Analysis Overview
SHA256
9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64
Threat Level: Known bad
The file 9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 23:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 23:41
Reported
2024-04-06 23:43
Platform
win7-20240221-en
Max time kernel
153s
Max time network
130s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\doout.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\doout.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /i" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /c" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /o" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /p" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /v" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /y" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /x" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /m" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /n" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /h" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /f" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /l" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /q" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /j" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /e" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /t" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /b" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /s" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /r" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /k" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /u" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /a" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /i" | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /z" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /d" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /w" | C:\Users\Admin\doout.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /g" | C:\Users\Admin\doout.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | N/A |
| N/A | N/A | C:\Users\Admin\doout.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3024 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | C:\Users\Admin\doout.exe |
| PID 3024 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | C:\Users\Admin\doout.exe |
| PID 3024 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | C:\Users\Admin\doout.exe |
| PID 3024 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | C:\Users\Admin\doout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe
"C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe"
C:\Users\Admin\doout.exe
"C:\Users\Admin\doout.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ns1.musiczipz.com | udp |
| US | 8.8.8.8:53 | ns1.musicmixa.net | udp |
| US | 8.8.8.8:53 | ns1.musicmixa.org | udp |
| US | 8.8.8.8:53 | ns1.musicmixb.co | udp |
| US | 8.8.8.8:53 | ns1.musicmixc.com | udp |
Files
\Users\Admin\doout.exe
| MD5 | 8e0ad41b1ea1c83c3a22c6c632b051da |
| SHA1 | edf1aa37a5899aca8ec18f96595e972648ed6e8d |
| SHA256 | 7f3dd3398aa80e06dbab1923ff3c5367fbab6f87f2fe1b76b9a2e6100e2bc4b2 |
| SHA512 | cca8c9a84ae2fa9212cc3a8781bad3920a8aea37722947677516f4ac507e8f83ac387350fb3e1392e28ea2374a85fc5730a260160a129504fddba1db7239a30c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 23:41
Reported
2024-04-06 23:43
Platform
win10v2004-20240319-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\koiha.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\koiha.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /f" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /a" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /y" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /l" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /q" | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /c" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /d" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /r" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /k" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /z" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /n" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /g" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /v" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /o" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /t" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /m" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /h" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /i" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /s" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /x" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /w" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /u" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /q" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /j" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /e" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /p" | C:\Users\Admin\koiha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /b" | C:\Users\Admin\koiha.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | N/A |
| N/A | N/A | C:\Users\Admin\koiha.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2576 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | C:\Users\Admin\koiha.exe |
| PID 2576 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | C:\Users\Admin\koiha.exe |
| PID 2576 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | C:\Users\Admin\koiha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe
"C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe"
C:\Users\Admin\koiha.exe
"C:\Users\Admin\koiha.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2252,i,11231798169170618717,17890004712654885282,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.musiczipz.com | udp |
| US | 8.8.8.8:53 | ns1.musicmixa.net | udp |
| US | 8.8.8.8:53 | ns1.musicmixa.org | udp |
| US | 8.8.8.8:53 | ns1.musicmixb.co | udp |
| US | 8.8.8.8:53 | ns1.musicmixc.com | udp |
| GB | 13.87.96.169:443 | N/A | tcp |
| IE | 94.245.104.56:443 | N/A | tcp |
| GB | 172.165.69.228:443 | N/A | tcp |
| IE | 94.245.104.56:443 | N/A | tcp |
| NL | 172.217.23.202:443 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 13.107.246.64:443 | N/A | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\koiha.exe
| MD5 | 3b64716bc7076e740c75d256557578f1 |
| SHA1 | 2bb12c60b3232f9eafcd4d67a7a290a2c84e807d |
| SHA256 | a366071161b36f0248cc7466ede425197b3606ef86ba411dd65f2bd14f9884c7 |
| SHA512 | c439d1b4609fb92d4bc47bbd64aea5fa32bf01cbacf39ccf5e4550dfc1325e0980a7740d47631ea52c7347f948cb28337d3344374a879ab676715299b6513509 |