512
7314c884f1a73b590ef45c57f2db7a7f1809ad12e5e7c9112582bb164521c12968d9b60f8c8ab854b986710fbc8eb1d310863297e1ca6126b7bb004e47c8e4a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08da4b764dfdf3914d6c0b35487e4791

SHA1
f4b7e2bae3b9a26c066f496e789c4b9b7540ff60

SHA256
76b69a49def564946a9eb88bc6583b6ee94ca5f1275824caf2f5878e8c00e0a1

SHA512
9babe88ca752f8e47b8321f449f9f45174bb9731fa402828b4b731b23de69fc0381407c3b7aa89a05302877c41c7e407b00d14e9634ef3a44117efacfed6fd52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffb2e103a55970fd6661b6fe8b0465d8

SHA1
19458572aef4995ccc01adc77a69c741e03a0173

SHA256
f844cd8caa92af55c4606a655b62c3656ed4adec827534409a7afbacedfefced

SHA512
cf442b135c6b1b1cef54394611defa76a6ab34d7a13bdd338bed2389d97fd03b40a47904e12f2f9693d01fab01ee19ec1a7ce3c6077d2d90863e3dd935636160

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9efb00401223041e11e0c7180421403

SHA1
3879aeb3bd0fa382afa153befe8d112ef6ddc686

SHA256
ebbfaec44112c9c2bd67a90819ddc68d2e893089247be8a23449ed456b5b5d7d

SHA512
d7dd854f9dddd103457327e19bd5c763e9d7845dabe4a2de14c9c87a5d6a3de2020fb9543c6e194f99490de98b1fdb375c5e07b39f753b137bb581add58bbf05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9345c9304117a38a42305f1cf8ffc807

SHA1
202506045f15bebaebfed8e2af007caa0ef3e868

SHA256
c600dc3c407fe07d66447da7451731e5f30c71e2c2ae8d3a7e116125541f69ee

SHA512
138927f634097abbdfa83ccd9fe052c9de2164ea13c9a5530cfc692dabf8d8dc22c93b94b29ac9f450f8535bfe6dfc628123b39cd162e2d868efaed4f9fca6a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d993d2f2c9c3e7be10d55dd9a876106e

SHA1
07274b68f7fb9ba4a72ed3d281b5e27d262c265b

SHA256
9c8ed0551e8c530c17e8c0c5a44b6d6e0878b227a17ee1ed37bb786737fe469e

SHA512
3c0d873a820d1f536daac79544138a7d8a27927ddad085e7a8d2c0836f474889c6831606d4de4ba069d686e13f74844bf84ac4d95d1487f33f3b8263b69d232f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a731c9b35fac09a069dcaeb1ad67acfe

SHA1
00cbdacc06ba8d9abd56714e92f40699765ff5e5

SHA256
b0888a21704a4e90d799c695eac11425069803a490cb8903872084877a545a62

SHA512
5f13e49888c9e42254e43dd143aca26631efc415d686a583edc931714e99f375725af475d13c644d04ed4d06e46c776b8a68a95947b14ee19670d7058eb3d851

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
985da92ebc6cc23a2048c7d1f0bb644f

SHA1
4ae6e8a9f7608900eaad29a360c8dbeeaf533903

SHA256
9df312961647bbecd9252001045de367b4f9b4764dfef639e1500661bdc012b1

SHA512
e0f9ac8169c9c2f94a543b42cf08c1886b1cb6b6f50d0425c0c7311aa099bb02055ca1d57be03ed7f044067283a34575ddd9735210d892605343130c14ab9b43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
535896e7c6e4cf9269c148d8fe3d2f5e

SHA1
d30181afa679aa0afea24e75ada06a1c319affe2

SHA256
38560d7e3c108297c8ce7ec6b733b1edea8ce9446f6ac51daffb09601d08c6e6

SHA512
18d4e9b0f1d197409651627173d79b4e95ca860758c17dff9d069a119d1fada9eed5be04eba3e388e545a541b524e7bd2fc1a53a195ef56cadab014d7d06d63e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47c8dfe4b37c534211f47dd4736cb6d1

SHA1
d3cf36dbfb979de095d1abe7bb7311bbf4b40830

SHA256
94be12be6b0ff87708e5f9178f956a476755d7134df6e8d838919ed98ea5cf6b

SHA512
d85935f005a4c1e05f47d852e32517e61f86ab25967a3bfccbcaa112ac5878c1101f67a1165750103a1a05df3a7d52bf4d6f71a5d7ef5c4e79dcdca19237479c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22aadfb0db95e119628f13a04b13a29d

SHA1
ad5371a16c02673994e943666d7b736e3b89d2e8

SHA256
238df95a672d1aa0ea71d41e24b80128ba67dd5311c4bff34f328706dabdf9f8

SHA512
de9248252ecdc1fd59da242317ea7cd0dcce03e6afbffdb41060a0600de1ae202157f9fe236774171e5e4b721315c289bf84e0696fa23e94449b729bad53c382

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
987e831c97aeffd0735e825f29ff4ff0

SHA1
3b4d6d7e8964bc708bb3d19f7c4dfe7c04ab6775

SHA256
032e7576305e9f2f0ffc363807085e65b58388ef9e0beffc906c11918a0e5430

SHA512
d5c33ccfe710f67d616ee0a8577892362c9876d1eeeb88229465d5465d6795b41cbb6bc22d8b47bd47680a3db122fba9328d7bbadd24f66b9071c7bba2aea1e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4565c1dc55c45730be45ca72e4b40ced

SHA1
12f5e2f2af396e3e33ff83414ddab62cadf5dc46

SHA256
39700cb26cba9db5109ab1430e14b51f579ac39c726c93ddeb186af0f4fc5aed

SHA512
20c927d7a2649711713887d4059469d860a6bfd72fc2d18f524d35c08c6c4b212f4607d1a10c6f3c7c97f13533d8f68e07f5f66d8e2697a7ee36aa7559f60f33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbad46a42a87623ea2c472b32861b26e

SHA1
5424498dc32ea2101ca0d1215fe3d674b9d07792

SHA256
6b7926dac67ee8ae6a6a417367617e37cc8a5f8a79de266ab04484abeb35bdc6

SHA512
fca7b8c544f2d47d91c78b6ddfd154c5f5f4becb6480e7c0a3cfcc2a2ae4f698266e27114724be79288a1e302d83c93ce7ae13d6435c3e23f424c328bd74cd33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a0dcca4feab94214d4cfd1b2ab8aa5b

SHA1
803f81a12e9737fd29ced4242571c5392f3b863c

SHA256
3a4f5a7ac4035a7eda8b5dcf1a0d3efb9691fe0c4841086f15acd492d00bb486

SHA512
9894a557f1e3fb74900e8488e84fcb77c73221501b7883aea668465dd7600e1f9a7eb4243e939af7fe941de820436c8dadc86f2399b0a6aeb8f5f353e3377ecd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b15dceb320ab6ebdd30554ed8a56e5d9

SHA1
593c94245eacdbda149c71eecb2acdbb0814def2

SHA256
a471f23c6e481677124778e498da237caef7d05516b1046761b4f76ef42cc843

SHA512
c5d341242af325775bc56b25dc2510f887f40129296f5285d655d3f9b590cda0e3ea6d8a2c27b9a4806d0e40add07639208774ec51325051cd2dbd548a0b5921

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6302f51048752af114ce15782f386971

SHA1
5697848aa5bdfd3f1227c641c7d2c616d87e8ff7

SHA256
e9f83791e5e5f82cc686515a96cf6b2f932bee6d5f5881c1069509e9e9a71d13

SHA512
34898800bd81e98685e42e3d94d5ed889428f3fd57bea3e014353f35ff7ff7e41dd9948a34e1d7b2f61c867bef8d0da1eab543d9cee5e91454889ba0d0c3113a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
875a6df022c82e7f7929771cb9583879

SHA1
4ad1e08a5f42978496c860d21b0f7431779b220e

SHA256
04642364123ffc985901f5a8b3e8d9422b197c9f728c9aba04111f2e7ac19892

SHA512
085fa9350297cfa4facf5583de977cc78868334a37d812f910746d97c05e2525bf5f47d01d92c2ad7f07d0e30f2324bac3231eea27874f81056260e372bc6f59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
860e7e2de6c0f82ceb26d57e73474321

SHA1
28d3e90e340bcd5849bd16d6fc63af1791fd52c5

SHA256
6805f8f5682ae077c14f5c5ee8cdc3f8d034ee263219ae63255b6491c4090e3b

SHA512
af39e6c6fdbce627df6a941266e437c1e66c12a7d22410ed16177339813cd87abe4ee8f8b79fa3dcbde6d37dc2bb11068c862b555cdb46353c0822e0a32cd6af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1500dfe411d8d21334c469b28ac054b4

SHA1
19c341a30d28f9c7f5c1a4c02481ddfa2e0ade28

SHA256
12315c27338d8b5503f15ab06789cc5d4aac96be508b83dab40b3c49883e805e

SHA512
34fb04c3318d93991180de3fa226a31c58f3bb04a898d60149475b5dc6cf64aec122b326ba304d538d9d79ac9f237864bb46cc4c36a7de732ef326595e32f54b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32da62a62b355aab44404c89d747a2ab

SHA1
6236795e1705dbeb6a99c654a71175a60b11c70e

SHA256
7a430655cf0f8d7f39764825be06b685171ae89786960bf19785a77ee7e5a99f

SHA512
74d5960c7da4078e2831468643c2a23cb8a6ebd8790ae45604e5a4c8e95c06e34b286ca1e2a22a4084b15205f54c0eeea9564e8419d227084a293bf1f378186a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2D993E9BDDFC2D49E19866F11A7E662_C9782FAF26A2227EDDDA02E545F51576

Filesize
498B

MD5
fbba34a6a27c799bd6b7628fec046439

SHA1
b2d5b7479959fb5cae7f8854597f13e0e1e2ad07

SHA256
226f045d95bb70aeeabe3992b9f46e9e380527c76159b584d05ee7e878dd543d

SHA512
042063be5718d907fba9eab7fdb0ed9e239d0b828a404113b66443290ae7792bf5b030f79f60d0d5655849f9540bca724daa19d0c8d5ddd6a1495b0d36372a6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
455e7acc4e42a79e1c5ce3bb88bfec1a

SHA1
0725fac9bab596983aa70c07b0f0ba9e43b698b9

SHA256
fb4d1bbcca0b52495769fef41863c2c3dff4c48d54a8a0831c84fdfd13959804

SHA512
4356a711749d3b4882ff20e630e745a5a9e1f95359282625fa17e93f218472ed31517f7765f42f02ea799bec3390a26feec3b51e290aa4765cfad485dcb33927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9fajjbh\imagestore.dat

Filesize
1KB

MD5
618e50725076524e352235e3a6612e4f

SHA1
53bd48e8ec18ba58dbcfb5c5905eb96f55e2d669

SHA256
79771417c0736358f5538463cdfcf4f1b705d34dd0e4bfef587a3eda093fee99

SHA512
b1e24eab2faadf414ab1a8c933a5b0f9b2f1f7866ec64f485c4ab6587bd32fd8858d86ba73f7318e34d250af8f1824ebb606a93071144da735031aba2b236320

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\favicon[1].ico

Filesize
1KB

MD5
9666d7d69681361c8f1ee6e1352b37a1

SHA1
026d01b3e9a1c8752be75f348484713f64099551

SHA256
2a40e46debd9a2139f8d6bfd02b2fb15039373d67965a352c9a2c9cbe45257b0

SHA512
ca6ce9f0c7cec6a409d0a5ac05df757e90fd8812c6df12fbb09144d00bca10ab3a091120f0b10de584d966e5eafba14ca8823103c594b868dce0858c9ab6d9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC238.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
2.5MB

MD5
e3b7145562f03d8f0b08d865656b39a6

SHA1
f43a9ba7b3a2ca9a91f330d77d05d0e032c0e478

SHA256
e914901d16f7e51ccb594dfb366ecef153ca9b0bbeb92a34d976f8be0b7ac77d

SHA512
855640d6f438fc1bd75b19d719ae788ffc7880fca9fa26925e349e160eadb8cb8fd151cbc2fbc9eb43ee589bf1244dc06d81bf80bfcca3cc63c02db86ed72fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC2C8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\Remote Data.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Users\Admin\AppData\Local\Temp\HD_2025-02-19_f3049f2a4f46e8f02481084c85998542_hijackloader_icedid_luca-stealer.exe

Filesize
2.2MB

MD5
6e98d1966cfb66bc48deb6673dd4be08

SHA1
8fae232b4f7bb5214edb0f35b924265a8aecd03c

SHA256
823394a6498d637a964241d728481872f5666baf2ea6288a56be088b4f6c334a

SHA512
49db0ac4253d1a819dfd1fc19151b378f8b0711e3b968100058adbf3ca3f6a9b24f00f9eefd6e932254549a93d068b986d65470efdb9c5a40ca21ca3ae27509c

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
\Windows\SysWOW64\259430442.txt

Filesize
899KB

MD5
fbd4d9b7921a207222c49c2045ea7c9e

SHA1
628edfe48c7024d3fd7ba6deb735c059b2b40d6a

SHA256
563b4f6319ad0b4658fa9ec09f6ba6084787efdf51f5fd6e0c66749f6f97dd6a

SHA512
65bb04c9f93f8a8d83477769be01980c28fb4fd7a3d5a0b10dd60af9dd0a966fc8a91e0f8f7a10a97475e133f2e5aea79713eb09f6e85e7132b4c05c842d402c

Download Submit
memory/2744-44-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2744-46-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2744-50-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2972-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2972-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2972-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download