Malware Analysis Report

2024-11-13 16:48

Sample ID 200707-tj716dsz42
Target df6e1e72261d4741c7ab841b098ab497.exe
SHA256 2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b
Tags: buer, loader, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b

Threat Level: Known bad

The file df6e1e72261d4741c7ab841b098ab497.exe was found to be: Known bad.

Malicious Activity Summary

Tags: buer, loader, persistence

Buer

Modifies WinLogon for persistence

Executes dropped EXE

Loads dropped DLL

Deletes itself

Enumerates connected drives

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2020-07-07 08:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-07-07 08:32
Reported: 2020-07-07 08:34
Platform: win7
Max time kernel: 140s
Max time network: 104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe"

Signatures

Buer

Tags: loader, buer

Modifies WinLogon for persistence

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\5dc6e8761a7428be2fa5\\gennt.exe\"" C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\X: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\I: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\J: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\S: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\T: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\V: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\Y: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\Z: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\E: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\N: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\M: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\P: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\R: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\W: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\F: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\L: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\G: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\H: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\K: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\O: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\U: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\A: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A
File opened (read-only) \??\B: C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1424 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe
PID 1424 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe
PID 1424 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe
PID 1424 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe
PID 1236 wrote to memory of 1760 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1236 wrote to memory of 1760 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1236 wrote to memory of 1760 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1236 wrote to memory of 1760 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1236 wrote to memory of 1760 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1236 wrote to memory of 1760 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1236 wrote to memory of 1760 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1236 wrote to memory of 1760 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1236 wrote to memory of 1760 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1236 wrote to memory of 1760 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1236 wrote to memory of 1760 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1236 wrote to memory of 1760 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1236 wrote to memory of 1576 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\cmd.exe
PID 1236 wrote to memory of 1576 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\cmd.exe
PID 1236 wrote to memory of 1576 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\cmd.exe
PID 1236 wrote to memory of 1576 N/A C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe

"C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe"

C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe

C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe "C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe" ensgJJ

C:\Windows\SysWOW64\secinit.exe

C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\5dc6e8761a7428be2fa5}"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 mesoplano.com udp
N/A 84.38.181.209:443 mesoplano.com tcp
N/A 8.8.8.8:53 www.download.windowsupdate.com udp
N/A 84.38.181.209:443 mesoplano.com tcp
N/A 84.38.181.209:443 mesoplano.com tcp

Files

\ProgramData\5dc6e8761a7428be2fa5\gennt.exe

MD5 df6e1e72261d4741c7ab841b098ab497
SHA1 f3f84f9a10315f95a73871a53452cf38ef32d9ac
SHA256 2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b
SHA512 70f9e5e2492bdb33ca85274455093d1bc8331b47e31dfdaec9cd47298d7834281c5f93b1b25379ee2aa51d68be320282e36f28ce6004fd9caae4905fc101078b

memory/1236-2-0x0000000000000000-mapping.dmp

C:\ProgramData\5dc6e8761a7428be2fa5\gennt.exe

MD5 df6e1e72261d4741c7ab841b098ab497
SHA1 f3f84f9a10315f95a73871a53452cf38ef32d9ac
SHA256 2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b
SHA512 70f9e5e2492bdb33ca85274455093d1bc8331b47e31dfdaec9cd47298d7834281c5f93b1b25379ee2aa51d68be320282e36f28ce6004fd9caae4905fc101078b

memory/1760-5-0x0000000000000000-mapping.dmp

memory/1576-6-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-07-07 08:32
Reported: 2020-07-07 08:34
Platform: win10
Max time kernel: 150s
Max time network: 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe"

Signatures

Buer

Tags: loader, buer

Modifies WinLogon for persistence

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\60c85a4d4ecb90012faa\\gennt.exe\"" C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\60c85a4d4ecb90012faa\\gennt.exe\"" C:\Windows\SysWOW64\secinit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\N: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\W: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\F: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\P: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\T: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\X: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\Y: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\H: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\I: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\O: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\Q: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\U: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\A: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\R: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\K: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\L: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\M: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\V: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\Z: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\B: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\S: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\E: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\J: C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\secinit.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\secinit.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
N/A N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe N/A
N/A N/A C:\Windows\SysWOW64\secinit.exe N/A
N/A N/A C:\Windows\SysWOW64\secinit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe
PID 2460 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe
PID 2460 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe
PID 2116 wrote to memory of 764 N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2116 wrote to memory of 764 N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2116 wrote to memory of 764 N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2116 wrote to memory of 764 N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2116 wrote to memory of 764 N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2116 wrote to memory of 764 N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2116 wrote to memory of 764 N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2116 wrote to memory of 764 N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2116 wrote to memory of 764 N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2116 wrote to memory of 764 N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2116 wrote to memory of 764 N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2116 wrote to memory of 3720 N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 3720 N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 3720 N/A C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 484 N/A C:\Windows\SysWOW64\secinit.exe C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 484 N/A C:\Windows\SysWOW64\secinit.exe C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 484 N/A C:\Windows\SysWOW64\secinit.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe

"C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe"

C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe

C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe "C:\Users\Admin\AppData\Local\Temp\df6e1e72261d4741c7ab841b098ab497.exe" ensgJJ

C:\Windows\SysWOW64\secinit.exe

C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\60c85a4d4ecb90012faa}"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\60c85a4d4ecb90012faa}"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 mesoplano.com udp
N/A 84.38.181.209:443 mesoplano.com tcp
N/A 67.26.111.254:80 ctldl.windowsupdate.com tcp
N/A 84.38.181.209:443 mesoplano.com tcp
N/A 84.38.181.209:443 mesoplano.com tcp
N/A 84.38.181.209:443 mesoplano.com tcp
N/A 84.38.181.209:443 mesoplano.com tcp
N/A 84.38.181.209:443 mesoplano.com tcp
N/A 84.38.181.209:443 mesoplano.com tcp
N/A 84.38.181.209:443 tcp

Files

memory/2116-0-0x0000000000000000-mapping.dmp

C:\ProgramData\60c85a4d4ecb90012faa\gennt.exe

MD5 df6e1e72261d4741c7ab841b098ab497
SHA1 f3f84f9a10315f95a73871a53452cf38ef32d9ac
SHA256 2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b
SHA512 70f9e5e2492bdb33ca85274455093d1bc8331b47e31dfdaec9cd47298d7834281c5f93b1b25379ee2aa51d68be320282e36f28ce6004fd9caae4905fc101078b

memory/764-3-0x0000000000000000-mapping.dmp

memory/3720-4-0x0000000000000000-mapping.dmp

memory/484-5-0x0000000000000000-mapping.dmp