Malware Analysis Report

2024-11-30 15:52

Sample ID 220924-ndvbhscedq
Target ICEY LOADER 2022.exe
SHA256 c23e8f61e677667f91254417a9dcd50bb07ba2675e0f011e34f36d977c57dbf2
Tags mercurialgrabber nanocore evasion keylogger persistence spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 c23e8f61e677667f91254417a9dcd50bb07ba2675e0f011e34f36d977c57dbf2

Threat Level: Known bad

The file ICEY LOADER 2022.exe was found to be: Known bad.

Malicious Activity Summary

mercurialgrabber nanocore evasion keylogger persistence spyware stealer trojan

Mercurialgrabber family

Nanocore family

Mercurial Grabber Stealer

NanoCore

Looks for VirtualBox Guest Additions in registry

Executes dropped EXE

Looks for VMWare Tools registry key

Checks BIOS information in registry

Reads user/profile data of web browsers

Checks computer location settings

Checks whether UAC is enabled

Maps connected drives based on registry

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported

2022-09-24 11:17

Signatures

Mercurialgrabber family

mercurialgrabber

Nanocore family

nanocore

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-24 11:17

Reported

2022-09-24 11:20

Platform

win10-20220812-en

Max time kernel

141s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ICEY LOADER 2022.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

NanoCore

keylogger trojan stealer spyware nanocore

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\ICEY.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe" | C:\Users\Admin\AppData\Roaming\ICEY.EXE | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\ICEY.EXE | N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip4.seeip.org | N/A | N/A
N/A | ip4.seeip.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\UDP Subsystem\udpss.exe | C:\Users\Admin\AppData\Roaming\ICEY.EXE | N/A
File created | C:\Program Files (x86)\UDP Subsystem\udpss.exe | C:\Users\Admin\AppData\Roaming\ICEY.EXE | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\ICEY.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ICEY.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ICEY LOADER 2022.exe

"C:\Users\Admin\AppData\Local\Temp\ICEY LOADER 2022.exe"

C:\Users\Admin\AppData\Roaming\ICEY.EXE

"C:\Users\Admin\AppData\Roaming\ICEY.EXE"

C:\Users\Admin\AppData\Roaming\OUTPUT.EXE

"C:\Users\Admin\AppData\Roaming\OUTPUT.EXE"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip4.seeip.org | udp
US | 23.128.64.141:443 | ip4.seeip.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | discord.com | udp
US | 162.159.137.232:443 | discord.com | tcp
US | 162.159.137.232:443 | discord.com | tcp
US | 8.8.8.8:53 | hackenamin.duckdns.org | udp
DE | 95.91.228.253:8080 | hackenamin.duckdns.org | tcp
US | 8.8.8.8:53 | hackenamin.duckdns.org | udp
DE | 95.91.228.253:8080 | hackenamin.duckdns.org | tcp
US | 20.42.72.131:443 | N/A | tcp
US | 8.8.8.8:53 | hackenamin.duckdns.org | udp
DE | 95.91.228.253:8080 | hackenamin.duckdns.org | tcp
US | 8.238.20.254:80 | N/A | tcp
N/A | 127.0.0.1:8080 | N/A | tcp
N/A | 127.0.0.1:8080 | N/A | tcp
N/A | 127.0.0.1:8080 | N/A | tcp
US | 8.8.8.8:53 | hackenamin.duckdns.org | udp
DE | 95.91.228.253:8080 | hackenamin.duckdns.org | tcp
US | 8.8.8.8:53 | hackenamin.duckdns.org | udp
DE | 95.91.228.253:8080 | hackenamin.duckdns.org | tcp
US | 8.8.8.8:53 | hackenamin.duckdns.org | udp
DE | 95.91.228.253:8080 | hackenamin.duckdns.org | tcp
N/A | 127.0.0.1:8080 | N/A | tcp
N/A | 127.0.0.1:8080 | N/A | tcp
N/A | 127.0.0.1:8080 | N/A | tcp
US | 8.8.8.8:53 | hackenamin.duckdns.org | udp
DE | 95.91.228.253:8080 | hackenamin.duckdns.org | tcp

Files

C:\Users\Admin\AppData\Roaming\ICEY.EXE

MD5 149e0f200d7c8cb4a68c481c9d8f0665
SHA1 b478e1f92ea85edeb436b4f96d4eac4ffa958ce4
SHA256 3f8dd41671c3b19a4c40951582e22189f7c7157061901a61bfb2e81cea18f0f7
SHA512 510b2996ceefa32ef6f682226c49845b7b5e70732dc1d635f70abf9f6b333e5513d29b156d86869e0dd43ebf1682c54a1da7b09f250948038ecf36b4fb8fe489

C:\Users\Admin\AppData\Roaming\OUTPUT.EXE

MD5 0c8ac4b0c3a0f0e690a9710428937449
SHA1 0c85c9c54e8a74b96420bc928c1c0241ad4f0ce1
SHA256 7aa6077865dd7845b51a14260492d6f68f76a47498059ee92d015cba2079ff1b
SHA512 fa22a9601207c23065b13f4754a97ab8f5d42b8b878f5a4032be4dcc94bde2f65d2b51e958b111618b8487a88ea65e341950f51ec216f18377bdc06062460006

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-24 11:17

Reported

2022-09-24 11:20

Platform

win10v2004-20220812-en

Max time kernel

148s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ICEY LOADER 2022.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

NanoCore

keylogger trojan stealer spyware nanocore

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\ICEY.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ICEY LOADER 2022.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" | C:\Users\Admin\AppData\Roaming\ICEY.EXE | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\ICEY.EXE | N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip4.seeip.org | N/A | N/A
N/A | ip4.seeip.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DDP Host\ddphost.exe | C:\Users\Admin\AppData\Roaming\ICEY.EXE | N/A
File opened for modification | C:\Program Files (x86)\DDP Host\ddphost.exe | C:\Users\Admin\AppData\Roaming\ICEY.EXE | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\ICEY.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\OUTPUT.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ICEY.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ICEY LOADER 2022.exe

"C:\Users\Admin\AppData\Local\Temp\ICEY LOADER 2022.exe"

C:\Users\Admin\AppData\Roaming\ICEY.EXE

"C:\Users\Admin\AppData\Roaming\ICEY.EXE"

C:\Users\Admin\AppData\Roaming\OUTPUT.EXE

"C:\Users\Admin\AppData\Roaming\OUTPUT.EXE"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip4.seeip.org | udp
US | 23.128.64.141:443 | ip4.seeip.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 93.184.220.29:80 | N/A | tcp
US | 8.8.8.8:53 | discord.com | udp
US | 162.159.137.232:443 | discord.com | tcp
US | 162.159.137.232:443 | discord.com | tcp
US | 8.8.8.8:53 | hackenamin.duckdns.org | udp
DE | 95.91.228.253:8080 | hackenamin.duckdns.org | tcp
US | 93.184.220.29:80 | N/A | tcp
US | 8.8.8.8:53 | hackenamin.duckdns.org | udp
DE | 95.91.228.253:8080 | hackenamin.duckdns.org | tcp
US | 8.253.208.113:80 | N/A | tcp
US | 8.253.208.113:80 | N/A | tcp
US | 8.253.208.113:80 | N/A | tcp
US | 8.253.208.113:80 | N/A | tcp
US | 8.8.8.8:53 | hackenamin.duckdns.org | udp
DE | 95.91.228.253:8080 | hackenamin.duckdns.org | tcp
N/A | 127.0.0.1:8080 | N/A | tcp
NL | 104.80.225.205:443 | N/A | tcp
N/A | 127.0.0.1:8080 | N/A | tcp
N/A | 127.0.0.1:8080 | N/A | tcp
US | 8.8.8.8:53 | hackenamin.duckdns.org | udp
DE | 95.91.228.253:8080 | hackenamin.duckdns.org | tcp
US | 8.8.8.8:53 | hackenamin.duckdns.org | udp
DE | 95.91.228.253:8080 | hackenamin.duckdns.org | tcp
US | 8.8.8.8:53 | hackenamin.duckdns.org | udp
DE | 95.91.228.253:8080 | hackenamin.duckdns.org | tcp
N/A | 127.0.0.1:8080 | N/A | tcp
N/A | 127.0.0.1:8080 | N/A | tcp
N/A | 127.0.0.1:8080 | N/A | tcp
US | 8.8.8.8:53 | hackenamin.duckdns.org | udp
DE | 95.91.228.253:8080 | hackenamin.duckdns.org | tcp

Files

C:\Users\Admin\AppData\Roaming\ICEY.EXE

MD5 149e0f200d7c8cb4a68c481c9d8f0665
SHA1 b478e1f92ea85edeb436b4f96d4eac4ffa958ce4
SHA256 3f8dd41671c3b19a4c40951582e22189f7c7157061901a61bfb2e81cea18f0f7
SHA512 510b2996ceefa32ef6f682226c49845b7b5e70732dc1d635f70abf9f6b333e5513d29b156d86869e0dd43ebf1682c54a1da7b09f250948038ecf36b4fb8fe489

C:\Users\Admin\AppData\Roaming\OUTPUT.EXE

MD5 0c8ac4b0c3a0f0e690a9710428937449
SHA1 0c85c9c54e8a74b96420bc928c1c0241ad4f0ce1
SHA256 7aa6077865dd7845b51a14260492d6f68f76a47498059ee92d015cba2079ff1b
SHA512 fa22a9601207c23065b13f4754a97ab8f5d42b8b878f5a4032be4dcc94bde2f65d2b51e958b111618b8487a88ea65e341950f51ec216f18377bdc06062460006
