12b5ceacdbfe573ca70763838a3025f0460969204ffec34deb85e5d4a65ba5cb

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 06:44 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f2a197f45fa04029ab8da23ea2a5931.exe
Size

1.1MB
MD5

7f2a197f45fa04029ab8da23ea2a5931
SHA1

6ff1e7cc06beb6a703f5239b3dd4288ae00eb1b7
SHA256

12b5ceacdbfe573ca70763838a3025f0460969204ffec34deb85e5d4a65ba5cb
SHA512

0da39847f60647fbffd1523576a28f6b499dbbb70f99f089bfb48389dfc3ad70aa554633b3416abed37293716ca870d68287f96c94cd19db5f615dea9a928f4b
SSDEEP

24576:D99fMLQ6gSy8Q7BiNL+VElHA1dHdQ0aKMrzws1Ztf3vG:59EUOQdiNiElHAbdoKUwsVf3vG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2004	starter.exe
2696	ArcadeYum.exe

Loads dropped DLL 5 IoCs

pid	Process
2668	7f2a197f45fa04029ab8da23ea2a5931.exe
2668	7f2a197f45fa04029ab8da23ea2a5931.exe
2668	7f2a197f45fa04029ab8da23ea2a5931.exe
2668	7f2a197f45fa04029ab8da23ea2a5931.exe
2668	7f2a197f45fa04029ab8da23ea2a5931.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ArcadeYum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ArcadeYum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ArcadeYum.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ArcadeYum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	ArcadeYum.exe

Modifies system certificate store 2 TTPs 6 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ArcadeYum.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ArcadeYum.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ArcadeYum.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ArcadeYum.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ArcadeYum.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ArcadeYum.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2668	7f2a197f45fa04029ab8da23ea2a5931.exe
2696	ArcadeYum.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	ArcadeYum.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2696	ArcadeYum.exe
2696	ArcadeYum.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2004	2668	7f2a197f45fa04029ab8da23ea2a5931.exe	28
PID 2668 wrote to memory of 2004	2668	7f2a197f45fa04029ab8da23ea2a5931.exe	28
PID 2668 wrote to memory of 2004	2668	7f2a197f45fa04029ab8da23ea2a5931.exe	28
PID 2668 wrote to memory of 2004	2668	7f2a197f45fa04029ab8da23ea2a5931.exe	28
PID 2668 wrote to memory of 2696	2668	7f2a197f45fa04029ab8da23ea2a5931.exe	29
PID 2668 wrote to memory of 2696	2668	7f2a197f45fa04029ab8da23ea2a5931.exe	29
PID 2668 wrote to memory of 2696	2668	7f2a197f45fa04029ab8da23ea2a5931.exe	29
PID 2668 wrote to memory of 2696	2668	7f2a197f45fa04029ab8da23ea2a5931.exe	29

C:\Users\Admin\AppData\Local\Temp\7f2a197f45fa04029ab8da23ea2a5931.exe
"C:\Users\Admin\AppData\Local\Temp\7f2a197f45fa04029ab8da23ea2a5931.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe
  "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe" bgAPg0ONV5jgVSdenMBG 962
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe
  "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe" IC9UaWNrZXQ9YmdBUGcwT05WNWpnVlNkZW5NQkcgL0J1bmRsZXM9MTYzfDE0NXwxMzR8MTYyIC9PYmVyb249MjAgL0Jyb3dzZXI9MSAvQWRMb2M9OTYyIC90cGQ9aHR0cDovL2QxLmFyY2FkZXl1bS5jb20vYWovYnVuZGxlLzk2Mi8/cD1ZVEkwTmpjMU5qZzVNVEY0M0hjODFwdGh1U0J6VGhZYyUyQlRJTWJSZEpTRjdmc1dPS0RFbWpaenIzcXNaSUROOXR0UUM5UWdQRG5pb3pPeEV5Mm5maU8yWDFhT2Z2aHpvUDBGSzMgL29wdGltaXplR0M9MCAvdXNlck5hbWU9QWRtaW4gL3VzZXJTSUQ9Uy0xLTUtMjEtMzgxODA1NjUzMC05MzY2MTk2NTAtMzU1NDAyMTk1NS0xMDAwCg==
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2696

Network

DNS

fagamesframework.com

ArcadeYum.exe

Remote address:

8.8.8.8:53

Request

fagamesframework.com

IN A

Response
DNS

d1.arcadeyum.com

ArcadeYum.exe

Remote address:

8.8.8.8:53

Request

d1.arcadeyum.com

IN A

Response

d1.arcadeyum.com

IN A

172.67.137.213

d1.arcadeyum.com

IN A

104.21.86.236
GET

http://d1.arcadeyum.com/aj/bundle/962/?p=YTI0Njc1Njg5MTF43Hc81pthuSBzThYc%2BTIMbRdJSF7fsWOKDEmjZzr3qsZIDN9ttQC9QgPDniozOxEy2nfiO2X1aOfvhzoP0FK3

ArcadeYum.exe

Remote address:

172.67.137.213:80

Request

GET /aj/bundle/962/?p=YTI0Njc1Njg5MTF43Hc81pthuSBzThYc%2BTIMbRdJSF7fsWOKDEmjZzr3qsZIDN9ttQC9QgPDniozOxEy2nfiO2X1aOfvhzoP0FK3 HTTP/1.1
Host: d1.arcadeyum.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Date: Mon, 29 Jan 2024 06:45:09 GMT
Content-Length: 0
Connection: keep-alive
Location: https://www.servicesrestriction.com/?p=d1.arcadeyum.com
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5aREZ4dq7LR%2BA8mgurnEZ9WB4ryRmJI0MHD65Pp8CTKkTk%2BWuLSwIOU9rBkcT6cXPTcmb7L0FxxPCiNnMiEONKa9wCLrkVzwQxyX8MN%2BImEmkITsDAF9VszVGrNGRjXZF1Jh"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84cf82bc5f336322-LHR
alt-svc: h3=":443"; ma=86400
DNS

www.servicesrestriction.com

ArcadeYum.exe

Remote address:

8.8.8.8:53

Request

www.servicesrestriction.com

IN A

Response

www.servicesrestriction.com

IN A

104.21.40.181

www.servicesrestriction.com

IN A

172.67.156.20
GET

https://www.servicesrestriction.com/?p=d1.arcadeyum.com

ArcadeYum.exe

Remote address:

104.21.40.181:443

Request

GET /?p=d1.arcadeyum.com HTTP/1.1
Host: www.servicesrestriction.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 29 Jan 2024 06:45:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FjUzr6vg64cfJcSzCQv7L%2F%2BqxI0txzATiKwx%2B4tfUrLaCx7GZL9RVq9ebbR2U332kaEDawZY9mQuyALZ7MCuaBmYnK33xKG0ezLOYqwgkUJjSJ%2FYe46HxXo1HciEr8xxishzlXlclmUat%2BfTgD8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84cf82beec5f4065-LHR
alt-svc: h3=":443"; ma=86400
DNS

arcadeyum.com

ArcadeYum.exe

Remote address:

8.8.8.8:53

Request

arcadeyum.com

IN A

Response

arcadeyum.com

IN A

172.67.137.213

arcadeyum.com

IN A

104.21.86.236
GET

http://arcadeyum.com/aj/ireport.php?p=urWx%2F%2BHkwtPks8zN1bbp5NXQ5%2BbtzsHE%2F7HHsLa6x8LGwrDCt7GysbP%2F%2F%2F%2FFwsrPxsf%2F0Nfcx8zUzc%2FMwsfcxcLKz8bH%2F%2F%2F5%2Bdzi%2Buqjsa2yrbG1t7A%3D

ArcadeYum.exe

Remote address:

172.67.137.213:80

Request

GET /aj/ireport.php?p=urWx%2F%2BHkwtPks8zN1bbp5NXQ5%2BbtzsHE%2F7HHsLa6x8LGwrDCt7GysbP%2F%2F%2F%2FFwsrPxsf%2F0Nfcx8zUzc%2FMwsfcxcLKz8bH%2F%2F%2F5%2Bdzi%2Buqjsa2yrbG1t7A%3D HTTP/1.1
User-Agent: zz_ayi 2.1.2643
Host: arcadeyum.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Date: Mon, 29 Jan 2024 06:45:10 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://www.arcadeyum.com
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vmAbawL5eaSHMBW3bTNEchzbHCD55p%2FJIA3kI%2FsiTu4RUUir1nwl%2BKKjImLpBiQY1RbnVNsS6m5CkcEhswBcjiWngg6iYv51M8oEiDCa7GsAOxploJ70g3q5vwd16ko1"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84cf82c1cda863c5-LHR
alt-svc: h3=":443"; ma=86400
DNS

www.arcadeyum.com

ArcadeYum.exe

Remote address:

8.8.8.8:53

Request

www.arcadeyum.com

IN A

Response

www.arcadeyum.com

IN A

104.21.86.236

www.arcadeyum.com

IN A

172.67.137.213
GET

https://www.arcadeyum.com/

ArcadeYum.exe

Remote address:

104.21.86.236:443

Request

GET / HTTP/1.1
User-Agent: zz_ayi 2.1.2643
Host: www.arcadeyum.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 29 Jan 2024 06:45:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=ma105hp84mb2q8gjrh98aav7ei; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
strict-transport-security: max-age=16070400
Vary: Accept-Encoding,User-Agent
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WktXqtjd%2FiT9tviHHxG%2BwSe3nJosiRGuyng%2BumFxRHhUSV%2B%2BSVmId7Ul8%2F9lPolW7dAiu7VO%2F3jaIV1EkIalGyxP6RiEg%2BfYRJjvKOS0dOp6fYDxoaBcMI6qe9vTyWnng9KFpw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84cf82c6fdd979b9-LHR
alt-svc: h3=":443"; ma=86400
DNS

apps.identrust.com

ArcadeYum.exe

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A

Response

apps.identrust.com

IN CNAME

identrust.edgesuite.net

identrust.edgesuite.net

IN CNAME

a1952.dscq.akamai.net

a1952.dscq.akamai.net

IN A

96.17.179.205

a1952.dscq.akamai.net

IN A

96.17.179.184
GET

http://apps.identrust.com/roots/dstrootcax3.p7c

ArcadeYum.exe

Remote address:

96.17.179.205:80

Request

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

Response

HTTP/1.1 200 OK

X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: same-origin
Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
ETag: "37d-6079b8c0929c0"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Mon, 29 Jan 2024 07:45:10 GMT
Date: Mon, 29 Jan 2024 06:45:10 GMT
Connection: keep-alive

172.67.137.213:80

http://d1.arcadeyum.com/aj/bundle/962/?p=YTI0Njc1Njg5MTF43Hc81pthuSBzThYc%2BTIMbRdJSF7fsWOKDEmjZzr3qsZIDN9ttQC9QgPDniozOxEy2nfiO2X1aOfvhzoP0FK3

http

ArcadeYum.exe

513 B
1.4kB
7
5

HTTP Request

GET http://d1.arcadeyum.com/aj/bundle/962/?p=YTI0Njc1Njg5MTF43Hc81pthuSBzThYc%2BTIMbRdJSF7fsWOKDEmjZzr3qsZIDN9ttQC9QgPDniozOxEy2nfiO2X1aOfvhzoP0FK3

HTTP Response

302
104.21.40.181:443

https://www.servicesrestriction.com/?p=d1.arcadeyum.com

tls, http

ArcadeYum.exe

938 B
8.9kB
12
15

HTTP Request

GET https://www.servicesrestriction.com/?p=d1.arcadeyum.com

HTTP Response

200
172.67.137.213:80

http://arcadeyum.com/aj/ireport.php?p=urWx%2F%2BHkwtPks8zN1bbp5NXQ5%2BbtzsHE%2F7HHsLa6x8LGwrDCt7GysbP%2F%2F%2F%2FFwsrPxsf%2F0Nfcx8zUzc%2FMwsfcxcLKz8bH%2F%2F%2F5%2Bdzi%2Buqjsa2yrbG1t7A%3D

http

ArcadeYum.exe

533 B
1.1kB
6
5

HTTP Request

GET http://arcadeyum.com/aj/ireport.php?p=urWx%2F%2BHkwtPks8zN1bbp5NXQ5%2BbtzsHE%2F7HHsLa6x8LGwrDCt7GysbP%2F%2F%2F%2FFwsrPxsf%2F0Nfcx8zUzc%2FMwsfcxcLKz8bH%2F%2F%2F5%2Bdzi%2Buqjsa2yrbG1t7A%3D

HTTP Response

301
104.21.86.236:443

https://www.arcadeyum.com/

tls, http

ArcadeYum.exe

1.0kB
9.0kB
14
15

HTTP Request

GET https://www.arcadeyum.com/

HTTP Response

200
96.17.179.205:80

http://apps.identrust.com/roots/dstrootcax3.p7c

http

ArcadeYum.exe

421 B
1.6kB
6
5

HTTP Request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

HTTP Response

200

8.8.8.8:53

fagamesframework.com

dns

ArcadeYum.exe

66 B
139 B
1
1

DNS Request

fagamesframework.com
8.8.8.8:53

d1.arcadeyum.com

dns

ArcadeYum.exe

62 B
94 B
1
1

DNS Request

d1.arcadeyum.com

DNS Response

172.67.137.213

104.21.86.236
8.8.8.8:53

www.servicesrestriction.com

dns

ArcadeYum.exe

73 B
105 B
1
1

DNS Request

www.servicesrestriction.com

DNS Response

104.21.40.181

172.67.156.20
8.8.8.8:53

arcadeyum.com

dns

ArcadeYum.exe

59 B
91 B
1
1

DNS Request

arcadeyum.com

DNS Response

172.67.137.213

104.21.86.236
8.8.8.8:53

www.arcadeyum.com

dns

ArcadeYum.exe

63 B
95 B
1
1

DNS Request

www.arcadeyum.com

DNS Response

104.21.86.236

172.67.137.213
8.8.8.8:53

apps.identrust.com

dns

ArcadeYum.exe

64 B
165 B
1
1

DNS Request

apps.identrust.com

DNS Response

96.17.179.205

96.17.179.184

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c3f99de15490c91f77864e510101fe44

SHA1
3d46acbfa498af49fe7422ab76fa37d733ec2f4c

SHA256
29de0fa1cfc6ca655fe6100d065ef229adce9e49c6b1490378f2dfcbb6a5005e

SHA512
15a87d70327942f27facd7b4aebd7dfe9a4ce88ca31a3c384bf0f9f8808e4af92e641a1b80ca75194dd0ee3c88c39fdc9fb4d2238ad60846dbc55f10ae953c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2780.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar280F.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe

Filesize
883KB

MD5
1df9cb2785075f2738d8bdb876831731

SHA1
4a3048ba67f8b2529846e51cd0e7793f63f20ae3

SHA256
8459860387ea51a7d83e817f72d46f4eeaade8ec4414c89843676dc29d4496d9

SHA512
9209c7aac280b00905432be6d1f592c8fa99b6bbbc112297a0273d761d5c75d90e836bb66823181cf563df645b34e022f755e865f5d07b5588e1688d8476d330

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe.config

Filesize
231B

MD5
ae437dea18c61477cc2f17f46fb11d01

SHA1
94afba8148c6072ad60c6899ed717005681e9da5

SHA256
d8966d4c96ba3c910f86c44d6d7b6c298cc70cc3c5c61bb975861eed846b0754

SHA512
61ad33f07fbb65863f1eb02a14230c38766fbb5e1fe4263433ecd32375249e7af71e49f054e5f919884f5250dccf95fb6791ceeadf3c2d4cb468ba5af3e8902b

Download Submit
C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\config.cfg

Filesize
73B

MD5
9f48223e72c07a29f7da2043b2a77c7e

SHA1
cdfc5fc42b47ae2a89e99347b61345e39d9e0526

SHA256
3d781804f0cd93d69d1d01a636aab3199b1b082eafaf485ec7a9ee24492b4b5c

SHA512
5ffdfb05f1cafb2c1b4be250be03eec4167ab1ed77d6d60cee5cbc3276668d161128c393f38ae0ad6966b2c00fde7810189f9d81060c14e02a275438d2a39fad

Download Submit
\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe

Filesize
1007KB

MD5
a0865a8429851042ede865187a5d6eeb

SHA1
1a71a4301d305a1cdacfd4c18acd6a057bd4cf44

SHA256
ebb4713a230340735681433fc87be0e46ab2db19ef395276a573086e45a631c2

SHA512
e20e286ca064ef84ac2f18450894c46d162af00c263b25a19f1d685769e1780a48961faf1397ff819bca2f2880759f7a7e86dc3d5b080b91e8afe164409bda42

Download Submit
\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe

Filesize
521KB

MD5
992afae26dad8c8dd426968663f67f79

SHA1
3e07d8ad827c9230434a3b595d71e9d7971ed544

SHA256
d47cab9af0e1ec58f859df06eebb19d10dbfeb26d4252a613a44d5dcd486909a

SHA512
fcbaf4ef20160cdcfdec8ca830c78adf1ec988c91eae1fbff3cbea6edc9af106ddfacbbe7510b0ff7ccd7a9768cf767605d9637559b8237e68c28295adfcb26f

Download Submit
memory/2696-23-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-25-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/2696-26-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/2696-24-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/2696-22-0x00000000010B0000-0x0000000001192000-memory.dmp

Filesize
904KB

Download
memory/2696-90-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-91-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.