Unmasking Fake CAPTCHA Cases in MxDR Investigations

Indicators of Compromise