Analysis Overview
SHA256
2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28
Threat Level: Known bad
The file 2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28 was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Gh0st RAT payload
Sets DLL path for service in the registry
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-05 12:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 12:30
Reported
2024-06-05 12:36
Platform
win7-20240221-en
Max time kernel
106s
Max time network
158s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259426339.bat" | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchcst.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\259426339.bat | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File created | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe | "C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe" |
| C:\Users\Admin\AppData\Local\Temp\look2.exe | C:\Users\Admin\AppData\Local\Temp\\look2.exe |
| C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe | C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "svchcst" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "svchcst" |
| C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp | "C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp" /SL5="$40172,1110397,179200,C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe" |
| C:\Windows\SysWOW64\svchcst.exe | C:\Windows\system32\svchcst.exe "c:\windows\system32\259426339.bat",MainThread |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
Files
\Users\Admin\AppData\Local\Temp\look2.exe
\Windows\SysWOW64\259426339.bat
\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe
\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\_isetup\_shfoldr.dll
\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\idp.dll
\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\innocallback.dll
\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\botva2.dll
C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\btn_close.png
C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\btn_n.png
C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\btn_Browser.png
C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\back.png
C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\checkboxdeep.png
C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\license.png
C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\xy.png
C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\btn_setup.png
C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\btn_min.png
\Windows\SysWOW64\svchcst.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-05 12:30
Reported
2024-06-05 12:36
Platform
win10v2004-20240426-en
Max time kernel
0s
Max time network
156s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240600906.bat" | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4RE0V.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\240600906.bat | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File created | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe | "C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe" |
| C:\Users\Admin\AppData\Local\Temp\look2.exe | C:\Users\Admin\AppData\Local\Temp\\look2.exe |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "svchcst" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "svchcst" |
| C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe | C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe |
| C:\Users\Admin\AppData\Local\Temp\is-4RE0V.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp | "C:\Users\Admin\AppData\Local\Temp\is-4RE0V.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp" /SL5="$5016E,1110397,179200,C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe" |
| C:\Windows\SysWOW64\svchcst.exe | C:\Windows\system32\svchcst.exe "c:\windows\system32\240600906.bat",MainThread |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\240600906.bat
C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe
C:\Users\Admin\AppData\Local\Temp\is-4RE0V.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\innocallback.dll
C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\botva2.dll
C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\idp.dll
C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\btn_close.png
C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\btn_n.png
C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\btn_Browser.png
C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\back.png
C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\btn_setup.png
C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\btn_min.png
C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\checkboxdeep.png
C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\license.png
C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\xy.png
C:\Windows\SysWOW64\svchcst.exe