Malware Analysis Report

2024-11-13 16:32

Sample ID 241106-es4ztsvfmj
Target 2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch
SHA256 bfc8c61db414e9edbcd5d6ccbfa742481a53b6da1fc3b8a209adc01fa76a253c
Tags
lumma meduza stealc 7122819010 collection defense_evasion discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

bfc8c61db414e9edbcd5d6ccbfa742481a53b6da1fc3b8a209adc01fa76a253c

Threat Level: Known bad

The file 2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch was found to be: Known bad.

Malicious Activity Summary

Meduza Stealer payload

Stealc

Stealc family

Lumma Stealer, LummaC

Meduza family

Lumma family

Meduza

Downloads MZ/PE file

System Binary Proxy Execution: Rundll32

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Checks installed software on the system

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Program crash

Browser Information Discovery

GoLang User-Agent

Runs ping.exe

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 04:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 04:13

Reported

2024-11-06 04:15

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 04:13

Reported

2024-11-06 04:15

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Meduza

stealer meduza

Meduza Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Meduza family

meduza

Stealc

stealer stealc

Stealc family

stealc

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A

Reads user/profile data of web browsers

spyware stealer

System Binary Proxy Execution: Rundll32

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1960 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1960 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1960 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1656 wrote to memory of 4688 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\1.exe
PID 1656 wrote to memory of 4688 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\1.exe
PID 1656 wrote to memory of 4688 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\1.exe
PID 4688 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4688 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4688 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4688 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4688 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4688 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4688 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4688 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4688 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4688 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4688 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4688 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4688 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 1960 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1960 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1960 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2040 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\2.exe
PID 2040 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\2.exe
PID 2040 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\2.exe
PID 4720 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4720 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4720 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4720 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4720 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4720 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4720 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4720 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4720 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4720 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4720 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4720 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4720 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 1960 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1960 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1960 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 3624 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 2392 wrote to memory of 3624 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 3624 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 3624 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 3624 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 3624 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 3624 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 3624 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 3624 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 3624 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 3624 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 3624 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 3304 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Windows\System32\cmd.exe
PID 3304 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Windows\System32\cmd.exe
PID 5076 wrote to memory of 4952 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 5076 wrote to memory of 4952 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32 url.dll,FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\1.exe

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32 url.dll,FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\2.exe

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32 url.dll,FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\3.exe

C:\Users\Admin\AppData\Local\Temp\3.exe

"C:\Users\Admin\AppData\Local\Temp\3.exe"

C:\Users\Admin\AppData\Local\Temp\3.exe

C:\Users\Admin\AppData\Local\Temp\3.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\3.exe"

C:\Windows\system32\PING.EXE

ping 1.1.1.1 -n 1 -w 3000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2024 -ip 2024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1240

Network

Files

C:\Users\Admin\AppData\Local\Temp\1.exe

MD5 b38dc2ab97f5cd458a79101eebf61abd
SHA1 51b055431950a9060ae596780bd980adffd970c6
SHA256 00f37d516fa294a2f427c65cc204e671387c6f6ee4f533fea02cd240238e2ae6
SHA512 9449079f5d4a764b772540924085af6ab862877bac2b6f6031c5ee775aa0626088a63f2bf709dcd1e68839881a6ef23411a53d5ddee161876c1c2f0b9f283a31

C:\Users\Admin\AppData\Roaming\gdi32.dll

MD5 620be184e3b841379369141e21ef846f
SHA1 9657fd75f1a9ef3eb41acdb26f083f949bc48eac
SHA256 5e152875bda58c94cbff53e7fda99582d327f2c5c26db9ce6c9e0dcb5d21d08f
SHA512 a0b301d02b3e80c7552f71b0f39fe0606ef4a0dc38e94e0b32de68e92422eb1b34f68211ab34e67ad42417a64be2e46e46d0755cd71908c47d198d401bbb35cd

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 f3722ca3549113a8636ed6df95c707c1
SHA1 b99a53e33983169c2f5eb17344444a8d9afc9aad
SHA256 9f16012a1fdf7ff2efc29284d687072089659e0d6fefbbeb9cf2116c52ddc7a1
SHA512 dcefcca50cc5429eb1aa4545b24d92b853085412b49a993b2ee53246dac5fd575f79106aabf179ffd06191feb731c1e96385aa914bbee4c0ac81c197182645c1

C:\Users\Admin\AppData\Roaming\gdi32.dll

MD5 1a4d15d0bcfe5b97e5cf6015efc23157
SHA1 9413817ca10fe4351b358ff4cbc6527b06d74221
SHA256 9717abc44094665a940dd6b73d52ab22404e248533366135191a7a6f95f2be48
SHA512 e615af6c15238150aed37cd24eb6d73b092f4579e15dbb3539f3949aa3d7e4e04f60346caa5a8bee245e7ac8ed943408c6dd03a275f4549a492d19df0d990703

C:\Users\Admin\AppData\Local\Temp\3.exe

MD5 7053a5df81a5ef855d1ca5a1e2a67c29
SHA1 5030fd814b639d7650d368ebcd6b920b6c719e7b
SHA256 b1a33532e26c7128e521428b10b2fb7e068da79b41d9fb3ed471cb50e43b5463
SHA512 7ddd3d8dd5374a32e0a16f74bb360387e48b35c02dd536e528fed2d83a3fcd7ed16d0d49a210da44f686d9d687ab20e7bbb63f203b0f602fd4f4ab0449a51f60