MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES
(none listed)

MALWARE FAMILIES
Trojan.Playtech/Crossrider
Trojan.Winterlove-28
TEL:Backdoor:Win32/PlugX
Trojan:Win32/Zbot.SIBG!MTB
#Lowfi:LUA:AutoItLargeFile
TELPER:HSTR:CLEAN:Ninite
#VirTool:Win32|Obfuscator.ADB
Worm:Win32/Mofksys.RND!MTB
Trojan:Win32/Blihan.A
Indicators of Compromise (160 / 710 total)
TYPE  INDICATOR  DESCRIPTION  CREATED
URL http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom/index.7ze 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom/templates/installer/casinocom_new_notif.7ze 2026-05-09
URL http://geo.web-installer-assets.com/ 2026-05-09
URL http://log.web-installer-assets.com/installer_logs 2026-05-09
URL http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA 2026-05-09
URL http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 2026-05-09
URL http://cache.download2.casino.com/download/casino/client_update_urls.php 2026-05-09
URL http://logo.verisign.com/vslogo.gif0 2026-05-09
URL http://ns.adobe.com/xap/1.0/mm/ 2026-05-09
URL http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D 2026-05-09
URL http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJaiu8Zb34NbCEEshrmcCs%3D 2026-05-09
URL http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEHSfdSPcp6pyLdnEz5lZ6ec%3D 2026-05-09
URL http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D 2026-05-09
URL http://rb.symcb.com/rb.crt0 2026-05-09
URL http://status.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFvn094QJ%2BcWGTwWWEy%2BBXPZkW8AQUo8heZVTlMHjBBeoHCmpZzLn%2B3loCEA2s%2B3c%2FCdGcl04Jq3rj0Vw%3D 2026-05-09
URL http://ts-aia.ws.symantec.com/sha256 2026-05-09
URL http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 2026-05-09
URL http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt 2026-05-09
URL https://c6m7w2m9.ssl.hwcdn.net/playtech_compressed_assets/casino_casinocom/templates/installer/casinocom_new_notif.7ze 2026-05-09
URL https://cache.download2.casino.com/download/casino/126/casino[en].cab 2026-05-09
URL https://d.symcb.com/cps0% 2026-05-09
URL https://d.symcb.com/rpa06 2026-05-09
URL https://www.virusbtn.com/virusbulletin/archive/2015/09/vb201509-custom-packer.dkb 2026-05-09
URL http://geo.web-installer-assets.com/,onSuccessId:8,onFailureId:9 2026-05-09
URL http://geo.web-installer-assets.com/.hook_reg_dialog_skip_registration 2026-05-09
URL http://geo.web-installer-assets.com/H 2026-05-09
URL http://log.web-installer-assets.com/-5-21-1070296143-2877979003-364783958-1001 2026-05-09
URL http://log.web-installer-assets.com/017562359AA4EA7EA7F7B77 2026-05-09
URL http://log.web-installer-assets.com/40/ 2026-05-09
URL http://log.web-installer-assets.com/43-2877979003-364783958-1001 2026-05-09
URL http://log.web-installer-assets.com/installer_logs-B 2026-05-09
URL http://log.web-installer-assets.com/installer_logs6895304943DBEA8g 2026-05-09
URL http://log.web-installer-assets.com/installer_logs7ze 2026-05-09
URL http://log.web-installer-assets.com/installer_logs;r 2026-05-09
URL http://log.web-installer-assets.com/installer_logsIr 2026-05-09
URL http://log.web-installer-assets.com/installer_logsXk 2026-05-09
URL http://log.web-installer-assets.com/installer_logscN 2026-05-09
URL http://log.web-installer-assets.com/installer_logsej 2026-05-09
URL http://log.web-installer-assets.com/installer_logsjZ 2026-05-09
URL http://log.web-installer-assets.com/installer_logspS 2026-05-09
URL http://log.web-installer-assets.com/installer_logssL 2026-05-09
URL http://log.web-installer-assets.com/installer_logstime=75 2026-05-09
URL http://log.web-installer-assets.com/installer_logsvz 2026-05-09
URL http://log.web-installer-assets.com/installer_logszJ 2026-05-09
URL http://log.web-installer-assets.com/nstaller_logsEA54440883D6EB6BJC 2026-05-09
URL http://log.web-installer-assets.com/r 2026-05-09
URL http://17woo.tgbusdata.cn/month_1011/10110319022a91ca67dc88dbe2.jpg 2026-05-09
URL http://17woo.tgbusdata.cn/month_1011/101103190236be173f42df71e8.jpg 2026-05-09
URL http://17woo.tgbusdata.cn/month_1011/1011031902433a6b4513ba6b65.jpg 2026-05-09
URL http://17woo.tgbusdata.cn/month_1011/101103190247483869bfd0afdd.jpg 2026-05-09
URL http://17woo.tgbusdata.cn/month_1011/10110319025160567ce920237a.jpg 2026-05-09
URL http://17woo.tgbusdata.cn/month_1011/10110319029ed6ff19d5637815.jpg 2026-05-09
URL http://17woo.tgbusdata.cn/month_1011/1011031902a233f653e7933a76.jpg 2026-05-09
URL http://17woo.tgbusdata.cn/month_1011/1011031902a4394c9e09517361.jpg 2026-05-09
URL http://17woo.tgbusdata.cn/month_1011/1011031902baf43c753dd7a176.jpg 2026-05-09
URL http://17woo.tgbusdata.cn/month_1011/1011031902cf4a788b9ac2c0a5.jpg 2026-05-09
URL http://17woo.tgbusdata.cn/month_1011/1011031902db7d2fa53784aa38.jpg 2026-05-09
URL http://17woo.tgbusdata.cn/month_1011/1011031902fa94254e3725de88.jpg 2026-05-09
URL http://down.zhihuizhangyu.com/smartcloud/repair/online.dat 2026-05-09
URL http://down.zhihuizhangyu.com/smartcloud/repair/repair.dat 2026-05-09
URL http://velapower.com/glwh/UploadFile/file/2021120320530473499.pdf 2026-05-09
URL http://velapower.com/glwh/UploadFile/file/2021121313304473499.pdf 2026-05-09
URL http://velapower.com/glwh/UploadFile/file/2021121415434473499.pdf 2026-05-09
URL https://down.znshuru.com/gw/mj/f0/ea307288127eff692a47e3bfd954c15b.dat 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom/index.7ze4AB 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom/index.7zeource 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/casino_winner/index.7zeAB9C 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/casino_winner/index.7zeB 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/casino_winner/index.7zeF 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/casino_winner/index.7zeN 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/casino_winner/index.7zeUsers 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/casino_winner/index.7zeno 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/casino_winner/index.7zetallerGener 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/poker_betfred/index.7ze8 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/poker_betfred/index.7zeB 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/poker_betfred/index.7zeI 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/poker_betfred/index.7zeUx 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/poker_sportium/index.7zeH 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/poker_sportium/index.7zeN 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/poker_sportium/index.7zeP 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/poker_sportium/index.7zedn.net 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/poker_sportium/index.7zeeploy 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/poker_sportium/index.7zeh 2026-05-09
URL http://fallback.playtech-installer.com/playtech_compressed_assets/poker_sportium/index.7zeo 2026-05-09
URL https://click.info.microsoftemail.com/?qs=dda8bfb6ad75551e51bc5579f95ee321b608f9a4f09dc430d740defbf2e8e2ad542367b3640e07ce2ff7afac3f98d720c0faee6af516df79 2026-05-09
URL https://click.microsoftstoreemail.com/?qs=a8547cd5eba20b27079022aaceb7203ec58b8268a1397eb9c8f5e57b06783c544e4b2515d8bd7b0e36f6b6927da2f467440005c1dcc50779d34b5efc9a24f2b8 2026-05-09
URL https://click.microsoftstoreemail.com/?qs=a8547cd5eba20b2779753cde67546c4b9c662ccb915c04280d6d64d7fc6cd760e0c4e7c47eed6144743ad6895947ff29af509214638f00f07c2042652fbe4951 2026-05-09
URL https://click.microsoftstoreemail.com/?qs=a8547cd5eba20b27a0ca353c7cc9cd563e3fa3749dcc54cd5c65f83d0e4b1b09354eac192bd74bb8ec67a0e95d1c1f58b74e94aab3847bb9f698b55c975eb0ae 2026-05-09
URL https://urlf.assomption.ca/?page=goto&mid=23535531&id=521d&tss=1686160408&h=6d2b75a1 2026-05-09
URL http://l2liberty.com/ 2026-05-09
URL https://l2liberty.com/ 2026-05-09
URL https://l2liberty.com/0 2026-05-09
URL https://l2liberty.com/sign/0 2026-05-09
URL http://www.adatum.com/kalendarze/ 2026-05-09
URL https://checkpoint.url-protection.com/v1/url?o=https://go.microsoft.com/fwlink/?LinkId=521839&g=YzYwNGE2NmU4OWQxMjdhZQ==&h=MjJkNmY1Y2Q0YzI1NmQ1N2Y4ZGY1NDk3YmVjZmQ2M2FkY2ZlMjAxZWQ1N2I4ZGM3ZjNlNThlN2VlNjRmMTA0NA==&p=Y3AxZTphaGxpdW5pdGVkYmFuazpjOm86YTk3MTY3NTY1YTE0ZTk2MmEwNTQ5MTAxNWNiZTdhMzU6djE6aDpU 2026-05-09
URL https://microsoft.msafflnk.net/c/1243925/433017/7593?sharedid=6ke7Y9EvOiY-ocyTLpRDxjRGhUp8VNbemQ&subid2=24542&subid3=3695969&u=https://www.microsoft.com/en-us/microsoft-365/try?ranMID=24542&ranEAID=6ke7Y9EvOiY&ranSiteID=6ke7Y9EvOiY-ocyTLpRDxjRGhUp8VNbemQ&epi=6ke7Y9EvOiY-ocyTLpRDxjRGhUp8VNbemQ 2026-05-09
URL http://212.29.254.236:389 2026-05-09
URL http://jitkahynkova.com/ 2026-05-09
URL http://marekkuhn.com 2026-05-09
URL http://o123176122.loterierigolote.com/ 2026-05-09
URL http://cdnfiles.pdf-suite.com 2026-05-09
URL http://storage.realsteel.works 2026-05-09
URL http://ns.aDobe.com/xap/1.0 2026-05-09
URL http://ns.aDobe.com/xat/1.0 2026-05-09
URL http://ns.aDobe.com/xat/1.0/ 2026-05-09
URL http://ns.adObe.com/8ap/1.0/ 2026-05-09
URL http://ns.adObe.com/thff/1.0/ 2026-05-09
URL http://ns.aDobe.com/tiff/1.0/b 2026-05-09
URL http://ns.Adobe.com/air/application/1.5.2 2026-05-09
URL http://ns.Adobe.com/xap/1.0/mm/ 2026-05-09
URL http://ns.aDobe.com/xap/1. 2026-05-09
URL http://ns.adObe.com/xap/1.0/ 2026-05-09
URL http://ns.adoBe.com/exif 2026-05-09
URL http://ns.adoBe.com/xap/1.0/ 2026-05-09
URL http://ns.adoBe.com/xap/1.0/mm/ 2026-05-09
URL http://ns.adoBe.com/xar/1.0/mM/ 2026-05-09
URL http://ns.adobe.Com/xap/ 2026-05-09
URL http://ns.adobe.Com/xap/1.0/mm/ 2026-05-09
URL http://ns.adobe.Com/xap/1.0/sType/ 2026-05-09
URL http://ns.adobe.cOm/ 2026-05-09
URL http://ns.adobe.coM/xap/1.0/mm/ 2026-05-09
URL http://ns.adobe.coM/xap/1.0/mmY 2026-05-09
URL http://ts-aia.ws.Symantec.com/tss 2026-05-09
URL http://ts-aia.ws.symAntec.com/tss 2026-05-09
URL http://163.171.129.134/9.php?safe=D 2026-05-09
URL http://163.171.129.134/9.php?safe=o 2026-05-09
URL http://lb.e-flypgs.com/eu/c/tq/12D6B1D3DA7B475CAD2D89FD3B70FAD6/6649b3ce9df30b07a568e3bcc3adbb22/?i=d683b5ab4780c579d13dcd762d61e96caf881d47bb33ae22ca59b56acda7080de6c2e453c3e61c60190ecc70cc72b5bd88b2fa41faacd07a91e68815b4c48fa4187c575c3c586f2f61059666eda39716bf0f9c2defce3d743ccfa69f7ae0cb29baac63d28015dd4622e18f5a1b333d2bd6fb665b84717d217160bcc5a85169a1 2026-05-09
URL http://lb.e-flypgs.com/eu/c/tq/34CE5DE4C6BC479ABC15862575BD3C7E/aeba4d7bbde7d633e1057131b42b766a/?i=d683b5ab4780c579d13dcd762d61e96caf881d47bb33ae22ca59b56acda7080de6c2e453c3e61c60190ecc70cc72b5bd88b2fa41faacd07a91e68815b4c48fa4187c575c3c586f2f61059666eda39716bf0f9c2defce3d743ccfa69f7ae0cb29baac63d28015dd4622e18f5a1b333d2bd6fb665b84717d217160bcc5a85169a1 2026-05-09
URL http://lb.e-flypgs.com/eu/c/tq/9993779F4CC44B72B3E3409555223158/c2e80b55ba68f6027e98b3e7607eceb8/?i=d683b5ab4780c579d13dcd762d61e96caf881d47bb33ae22ca59b56acda7080de6c2e453c3e61c60190ecc70cc72b5bd88b2fa41faacd07a91e68815b4c48fa4187c575c3c586f2f61059666eda39716bf0f9c2defce3d743ccfa69f7ae0cb29baac63d28015dd4622e18f5a1b333d2bd6fb665b84717d217160bcc5a85169a1 2026-05-09
URL https://odatv4.com/kultur-sanat/burada-mustehcenlige-sansur-yok-229558 2026-05-09
URL https://www.odatv4.com/guncel/bgy-yi-siyasi-parti-saninca-olanlar-oldu-275334 2026-05-09
URL https://www.odatv4.com/kultur-sanat/burada-mustehcenlige-sansur-yok-229558 2026-05-09
URL https://www.odatv4.com/siyaset/davutoglu-erdogan-la-o-konusmasini-acikladi-bahceli-buna-cok-kizacak-282005 2026-05-09
URL http://20.22.113.133:443/ 2026-05-09
URL http://c1.kgimg.com/games/20140317/13950450125630.png 2026-05-09
URL https://jp.akubela.com/ 2026-05-09
URL https://static.mdirector.com/files/campanias/13994/images/1765544577573_felicitaciones_end.png 2026-05-09
URL https://uat.certcloud.cn/audit/organizations/TsTHdywu 2026-05-09
URL https://www.fx168news.com/article/中美关系-976126 2026-05-09
URL http://cozcoworkspaceresrvation.page/ 2026-05-09
URL http://cronosplm.ca/ 2026-05-09
URL http://cybershroud.dev/ 2026-05-09
URL http://doodoobrown.org/ 2026-05-09
URL http://fernanda-e-tiago.com/ 2026-05-09
URL http://gafyytw.xn--elclubdeinversin-kvb.com/ 2026-05-09
URL http://ljuticrepair.com/ 2026-05-09
URL http://mobiletechwally.com/ 2026-05-09
URL http://riyadh365.com/ 2026-05-09
URL http://vintique.im/ 2026-05-09
URL http://www.betgenzouyeol.com/ 2026-05-09
URL http://www.doodoobrown.org/ 2026-05-09
URL http://www.fernanda-e-tiago.com/ 2026-05-09
URL https://doodoobrown.org/ 2026-05-09
URL https://fernanda-e-tiago.com/ 2026-05-09
URL https://ljuticrepair.com/ 2026-05-09
URL https://w7777dj.com/ 2026-05-09
URL https://www.betgenzouyeol.com/ 2026-05-09
URL https://www.doodoobrown.org/ 2026-05-09
URL https://www.fernanda-e-tiago.com/ 2026-05-09
URL http://hpemrashns.net/imgs/krewa/nqxa.php?id=2559jakw&s5=3159&lip=192.168.122.22&win=fWinS 2026-05-09
References (24)
installer.exe | FileHash-SHA256 000002f7c809714f3dd89443c0b12d7f397c7dfe6108a448571e378b84c9f229
Christopher P 'Buzz' Ahman | Brian Sabey | Tulach | Graham Tech
Yara: Detections: stack_string | ConventionEngine_Keyword_Install |
Yara: research_pe_signed_outside_timestamp [anomaly] xor_0x20_xord_javascript [Obfuscation]
IDS Detections: Playtech Installer PUP/Adware | Playtech Downloader Online Gaming Checkin
IDS Detections: Suspicious User-Agent containing Loader | Observed C: \\ filepath observed in HTTP header
CS Yara: Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs
CS IDS: Matches rule ET MALWARE Playtech Downloader Online Gaming Checkin
CS IDS: Matches rule (http_inspect) HTTP Content-Length message body was truncated
CS IDS: Matches rule SURICATA STREAM excessive retransmissions Unique rule identifier: This rule belongs to a private collection.
http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom/index.7ze
cache.download2.casino.com
thebeautifulbet.com
Trojan:Win32/Blihan.A - Yara Detections: KBysPacker028BetaShoooo
http://geo.web-installer-assets.com/,onSuccessId:8,onFailureId:9
http://geo.web-installer-assets.com/H
http://geo.web-installer-assets.com/.hook_reg_dialog_skip_registration
authrootstl.cab
ET MALWARE Playtech Downloader Online Gaming Checkin Malware
Command and Control Activity Detected
Proofpoint Emerging Threats Open X Context for the matching alerts
Rule references https://www.virustotal.com/gui/search/00740d7d15862efb3
Destination IP: 157.185.156.194 Destination port: 80 Hostname: cache.download2.casino.com
URL: http://cache.download2.casino.com/download/casino/client