Analysis Overview
SHA256
ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b
Threat Level: Known bad
The file ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat
Sets DLL path for service in the registry
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2024-06-05 12:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 12:30
Reported
2024-06-05 12:36
Platform
win7-20240508-en
Max time kernel
150s
Max time network
153s
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259396122.bat" | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-6DOGD.tmp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchcst.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\259396122.bat | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File created | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe
"C:\Users\Admin\AppData\Local\Temp\ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe"
C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Users\Admin\AppData\Local\Temp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe
C:\Users\Admin\AppData\Local\Temp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe
C:\Users\Admin\AppData\Local\Temp\is-6DOGD.tmp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6DOGD.tmp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.tmp" /SL5="$6011E,722930,481792,C:\Users\Admin\AppData\Local\Temp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe"
C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\259396122.bat",MainThread
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
Files
\Users\Admin\AppData\Local\Temp\look2.exe
\Windows\SysWOW64\259396122.bat
\Users\Admin\AppData\Local\Temp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe
\Users\Admin\AppData\Local\Temp\is-6DOGD.tmp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.tmp
\Users\Admin\AppData\Local\Temp\is-HCSR6.tmp\_isetup\_shfoldr.dll
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
\Users\Admin\AppData\Local\Temp\is-HCSR6.tmp\idp.dll
\Users\Admin\AppData\Local\Temp\is-HCSR6.tmp\innocallback.dll
\Users\Admin\AppData\Local\Temp\is-HCSR6.tmp\botva2.dll
C:\Users\Admin\AppData\Local\Temp\is-HCSR6.tmp\Image_mask1.png
C:\Users\Admin\AppData\Local\Temp\is-HCSR6.tmp\btn_setup.png
C:\Users\Admin\AppData\Local\Temp\is-HCSR6.tmp\btn_close.png
C:\Users\Admin\AppData\Local\Temp\is-HCSR6.tmp\btn_min.png
C:\Users\Admin\AppData\Local\Temp\is-HCSR6.tmp\btn_checkbox.png
C:\Users\Admin\AppData\Local\Temp\is-HCSR6.tmp\Btn_Custom.png
C:\Users\Admin\AppData\Local\Temp\is-HCSR6.tmp\btn_browse.png
C:\Users\Admin\AppData\Local\Temp\is-HCSR6.tmp\Image_Background2.png
C:\Users\Admin\AppData\Local\Temp\is-HCSR6.tmp\Image_mask2.png
\Windows\SysWOW64\svchcst.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-05 12:30
Reported
2024-06-05 12:36
Platform
win10v2004-20240426-en
Max time kernel
0s
Max time network
160s
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240596343.bat" | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3JOH4.tmp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\240596343.bat | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File created | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe
"C:\Users\Admin\AppData\Local\Temp\ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe"
C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Users\Admin\AppData\Local\Temp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe
C:\Users\Admin\AppData\Local\Temp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe
C:\Users\Admin\AppData\Local\Temp\is-3JOH4.tmp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3JOH4.tmp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.tmp" /SL5="$9017E,722930,481792,C:\Users\Admin\AppData\Local\Temp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe"
C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\240596343.bat",MainThread
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\240596343.bat
C:\Users\Admin\AppData\Local\Temp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe
C:\Users\Admin\AppData\Local\Temp\is-3JOH4.tmp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.tmp
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
C:\Users\Admin\AppData\Local\Temp\is-GAKSA.tmp\innocallback.dll
C:\Users\Admin\AppData\Local\Temp\is-GAKSA.tmp\Image_mask1.png
C:\Users\Admin\AppData\Local\Temp\is-GAKSA.tmp\btn_close.png
C:\Users\Admin\AppData\Local\Temp\is-GAKSA.tmp\btn_browse.png
C:\Users\Admin\AppData\Local\Temp\is-GAKSA.tmp\Image_Background2.png
C:\Users\Admin\AppData\Local\Temp\is-GAKSA.tmp\Image_mask2.png
C:\Users\Admin\AppData\Local\Temp\is-GAKSA.tmp\Btn_Custom.png
C:\Users\Admin\AppData\Local\Temp\is-GAKSA.tmp\btn_checkbox.png
C:\Users\Admin\AppData\Local\Temp\is-GAKSA.tmp\btn_min.png
C:\Users\Admin\AppData\Local\Temp\is-GAKSA.tmp\btn_setup.png
C:\Users\Admin\AppData\Local\Temp\is-GAKSA.tmp\botva2.dll
C:\Users\Admin\AppData\Local\Temp\is-GAKSA.tmp\idp.dll
C:\Users\Admin\AppData\Local\Temp\HD_ef1a6cee5d32e4bf1e38cc51c84c34255c6488f7190c0d1aac982c092a6d903b.exe
C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Windows\SysWOW64\svchcst.exe