Analysis Overview
SHA256
3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887
Threat Level: Known bad
The file 3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887 was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat
Sets DLL path for service in the registry
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-05 12:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 12:30
Reported
2024-06-05 12:36
Platform
win7-20240221-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259402128.bat" | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchcst.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\259402128.bat | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File created | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
"C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe"
C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp" /SL5="$60124,1179169,182272,C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe"
C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\259402128.bat",MainThread
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
Files
\Users\Admin\AppData\Local\Temp\look2.exe
\Windows\SysWOW64\259402128.bat
\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\_isetup\_shfoldr.dll
\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\idp.dll
\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\botva2.dll
\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\innocallback.dll
C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\btn_close.png
C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\btn_Browser.png
C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\back.png
C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\btn_n.png
C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\btn_setup.png
C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\btn_min.png
C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\checkboxdeep.png
C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\license.png
C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\xy.png
C:\Windows\SysWOW64\svchcst.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-05 12:30
Reported
2024-06-05 12:36
Platform
win10v2004-20240226-en
Max time kernel
17s
Max time network
158s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240663921.bat" | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EAE5U.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\240663921.bat | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File created | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
"C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe"
C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
C:\Users\Admin\AppData\Local\Temp\is-EAE5U.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EAE5U.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp" /SL5="$5016C,1179169,182272,C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe"
C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\240663921.bat",MainThread
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Windows\SysWOW64\240663921.bat
C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
C:\Users\Admin\AppData\Local\Temp\is-EAE5U.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\idp.dll
C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\innocallback.dll
C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\botva2.dll
C:\Windows\SysWOW64\svchcst.exe
C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\btn_close.png
C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\btn_setup.png
C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\btn_n.png
C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\btn_Browser.png
C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\back.png
C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\btn_min.png
C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\xy.png
C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\checkboxdeep.png
C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\license.png