Malware Analysis Report

2024-11-13 16:32

Sample ID 241106-ez2haaxjdq
Target 2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch
SHA256 bfc8c61db414e9edbcd5d6ccbfa742481a53b6da1fc3b8a209adc01fa76a253c
Tags
lumma meduza stealc 7122819010 collection defense_evasion discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bfc8c61db414e9edbcd5d6ccbfa742481a53b6da1fc3b8a209adc01fa76a253c

Threat Level: Known bad

The file 2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch was found to be: Known bad.

Malicious Activity Summary

lumma meduza stealc 7122819010 collection defense_evasion discovery spyware stealer

Lumma family

Meduza Stealer payload

Meduza family

Meduza

Stealc family

Stealc

Lumma Stealer, LummaC

Downloads MZ/PE file

System Binary Proxy Execution: Rundll32

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

Program crash

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

outlook_win_path

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Runs ping.exe

GoLang User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 04:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 04:23

Reported

2024-11-06 04:26

Platform

win7-20241010-en

Max time kernel

64s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 04:23

Reported

2024-11-06 04:26

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Meduza

stealer meduza

Meduza Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Meduza family

meduza

Stealc

stealer stealc

Stealc family

stealc

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A

Reads user/profile data of web browsers

spyware stealer

System Binary Proxy Execution: Rundll32

defense_evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3660 wrote to memory of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3660 wrote to memory of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3660 wrote to memory of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5116 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\1.exe
PID 5116 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\1.exe
PID 5116 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\1.exe
PID 1988 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 1988 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 1988 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 1988 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 1988 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 1988 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 1988 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 1988 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 1988 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 1988 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 1988 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 1988 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 1988 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 3660 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3660 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3660 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1164 wrote to memory of 4368 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\2.exe
PID 1164 wrote to memory of 4368 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\2.exe
PID 1164 wrote to memory of 4368 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\2.exe
PID 4368 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4368 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4368 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4368 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4368 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4368 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4368 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4368 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4368 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4368 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4368 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4368 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4368 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 3660 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3660 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3660 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3876 wrote to memory of 4480 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 3876 wrote to memory of 4480 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 4480 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 4480 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 4480 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 4480 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 4480 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 4480 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 4480 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 4480 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 4480 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 4480 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe
PID 3268 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Windows\System32\cmd.exe
PID 3268 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Windows\System32\cmd.exe
PID 3056 wrote to memory of 3628 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3056 wrote to memory of 3628 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32 url.dll,FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\1.exe

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32 url.dll,FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\2.exe

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32 url.dll,FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\3.exe

C:\Users\Admin\AppData\Local\Temp\3.exe

"C:\Users\Admin\AppData\Local\Temp\3.exe"

C:\Users\Admin\AppData\Local\Temp\3.exe

C:\Users\Admin\AppData\Local\Temp\3.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2860 -ip 2860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1232

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\3.exe"

C:\Windows\system32\PING.EXE

ping 1.1.1.1 -n 1 -w 3000

Network

Country | Destination | Domain | Proto
RU | 89.23.96.109:80 | 89.23.96.109 | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 109.96.23.89.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 83.217.209.11:80 | (none) | tcp
US | 8.8.8.8:53 | geerkenmsu.shop | udp
US | 172.67.201.7:443 | geerkenmsu.shop | tcp
US | 8.8.8.8:53 | worddosofrm.shop | udp
US | 104.21.16.142:443 | worddosofrm.shop | tcp
US | 8.8.8.8:53 | mutterissuen.shop | udp
US | 104.21.11.225:443 | mutterissuen.shop | tcp
US | 8.8.8.8:53 | 7.201.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 142.16.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | standartedby.shop | udp
US | 172.67.220.135:443 | standartedby.shop | tcp
US | 8.8.8.8:53 | nightybinybz.shop | udp
US | 172.67.219.152:443 | nightybinybz.shop | tcp
US | 8.8.8.8:53 | 225.11.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | conceszustyb.shop | udp
US | 104.21.17.229:443 | conceszustyb.shop | tcp
US | 8.8.8.8:53 | bakedstusteeb.shop | udp
US | 104.21.45.184:443 | bakedstusteeb.shop | tcp
US | 8.8.8.8:53 | 135.220.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 152.219.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 229.17.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | respectabosiz.shop | udp
US | 104.21.4.29:443 | respectabosiz.shop | tcp
US | 8.8.8.8:53 | moutheventushz.shop | udp
US | 172.67.157.139:443 | moutheventushz.shop | tcp
US | 8.8.8.8:53 | steamcommunity.com | udp
GB | 104.82.234.109:443 | steamcommunity.com | tcp
US | 8.8.8.8:53 | 184.45.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.4.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 139.157.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 109.234.82.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
DE | 109.107.181.162:15666 | (none) | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.12.205:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.187.227:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | 162.181.107.109.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

C:\Users\Admin\AppData\Local\Temp\1.exe

MD5 b38dc2ab97f5cd458a79101eebf61abd
SHA1 51b055431950a9060ae596780bd980adffd970c6
SHA256 00f37d516fa294a2f427c65cc204e671387c6f6ee4f533fea02cd240238e2ae6
SHA512 9449079f5d4a764b772540924085af6ab862877bac2b6f6031c5ee775aa0626088a63f2bf709dcd1e68839881a6ef23411a53d5ddee161876c1c2f0b9f283a31

memory/1988-3-0x000000007413E000-0x000000007413F000-memory.dmp

memory/1988-4-0x0000000000F90000-0x0000000001020000-memory.dmp

memory/1988-5-0x0000000005940000-0x0000000005946000-memory.dmp

C:\Users\Admin\AppData\Roaming\gdi32.dll

MD5 620be184e3b841379369141e21ef846f
SHA1 9657fd75f1a9ef3eb41acdb26f083f949bc48eac
SHA256 5e152875bda58c94cbff53e7fda99582d327f2c5c26db9ce6c9e0dcb5d21d08f
SHA512 a0b301d02b3e80c7552f71b0f39fe0606ef4a0dc38e94e0b32de68e92422eb1b34f68211ab34e67ad42417a64be2e46e46d0755cd71908c47d198d401bbb35cd

memory/2860-16-0x0000000003450000-0x0000000003742000-memory.dmp

memory/2860-19-0x0000000003450000-0x0000000003742000-memory.dmp

memory/1988-20-0x0000000074130000-0x00000000748E0000-memory.dmp

memory/2860-21-0x0000000003450000-0x0000000003742000-memory.dmp

memory/1988-17-0x0000000074130000-0x00000000748E0000-memory.dmp

memory/2860-12-0x0000000003450000-0x0000000003742000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 f3722ca3549113a8636ed6df95c707c1
SHA1 b99a53e33983169c2f5eb17344444a8d9afc9aad
SHA256 9f16012a1fdf7ff2efc29284d687072089659e0d6fefbbeb9cf2116c52ddc7a1
SHA512 dcefcca50cc5429eb1aa4545b24d92b853085412b49a993b2ee53246dac5fd575f79106aabf179ffd06191feb731c1e96385aa914bbee4c0ac81c197182645c1

memory/4368-25-0x00000000003D0000-0x0000000000420000-memory.dmp

memory/4368-26-0x0000000004C00000-0x0000000004C06000-memory.dmp

C:\Users\Admin\AppData\Roaming\gdi32.dll

MD5 1a4d15d0bcfe5b97e5cf6015efc23157
SHA1 9413817ca10fe4351b358ff4cbc6527b06d74221
SHA256 9717abc44094665a940dd6b73d52ab22404e248533366135191a7a6f95f2be48
SHA512 e615af6c15238150aed37cd24eb6d73b092f4579e15dbb3539f3949aa3d7e4e04f60346caa5a8bee245e7ac8ed943408c6dd03a275f4549a492d19df0d990703

memory/4380-34-0x0000000002750000-0x00000000027B0000-memory.dmp

memory/4380-39-0x0000000002750000-0x00000000027B0000-memory.dmp

memory/4380-36-0x0000000002750000-0x00000000027B0000-memory.dmp

memory/2860-40-0x0000000003450000-0x0000000003742000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3.exe

MD5 7053a5df81a5ef855d1ca5a1e2a67c29
SHA1 5030fd814b639d7650d368ebcd6b920b6c719e7b
SHA256 b1a33532e26c7128e521428b10b2fb7e068da79b41d9fb3ed471cb50e43b5463
SHA512 7ddd3d8dd5374a32e0a16f74bb360387e48b35c02dd536e528fed2d83a3fcd7ed16d0d49a210da44f686d9d687ab20e7bbb63f203b0f602fd4f4ab0449a51f60

memory/3268-46-0x0000000140000000-0x000000014013E000-memory.dmp

memory/3268-44-0x0000000140000000-0x000000014013E000-memory.dmp

memory/2860-53-0x0000000003450000-0x0000000003742000-memory.dmp