Analysis Overview
SHA256
2027a3fc488a5ecfa69e9a9057c8975e2d28cd6c937197ec69fc896c971285c3
Threat Level: Known bad
The file fe905ed17bcf3e53a9a38f0ace182e96 was found to be: Known bad.
Malicious Activity Summary
CryptBot payload
CryptBot
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-28 23:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-28 23:01
Reported
2024-01-09 22:33
Platform
win7-20231215-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe
"C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c UcNzcjbM
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 30
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
Poi.exe.com o
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^fEQJhwnKKuicpzjpscwvTJMvNeQkoysJJdDVeObWsMNmmUcuUwpUoKgFSxVlkhBEObLTPduDXttuWhWTGJsiVbAZwY$" Orti.sys
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com o
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Amo.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | UFXrFoIFneEBVxJsXMSQh.UFXrFoIFneEBVxJsXMSQh | udp |
| US | 8.8.8.8:53 | ewaqfe45.top | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dov.sys
| MD5 | 05e66b1939889acce5eecc4cf792d683 |
| SHA1 | 31f073c4ff06b7fa89a54fb0313af2acc4088642 |
| SHA256 | a7532f39d502044bbc668cfd4d4a479d8c38fed9eeb0eccdcc2b3de286ee8a94 |
| SHA512 | d873b1353d4ee94de13f81653ae5b6738bcfbddc44c6fb6b1d2354adf8844b6ce9a8a2e5a0fd5f7e1570691f8468f1137398e979704a30dff7795e21c37de320 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
| MD5 | a47c61ddcbe27461e7eafcf45f98aed7 |
| SHA1 | c458e780c0d157cf65abd4174a96f4dc855af01c |
| SHA256 | 9e9d18b35a520d4d2beb61c6fed7a2438e3a15fd3c6b05692a7bbfc75d95d5c3 |
| SHA512 | c9741d765564c9dd259a443cdc4b9e8d38acf9f085174825ac66cfe7c315a9cd192e7975a04ba8348700e60ea7cd18dc6455ba3dd0096a27e730c2655cb7a56f |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
| MD5 | 9c6ac7039da46878db35990a4494fad4 |
| SHA1 | c70b26005f1195a3ec96afb9b2e2a311e8865f5e |
| SHA256 | 73c9c1f3ea716234fd8946a99d32ad420699776af5df36803c396e63cf1a044b |
| SHA512 | 88d0a81ddc03b01bea0f0866b5be4f8a66440afb1249b6a3414df34d0b8598d9ae683c5b49e43e0c3103b34a2abb874817673b115bc6df9bad8aa825fe401ec8 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\o
| MD5 | ce6561957aa2ff202a8fd131dcc2865b |
| SHA1 | 1f3a5b9cd166f72539e45e3b3cb4302c3569f8e8 |
| SHA256 | 787682588d67b0de45595288ce9e39b37023b1a1573118155e9f2691d59c083f |
| SHA512 | d6701afc6d20211d7fdf2741c91024f9edbf787e8566d2011a1c47a72d3b5bfec24f21847fdffbb56f221258efa6c15ce5944e9b1c7c010458eae6a3af56cf6a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Orti.sys
| MD5 | e2547dcf55d47ffb69ae8badf09571ac |
| SHA1 | b11e27e5e436e34929b5d84deb29972de1e4495b |
| SHA256 | 5298a1ae13f4409c8ef3e019692338b3d6545a494f813f6d35c88cdbd2c9ebc1 |
| SHA512 | 5ed197d9301e0fc615eadb12af5d8eb1ea735f0f84c21bc7a88dcb41f146c9db8213c9679ddf08346af3899a56919f23085ee2e8e7286fdcbb661cca806d349d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amo.sys
| MD5 | 66712fc92a4d05bfc412b18541a1e8df |
| SHA1 | bf4fb00e6b894338aea687cbf537c90fc255710a |
| SHA256 | 750eed4b135f1ea433781bc4b9bb26029b2c49dbc647248460b3409329d30e0f |
| SHA512 | a792210dacd9018a16b3071deb823d0a9d66ec86d043d7dae5049bbec74dbf7446565d4262b01cf3acefa7088e344d15651339e7a831f96c3b68aa88e3bd8049 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
| MD5 | 24aba0addcef79e931696f40a65f22b8 |
| SHA1 | efe8ae3a32dac73d4f60518b879d1be8c2119916 |
| SHA256 | de4ac324ac73d439e9ec7d2f1e31d592e036bd8400299549569967f5d619232f |
| SHA512 | 2d1a2a765b099180e81725798e0aca118885004a34a231ae8236c36ed53f50cde15220121368d2fbf1666b9e51115e2f3a5d453b6eef37418e3ab6234d287fb1 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
| MD5 | d75189a31a054571e9d3c4e289ab5de0 |
| SHA1 | e210cb44dfc18de4ba14a7177d97545759ea32b5 |
| SHA256 | 6b9181fdd9783c22f06a07d48c256a7e1e61b6dea96b9dbfe7fba073dc226192 |
| SHA512 | 427ea62044db3cd9b68afc6862aad3395f1920e847b70869175cdeb287d40c1a878f016d72e66146ca56e1aeb739d6cbb1b17899d09cd68a12a3e73cd8debf09 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cancellato.sys
| MD5 | a19f25da97e5d39ef4ce2251eb5814ab |
| SHA1 | afda12d873a40cecd1cb51422cd71efb41372072 |
| SHA256 | 6638a728543e9ed47f24925f30dc491332736a9a42e7ba0270a87db57a134523 |
| SHA512 | 4793da9fe84158d914fafcae92d41ecf39b904ebff7e0c1b62c7c9a6d31e33e2be7d71e2c5dcc7725718e494c863f97a53806fa0753d86b6c3e50a3de1860dca |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
| MD5 | 68e2367febb72a998b89e4afff55e5a7 |
| SHA1 | 30754bf92feb3fab87cf307dcdfbd354edfee270 |
| SHA256 | c80dac88e33e54a15bcc1cf8c0da425317cc2ec59522799933133ee702c4e379 |
| SHA512 | 1756fe5cbb3cef53362ae1fe44386c4177206a8be673375d26bbe9f0a486f6957de3219485a027f1d6862c90f09e29ab802904a79ab5a572aad2ffc568c82efb |
memory/2888-24-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2888-26-0x0000000003890000-0x0000000003933000-memory.dmp
memory/2888-27-0x0000000003890000-0x0000000003933000-memory.dmp
memory/2888-25-0x0000000003890000-0x0000000003933000-memory.dmp
memory/2888-30-0x0000000003890000-0x0000000003933000-memory.dmp
memory/2888-29-0x0000000003890000-0x0000000003933000-memory.dmp
memory/2888-28-0x0000000003890000-0x0000000003933000-memory.dmp
memory/2888-31-0x0000000003890000-0x0000000003933000-memory.dmp
memory/2888-32-0x0000000001230000-0x0000000001231000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\_Files\_Information.txt
| MD5 | ab076fcf100fce5f09c71ef0b866a00f |
| SHA1 | ca1a0c85a5e7c9f5ee158d84e8fbd9538ea1bb12 |
| SHA256 | d9add941d40fbbb19624e7f04498dc335485949421e6e95c9272b8b08283bc24 |
| SHA512 | 10be64488502a21af5e488be525816cd9b58ae40a2a8176c4d85baf6498ec606540571b8e95275fbb92e8230e8c0b2ccb4ec5844ad6fc66dbdc8100aff0e4098 |
C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\_Files\_Information.txt
| MD5 | 8a2dcc256282bc2e83af7bd38c1c3e26 |
| SHA1 | d854a11599532f7eb2c084051817b45b02418807 |
| SHA256 | c66e222beabcf3e575b79d1f8e1f209bc5689579bd120076626d8885d835d86d |
| SHA512 | af08c1263d06c4e2beee05157d9ee6f469f71316b3407ff742c7dcad5ded55ca0605435b3c195fa8d3a58eee1215c047020d85f110c7f3cc14dff8448d210fa2 |
C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\_Files\_Information.txt
| MD5 | 505eb04cba71c5b64c28c90775164605 |
| SHA1 | 07969d39187c7c1ac18ce66bb3e9a244c9583d8e |
| SHA256 | ced40fbc5bc5d15212ebbd1688801ef4448254d9e78be974a59f8ac32271c8ce |
| SHA512 | aa708ecdd659f02814f47761885dcd068bf4ff6cc28e6710d1dd25e4e7ed62fa3d85444111f4624a925638eedd6dac6d33fbf9cc93cdcad24872623c3b9edc4a |
C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\_Files\_Information.txt
| MD5 | 2eb97898ea7b5ba70a54b48e116ebc5e |
| SHA1 | dd1f77c1b084b638ed9d7a9764bd3e5137fe9192 |
| SHA256 | 4296a005ee525c2e9fae850f95f8b022d7613db797ec9a88ff6af0939059787d |
| SHA512 | 724dc735e439a103de9fa7ca92ffb858c332d62084edcc0d6bfb14f6c33415ad48e24850c77e43d7198e65da955f4b8a2a8d8865613205dee2d80986a615d476 |
C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\_Files\_Screen_Desktop.jpeg
| MD5 | 0cc1ba97471bdd798850320490346a89 |
| SHA1 | ea5ae006cb80e16e33a8fcbe9d6cb24394be589f |
| SHA256 | e26bf2e797121b4602be9a517604fdb59dcfaa5d778843d4d3ec1ee836b78334 |
| SHA512 | b25242f517588f5d2b0b145c209fe13199d89c7a7df9f35051329b6535e26ff63ca86e2f885e0770e1d343b06528bfb68de945a55018fecd4a7356d9f2b16dda |
C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\files_\system_info.txt
| MD5 | bc24221700edfc74ca9d6217a9635108 |
| SHA1 | c763992ed47c122607a6ef6eb75e29b08c7cf084 |
| SHA256 | deec0cf52e37a9bb05c0131438c1817f64b423d9b45ec767997587c32bf00b7e |
| SHA512 | f942f35811bf1cc75dd7c7477370a543eb9f85464886567a26b23f981a18f837122a4319a9ca4bc25334bcb4c72e323ef778f8110cb86858e38616fdcb8d3a49 |
C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\files_\system_info.txt
| MD5 | 00272f530355ed9a808822cd5004f36e |
| SHA1 | ee2f54c1d1a85f243891a03f66f9bff91509ceec |
| SHA256 | a335153f5ca25fdcbe0b8f41225f26f2189876121af0df9efc023a9faff04572 |
| SHA512 | afeda1fd0f4df247555a1ca3bb5e2ed439d4a2428130e34650090695bcb3de63d1c9e885efbe6d3cb30cbabc8a39d9dcf5f12178fedd6d245b963f5e3af0ec52 |
C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\files_\system_info.txt
| MD5 | 9ec3aa377780a9f88cf728cc3d50f8ec |
| SHA1 | 8e3d24b8725f0f0c64bae65e2ea8abf6845a1ffd |
| SHA256 | 3983ffa8e35af2358b7dd50addec054ce5132feb595ed51b7ca1b7f6c17c2003 |
| SHA512 | f686ece883d7d0f4a1984b3a0c626d424d66892c26224848809dcbffb3aeb9141b6de2e133f74d4dc5ece315b4036d128e57c0e74969c9813d319c3a6e3acca5 |
C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\files_\system_info.txt
| MD5 | 78de8c73a6192a07859b85d12ba75674 |
| SHA1 | b13f5055f141a49aa69c0738a95e7cfa857f9452 |
| SHA256 | aa31fa5d173a25de2981456705d28440ac7d8599defc838ce86e00f88920fc27 |
| SHA512 | 120383574de8a0ca7bb6c19b0bc0ba12938d2ba39e9d0e47762db2dfb72055a9915751f81a69d9767766c0461390928e38771aecb5a95809ce16d7536f53f032 |
C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\files_\system_info.txt
| MD5 | bef5842ff3438a6d7db4fae5749f5400 |
| SHA1 | 266d53bd91ab1a08a813ae12e3830c534f04400c |
| SHA256 | 999978604573788d308a43faac42a0f73f3b89f2d4594c607494a8a59cbb9193 |
| SHA512 | f920c030e3c530f259dabf3b14fd0099584d86cece828d2f30f43252705da61e50efbc828401c51f0c0f757dabc49c5526066eae80aa4fe8ec164ef5c21adb7f |
memory/2888-251-0x0000000003890000-0x0000000003933000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\LWnvpACPGyWrwu.zip
| MD5 | 32b9f026d02bd7ac6d2ecb09c286351c |
| SHA1 | 370b322cbb15ef49ef9a50e190df89d784219848 |
| SHA256 | 4dae7532d66c035509af4ac0b2a3f52394d414ef5c674413d43ced351fb84249 |
| SHA512 | ec83a43ee35addb761912b445566efd965f9f299c06a4d99cd9b5787acd10543470d3292a5cd80b89813d135226ef34c5c58d0ed9562bb105f2f0f3888c95dba |
memory/2888-253-0x0000000001230000-0x0000000001231000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-28 23:01
Reported
2024-01-09 22:33
Platform
win10v2004-20231222-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe
"C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe"
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^fEQJhwnKKuicpzjpscwvTJMvNeQkoysJJdDVeObWsMNmmUcuUwpUoKgFSxVlkhBEObLTPduDXttuWhWTGJsiVbAZwY$" Orti.sys
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 30
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com o
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
Poi.exe.com o
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Amo.sys
C:\Windows\SysWOW64\cmd.exe
cmd /c UcNzcjbM
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | UFXrFoIFneEBVxJsXMSQh.UFXrFoIFneEBVxJsXMSQh | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaqfe45.top | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaqfe45.top | udp |
| US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaqfe45.top | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaqfe45.top | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaqfe45.top | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | ewaqfe45.top | udp |
| US | 8.8.8.8:53 | ewaqfe45.top | udp |
| US | 8.8.8.8:53 | ewaqfe45.top | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaqfe45.top | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 88.221.135.83:80 | | tcp |
| GB | 88.221.135.83:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.173:80 | | tcp |
| GB | 96.17.178.173:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.173:80 | | tcp |
| US | 8.8.8.8:53 | ewaqfe45.top | udp |
| US | 8.8.8.8:53 | morjau04.top | udp |
| GB | 96.17.178.173:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.173:80 | | tcp |
| GB | 96.17.178.173:80 | | tcp |
| GB | 96.17.178.173:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dov.sys
| MD5 | 12ff8e0efd9f2562d16b1e80732199d6 |
| SHA1 | 72bee424ae31db9d44af600d3ed7efe2fd302feb |
| SHA256 | 04e8cb2989a65eba72595910983a478060804d0574f7601e63ca2a2019ea2f6d |
| SHA512 | 31e5fb89c6b1e8cf8d5880cd7be02bd211621fa9173f2e809565d050b019ff04926e12a2520c404fbf7d4ae1df9dcb52e2c6da6d68abbbaecdff6ebc7032a489 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cancellato.sys
| MD5 | 54f0e73b5a88d409599b7e3e750d7b3e |
| SHA1 | 505d7e828d731229a6de916484cab7dedb46b514 |
| SHA256 | 34ab271f23045173ce6aba259cc4a4e4c865bad16f477e6835a8bc5b7b522dbe |
| SHA512 | 1c351347ba9a1a14f9d115f62e79817e33e8029eae9f41096d082d2edd3faec7ced9fb6757750cd72d300c7b10f651f2466899cbb1586e0014a308f2aa874d9a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Orti.sys
| MD5 | 6204adb9ff1ab1b352c0d002898066f8 |
| SHA1 | 187a0baa6edf36c368228803ca848ff936d960f0 |
| SHA256 | 286df8487ecbacbd539fe964823253f8d0a8f515079b44938b09a1a1bee2e6ee |
| SHA512 | eb9478ff389a6e392d8db73240c0f917ad004ca685f35f74a36e5f779530b5f707eabb28f64be1c283c74e640817acf85b266508ee0d3360b43abfe08fc4ef32 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amo.sys
| MD5 | 66712fc92a4d05bfc412b18541a1e8df |
| SHA1 | bf4fb00e6b894338aea687cbf537c90fc255710a |
| SHA256 | 750eed4b135f1ea433781bc4b9bb26029b2c49dbc647248460b3409329d30e0f |
| SHA512 | a792210dacd9018a16b3071deb823d0a9d66ec86d043d7dae5049bbec74dbf7446565d4262b01cf3acefa7088e344d15651339e7a831f96c3b68aa88e3bd8049 |
memory/3380-21-0x0000000004A20000-0x0000000004A21000-memory.dmp
memory/3380-24-0x0000000004B90000-0x0000000004C33000-memory.dmp
memory/3380-23-0x0000000004B90000-0x0000000004C33000-memory.dmp
memory/3380-22-0x0000000004B90000-0x0000000004C33000-memory.dmp
memory/3380-27-0x0000000004B90000-0x0000000004C33000-memory.dmp
memory/3380-26-0x0000000004B90000-0x0000000004C33000-memory.dmp
memory/3380-25-0x0000000004B90000-0x0000000004C33000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
| MD5 | 1947dc50b35f5fa74d801e6e603606da |
| SHA1 | 3e273830197f729a0d95a04e3f468c042791feea |
| SHA256 | 1a05861ffaff6a3e871203d69e21916bca3664674516d938fdc2394d2216c6f5 |
| SHA512 | 06b7660b32f283d8c015007d7f8b857dae18128aa357569b4e608db3c8031ea517c43d8dcaba3b3ad530cdcf4f53b32e2b25a6f3fef88d94edd2ceb52365e9a8 |
memory/3380-29-0x0000000004B90000-0x0000000004C33000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\_Files\_Information.txt
| MD5 | bed5729b972fc84784fee00f37b1a3ba |
| SHA1 | 279d15739db61ba6b1342ac9bcc13f35f4be63ef |
| SHA256 | 4a41eaed64a71d756be26ca15fdb9a8166982300f8a6f2676d6bc5a624a558a5 |
| SHA512 | f637fc660c5b741d7df53b31c0b9bcdf45249d2381f0da18123a929d5c8265d28a6d5b6e94d8b601490965359a7f3f51375d99fd9cdbdc74343a576a5c1dde5e |
C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\_Files\_Screen_Desktop.jpeg
| MD5 | 72bd4cd78cf511412e7ff5b1e9c2cab0 |
| SHA1 | 9506acc465154ba16a270116deef0a21d2e59671 |
| SHA256 | 0dd1f3acd39897d2b8014ca6f8374f9bd22d03d6e5ab8fe8f47b06a673915b5c |
| SHA512 | 9a87f47576748be24adbf58f9479e16314edfd96482b1381a89e6c43e225ebf1ea570c956f912cbb1d7f27dff2850a28e6398cf9d518e1125557410771b5918c |
C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\_Files\_Information.txt
| MD5 | 462ae8f6c55fe9f902a166e3195d26cb |
| SHA1 | 4aa75d7e3f59e730c1894ebb800fd7733bb558b8 |
| SHA256 | 12fcfe636fc86ae93c7dea0b88afd91862944da26732f96727c9e9f6738f7f1a |
| SHA512 | 427d2281061f4c675ee7d331a4c3d108ede1991cdd7f33eb16c57da01726ac4461c11da267b18aace69dd39a3ea5cd04794073a97e609ab67c6929c08a245fb9 |
C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\_Files\_Information.txt
| MD5 | 0a8477621b9c8e3c29af1bef6de5af4b |
| SHA1 | 62659149c21c4b89aaa2f5925f605ab2760a620c |
| SHA256 | d6a5deccfd9f8054c330218118c39d9a0dc3d86e07ae3b3ed028ff30b1013fee |
| SHA512 | 9c49759d580af62549b0c3799b01330067dd919b1bdf9e598d03af0956c98491a6ecb5889d135246f66128dfe6eb64db82de06ca90b185fa5a4fe9546fe53b42 |
C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\files_\system_info.txt
| MD5 | 388f28603075fd048569dd2193027c5a |
| SHA1 | aeadf409ddd10eae410f288679febdc8e0cecb69 |
| SHA256 | 8ed7d23b3cebc31f7edacdbef77c3171e9f5a54faf44cd795e019840449c05d5 |
| SHA512 | e22f761ac6ee5b598ded81dfe85796254643af395e071df74df21203636040ac3c0164b84e0fa7b7c00c385e3cc40a8893e492d0b419481a9555fad13ece92ca |
C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\files_\system_info.txt
| MD5 | 7f1dbdf77e6e19b6de4a449731940250 |
| SHA1 | 8147f1e55532cb16ec18533bc96d98a4bba0b8e9 |
| SHA256 | 5d55f3be7f56b5c683ddcbd8bf07ce7f49ee94de8f12acf88e7886bbe2ea76ca |
| SHA512 | 3d9604e6ff8e4a705a7a53276cad9a3847151b0bfda9f3c28a2766785dc8f78a6606d443463a6d3efcf668ef52c8706874ee37d0e11bac1ff9fe5e82dcd12cbe |
C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\gThomeFTnYDdfx.zip
| MD5 | 709e38c165791c0c77619cc62455707b |
| SHA1 | 60dbb775be4a83915bac31f669fdbda8f9db1d90 |
| SHA256 | 0aebb247d2ad28f347d3b90b8d4a4367cd4b644227cf96c3c1bc0295601f02f6 |
| SHA512 | 43464b16117f36a7c85bb75d713232303222a18b0e4503960942894562f68565432fef13e0f6e3bcaad395cac6809e7c470beee01834f5d00bd7cdfe8d01b803 |
memory/3380-237-0x0000000004B90000-0x0000000004C33000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\RgjASIq4oE.zip
| MD5 | 1f3d3651b297133747d9fb40e815628e |
| SHA1 | a0707e4b04d1b74e62f8b29baa65820cac4793c4 |
| SHA256 | 2ca85bbbacbaccda2c2638e8f572566bc334f139f6dab35e37e90445c9f8f06d |
| SHA512 | 6e52855ac3bd9bdd8f60f8ffa4f0390c6dc9e8666708f440efe9af1156b96d079b96024262483f19f15eda4c678c1602299c42728b18469e073254df10769beb |