Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-01-2025 13:47

General

  • Target

    2025-01-28_9f1cd85b70d8c3269e48060d18da330f_icedid.exe

  • Size

    2.0MB

  • MD5

    9f1cd85b70d8c3269e48060d18da330f

  • SHA1

    df0bdeac12a722aa7df4748e9ca8b4d60706dfff

  • SHA256

    595be12ef59d0aa82f069540d4ff415522812bc5ffc5c5ef2b4b4320f647fc43

  • SHA512

    87451e851d349d45e672728c39c321c88e97de48c292abf2cba05840650c26fd801da6463abbe0b2be83382e80bfc85abea37be25527b4d3001b7257bbd7c9a1

  • SSDEEP

    24576:bQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVVcQzww5fL0vXb:bQZAdVyVT9n/Gg0P+WhomcMD0vXb

Malware Config

Signatures

  • Detect PurpleFox Rootkit 10 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Purplefox family
  • Drops file in Drivers directory 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-28_9f1cd85b70d8c3269e48060d18da330f_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-28_9f1cd85b70d8c3269e48060d18da330f_icedid.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:624
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2260
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:3728
    • C:\Users\Admin\AppData\Local\Temp\HD_2025-01-28_9f1cd85b70d8c3269e48060d18da330f_icedid.exe
      C:\Users\Admin\AppData\Local\Temp\HD_2025-01-28_9f1cd85b70d8c3269e48060d18da330f_icedid.exe
      2⤵
      • Executes dropped EXE
      PID:920
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 180
        3⤵
        • Program crash
        PID:4780
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:4344
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    1⤵
      PID:856
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4228
      • C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
        C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240627750.txt",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2896
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 920 -ip 920
      1⤵
        PID:1832

      Network

      • flag-us
        DNS
        209.205.72.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.205.72.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        hackerinvasion.f3322.net
        Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
        Remote address:
        8.8.8.8:53
        Request
        hackerinvasion.f3322.net
        IN A
        Response
      • flag-us
        DNS
        11.153.16.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        11.153.16.2.in-addr.arpa
        IN PTR
        Response
        11.153.16.2.in-addr.arpa
        IN PTR
        a2-16-153-11deploystaticakamaitechnologiescom
      • flag-us
        DNS
        20.160.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        20.160.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        7.98.51.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        7.98.51.23.in-addr.arpa
        IN PTR
        Response
        7.98.51.23.in-addr.arpa
        IN PTR
        a23-51-98-7deploystaticakamaitechnologiescom
      • flag-us
        DNS
        149.220.183.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        149.220.183.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        56.163.245.4.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        56.163.245.4.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.42.69.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.42.69.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        hackerinvasion.f3322.net
        Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
        Remote address:
        8.8.8.8:53
        Request
        hackerinvasion.f3322.net
        IN A
      • flag-us
        DNS
        85.49.80.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        85.49.80.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
      • 8.8.8.8:53
        209.205.72.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        209.205.72.20.in-addr.arpa

      • 8.8.8.8:53
        hackerinvasion.f3322.net
        dns
        Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
        70 B
        131 B
        1
        1

        DNS Request

        hackerinvasion.f3322.net

      • 8.8.8.8:53
        11.153.16.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        11.153.16.2.in-addr.arpa

      • 8.8.8.8:53
        20.160.190.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        20.160.190.20.in-addr.arpa

      • 8.8.8.8:53
        7.98.51.23.in-addr.arpa
        dns
        69 B
        131 B
        1
        1

        DNS Request

        7.98.51.23.in-addr.arpa

      • 8.8.8.8:53
        149.220.183.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        149.220.183.52.in-addr.arpa

      • 8.8.8.8:53
        56.163.245.4.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        56.163.245.4.in-addr.arpa

      • 8.8.8.8:53
        241.42.69.40.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        241.42.69.40.in-addr.arpa

      • 8.8.8.8:53
        hackerinvasion.f3322.net
        dns
        Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
        140 B
        131 B
        2
        1

        DNS Request

        hackerinvasion.f3322.net

        DNS Request

        hackerinvasion.f3322.net

      • 8.8.8.8:53
        85.49.80.91.in-addr.arpa
        dns
        70 B
        145 B
        1
        1

        DNS Request

        85.49.80.91.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        148 B
        128 B
        2
        1

        DNS Request

        172.210.232.199.in-addr.arpa

        DNS Request

        172.210.232.199.in-addr.arpa


      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\HD_2025-01-28_9f1cd85b70d8c3269e48060d18da330f_icedid.exe

        Filesize

        368KB

        MD5

        f1da948d11666e7f0464bb22f971169a

        SHA1

        6e32dbbcf9e94365654546f56b3fe7a3b2101bb3

        SHA256

        bb63196a2ddee8b3120f750908a7c75a3bfbf050a7947ac7657fabeda2a76074

        SHA512

        e8673a17a7b250b887ccb67024d6c722789d8cbe377252b8c166852cdef02fad5cbe73e8379ab78af02ab0e58993526cbbb75b93bc31dd7108a6270c0ae9d9d6

      • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

        Filesize

        1.6MB

        MD5

        51c6690b6dc71fea663dfd2ae5a31660

        SHA1

        5d1a3987e9cc09ee5027544f94e8a96a5ee42d97

        SHA256

        f15677b84c17e0678d1a86b8ee11779654dd7636db94bac96e43dd1fc004327f

        SHA512

        e4d9d1b6547ddc6a12616c34b0d74fb0f6e1661f28d4a5d1cc29309ce92bb5da257688dd6663c4a99c22b9a0114609083b4f27fbe80e5bd55ee3ad051210789d

      • C:\Users\Admin\AppData\Local\Temp\svchos.exe

        Filesize

        93KB

        MD5

        3b377ad877a942ec9f60ea285f7119a2

        SHA1

        60b23987b20d913982f723ab375eef50fafa6c70

        SHA256

        62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

        SHA512

        af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

      • C:\Users\Admin\AppData\Local\Temp\svchost.exe

        Filesize

        377KB

        MD5

        a4329177954d4104005bce3020e5ef59

        SHA1

        23c29e295e2dbb8454012d619ca3f81e4c16e85a

        SHA256

        6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

        SHA512

        81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

      • C:\Windows\SysWOW64\240627750.txt

        Filesize

        50KB

        MD5

        77a9a9ac39635572ec4807c0a119cbdf

        SHA1

        b03b46ffd858479f0cd3e799856dc836d74358bc

        SHA256

        3039cf61f50f81a48c79bf747a5bbe6306ec420002ab02416e054ca5814a73d4

        SHA512

        6e5d3aa4d3b3eee26a238c63de761337c894f289ef9c8046b23648c24f603aeebba9c14e5981b7ca6f6cbc79705256b9468533be62e87b069c6084cac057c0ea

      • C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

        Filesize

        60KB

        MD5

        889b99c52a60dd49227c5e485a016679

        SHA1

        8fa889e456aa646a4d0a4349977430ce5fa5e2d7

        SHA256

        6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

        SHA512

        08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

      • memory/544-6-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/544-7-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/544-10-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/544-4-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/2096-16-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/2096-14-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/2096-17-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/2096-15-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/2096-21-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/4344-32-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/4344-39-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB

      • memory/4344-47-0x0000000010000000-0x00000000101B6000-memory.dmp

        Filesize

        1.7MB