Malware Analysis Report

2024-10-19 01:10

Sample ID 230801-rsv35sgc85
Target 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe
SHA256 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e
Tags: themida laplas redline 300723_rc clipper infostealer persistence spyware stealer

Score: 10/10

Analysis Overview

Score: 10/10

SHA256

223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e

Threat Level: Known bad

The file 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe was found to be: Known bad.

Malicious Activity Summary

themida laplas redline 300723_rc clipper infostealer persistence spyware stealer

RedLine

Laplas Clipper

Downloads MZ/PE file

Loads dropped DLL

Themida packer

Executes dropped EXE

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

GoLang User-Agent

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-01 14:27

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-01 14:27

Reported

2023-08-01 14:30

Platform

win7-20230712-en

Max time kernel

117s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe"

Signatures

Laplas Clipper

stealer clipper laplas

RedLine

infostealer redline

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 2836 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2836 wrote to memory of 1100 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\Notepod.exe
PID 1100 wrote to memory of 1988 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 rc3007.tuktuk.ug udp
NL 85.209.3.9:11290 rc3007.tuktuk.ug tcp
NL 45.66.230.149:80 45.66.230.149 tcp
US 8.8.8.8:53 lpls.tuktuk.ug udp
NL 45.66.230.149:80 lpls.tuktuk.ug tcp

Files

memory/2016-54-0x0000000000010000-0x00000000006B4000-memory.dmp

memory/2016-55-0x0000000075B20000-0x0000000075C30000-memory.dmp

memory/2016-56-0x0000000075B20000-0x0000000075C30000-memory.dmp

memory/2016-57-0x0000000075B20000-0x0000000075C30000-memory.dmp

memory/2016-59-0x0000000075B20000-0x0000000075C30000-memory.dmp

memory/2016-62-0x0000000075CA0000-0x0000000075CE7000-memory.dmp

memory/2016-63-0x0000000000010000-0x00000000006B4000-memory.dmp

memory/2016-64-0x0000000000930000-0x000000000094C000-memory.dmp

memory/2016-65-0x0000000000930000-0x0000000000945000-memory.dmp

memory/2016-66-0x0000000000930000-0x0000000000945000-memory.dmp

memory/2016-68-0x0000000000930000-0x0000000000945000-memory.dmp

memory/2016-70-0x0000000000930000-0x0000000000945000-memory.dmp

memory/2016-72-0x0000000000930000-0x0000000000945000-memory.dmp

memory/2016-74-0x0000000000930000-0x0000000000945000-memory.dmp

memory/2016-76-0x0000000000930000-0x0000000000945000-memory.dmp

memory/2016-78-0x0000000000930000-0x0000000000945000-memory.dmp

memory/2016-80-0x0000000000930000-0x0000000000945000-memory.dmp

memory/2016-82-0x0000000000930000-0x0000000000945000-memory.dmp

memory/2016-84-0x0000000000930000-0x0000000000945000-memory.dmp

memory/2016-86-0x0000000000930000-0x0000000000945000-memory.dmp

memory/2016-88-0x0000000000930000-0x0000000000945000-memory.dmp

memory/2836-89-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2836-91-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2836-93-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2836-95-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2836-97-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2836-98-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2836-100-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2836-103-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2016-104-0x0000000075B20000-0x0000000075C30000-memory.dmp

memory/2016-105-0x0000000075CA0000-0x0000000075CE7000-memory.dmp

memory/2016-106-0x0000000000010000-0x00000000006B4000-memory.dmp

memory/2836-107-0x00000000003D0000-0x00000000003D6000-memory.dmp

\Users\Admin\AppData\Local\Temp\Notepod.exe

MD5 b30e29bccabab032c27910210d9ccf76
SHA1 caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256 b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512 ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

MD5 b30e29bccabab032c27910210d9ccf76
SHA1 caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256 b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512 ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8

memory/1100-113-0x00000000013D0000-0x0000000001C6B000-memory.dmp

memory/1100-114-0x00000000013D0000-0x0000000001C6B000-memory.dmp

memory/1100-115-0x00000000013D0000-0x0000000001C6B000-memory.dmp

memory/1100-116-0x00000000013D0000-0x0000000001C6B000-memory.dmp

memory/1100-117-0x00000000013D0000-0x0000000001C6B000-memory.dmp

memory/1100-118-0x00000000013D0000-0x0000000001C6B000-memory.dmp

memory/1100-119-0x00000000013D0000-0x0000000001C6B000-memory.dmp

memory/1100-120-0x00000000013D0000-0x0000000001C6B000-memory.dmp

memory/1100-121-0x00000000013D0000-0x0000000001C6B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

MD5 b30e29bccabab032c27910210d9ccf76
SHA1 caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256 b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512 ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8

memory/2836-123-0x00000000730A0000-0x000000007378E000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 1e5676f77b996fd6a8927b4d0398ff23
SHA1 3b8208c8d5b4abc7bf04631def871e5d34496766
SHA256 45236eb7d0905ebb55970293104b821bccf67a55c4ad5e8e8b21b72d497a051b
SHA512 d1f5bc7ceb702081738ba0bc3d050e9e17c8d743f275bc3ac2711fe73d37951971ed76a1597c98b0cb1b205787e37fb494e6f4a861d15e2a25abf4bf79007df1

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 502bea4159626b5bacfd5c26357a9c26
SHA1 06606f30f3c5aee514bd48833640b716570e79ea
SHA256 9f28605bca758ceb642a54b2cfb98585b8f77207c95e9844f44b684906828595
SHA512 aa08156e102d49636fd8a51c1d67748d3c8c243cfbfba8720dc6a35c4a3b03a1776b82fc0efa0678f32732493eb1b62ef0060cec38be1867e0b8e4dacd785746

memory/1100-128-0x00000000013D0000-0x0000000001C6B000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 5551def12056fd40462b1249399c9366
SHA1 7eed68ca127436fd6fbbae1cab5a8df27cdc404d
SHA256 0169fa3e464fbf7e7d116d8c10b8a6fdea8421d18671792945b74e375834aab9
SHA512 d9c9efd2a0c048a88b2a8c733d57d4216413bc4623b6670cfb3852e8806a25ff79181c8b0bf37c8890ded2172c48512deb16792893523455a001080264f4e8da

memory/1100-129-0x00000000770F0000-0x0000000077299000-memory.dmp

memory/1988-130-0x0000000000380000-0x0000000000C1B000-memory.dmp

memory/1988-131-0x0000000000380000-0x0000000000C1B000-memory.dmp

memory/1988-132-0x0000000000380000-0x0000000000C1B000-memory.dmp

memory/1988-133-0x0000000000380000-0x0000000000C1B000-memory.dmp

memory/1988-134-0x0000000000380000-0x0000000000C1B000-memory.dmp

memory/1988-135-0x0000000000380000-0x0000000000C1B000-memory.dmp

memory/1988-136-0x0000000000380000-0x0000000000C1B000-memory.dmp

memory/1988-137-0x0000000000380000-0x0000000000C1B000-memory.dmp

memory/1988-138-0x0000000000380000-0x0000000000C1B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-01 14:27

Reported

2023-08-01 14:30

Platform

win10v2004-20230703-en

Max time kernel

147s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe"

Signatures

Laplas Clipper

stealer clipper laplas

RedLine

infostealer redline

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4844 wrote to memory of 856 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 3504 (2 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\Notepod.exe
PID 3504 wrote to memory of 3516 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 rc3007.tuktuk.ug udp
NL 85.209.3.9:11290 rc3007.tuktuk.ug tcp
US 8.8.8.8:53 9.3.209.85.in-addr.arpa udp
NL 45.66.230.149:80 45.66.230.149 tcp
US 8.8.8.8:53 149.230.66.45.in-addr.arpa udp
US 8.8.8.8:53 lpls.tuktuk.ug udp
NL 45.66.230.149:80 lpls.tuktuk.ug tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp

Files

memory/4844-133-0x00000000007C0000-0x0000000000E64000-memory.dmp

memory/4844-134-0x0000000076E60000-0x0000000076F50000-memory.dmp

memory/4844-135-0x0000000076E60000-0x0000000076F50000-memory.dmp

memory/4844-136-0x0000000076E60000-0x0000000076F50000-memory.dmp

memory/4844-137-0x0000000076E60000-0x0000000076F50000-memory.dmp

memory/4844-138-0x0000000076E60000-0x0000000076F50000-memory.dmp

memory/4844-139-0x0000000077454000-0x0000000077456000-memory.dmp

memory/4844-143-0x00000000007C0000-0x0000000000E64000-memory.dmp

memory/4844-144-0x00000000053C0000-0x000000000545C000-memory.dmp

memory/4844-145-0x00000000007C0000-0x0000000000E64000-memory.dmp

memory/4844-147-0x0000000076E60000-0x0000000076F50000-memory.dmp

memory/4844-148-0x0000000076E60000-0x0000000076F50000-memory.dmp

memory/4844-149-0x0000000076E60000-0x0000000076F50000-memory.dmp

memory/4844-150-0x0000000076E60000-0x0000000076F50000-memory.dmp

memory/4844-151-0x0000000076E60000-0x0000000076F50000-memory.dmp

memory/4844-153-0x0000000005360000-0x0000000005375000-memory.dmp

memory/4844-152-0x0000000005360000-0x0000000005375000-memory.dmp

memory/4844-155-0x0000000005360000-0x0000000005375000-memory.dmp

memory/4844-157-0x0000000005360000-0x0000000005375000-memory.dmp

memory/4844-159-0x0000000005360000-0x0000000005375000-memory.dmp

memory/4844-161-0x0000000005360000-0x0000000005375000-memory.dmp

memory/4844-163-0x0000000005360000-0x0000000005375000-memory.dmp

memory/4844-165-0x0000000005360000-0x0000000005375000-memory.dmp

memory/4844-167-0x0000000005360000-0x0000000005375000-memory.dmp

memory/4844-169-0x0000000005360000-0x0000000005375000-memory.dmp

memory/4844-171-0x0000000005360000-0x0000000005375000-memory.dmp

memory/4844-173-0x0000000005360000-0x0000000005375000-memory.dmp

memory/4844-175-0x0000000005360000-0x0000000005375000-memory.dmp

memory/856-176-0x0000000000400000-0x0000000000430000-memory.dmp

memory/856-178-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/4844-180-0x0000000076E60000-0x0000000076F50000-memory.dmp

memory/4844-181-0x00000000007C0000-0x0000000000E64000-memory.dmp

memory/856-182-0x000000000A950000-0x000000000AF68000-memory.dmp

memory/856-183-0x000000000A450000-0x000000000A55A000-memory.dmp

memory/856-184-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

memory/856-185-0x000000000A390000-0x000000000A3A2000-memory.dmp

memory/856-186-0x000000000A3F0000-0x000000000A42C000-memory.dmp

memory/856-187-0x000000000A720000-0x000000000A796000-memory.dmp

memory/856-188-0x000000000A840000-0x000000000A8D2000-memory.dmp

memory/856-189-0x000000000B520000-0x000000000BAC4000-memory.dmp

memory/856-190-0x000000000A8E0000-0x000000000A946000-memory.dmp

memory/856-191-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/856-192-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

memory/856-193-0x000000000BCA0000-0x000000000BE62000-memory.dmp

memory/856-194-0x000000000C3A0000-0x000000000C8CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

MD5 b30e29bccabab032c27910210d9ccf76
SHA1 caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256 b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512 ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

MD5 b30e29bccabab032c27910210d9ccf76
SHA1 caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256 b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512 ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

MD5 b30e29bccabab032c27910210d9ccf76
SHA1 caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256 b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512 ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8

memory/3504-206-0x0000000000420000-0x0000000000CBB000-memory.dmp

memory/856-208-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/3504-209-0x00007FF9203B0000-0x00007FF9205A5000-memory.dmp

memory/3504-210-0x0000000000420000-0x0000000000CBB000-memory.dmp

memory/3504-211-0x0000000000420000-0x0000000000CBB000-memory.dmp

memory/3504-212-0x0000000000420000-0x0000000000CBB000-memory.dmp

memory/3504-213-0x0000000000420000-0x0000000000CBB000-memory.dmp

memory/3504-214-0x0000000000420000-0x0000000000CBB000-memory.dmp

memory/3504-215-0x0000000000420000-0x0000000000CBB000-memory.dmp

memory/3504-216-0x0000000000420000-0x0000000000CBB000-memory.dmp

memory/3504-217-0x0000000000420000-0x0000000000CBB000-memory.dmp

memory/3504-218-0x0000000000420000-0x0000000000CBB000-memory.dmp

memory/3504-219-0x0000000000420000-0x0000000000CBB000-memory.dmp

memory/3504-221-0x0000000000420000-0x0000000000CBB000-memory.dmp

memory/3504-222-0x00007FF9203B0000-0x00007FF9205A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 f7ed847450ee312167ca641281f0e4cf
SHA1 ad9761e90de7dfff97f8d5e70484df2bf864898b
SHA256 8171aef1dc82403c154ab99c2d95afca44d07f4678c9325b7a47f3efd41b7313
SHA512 bfb34cf55f964639f72ee1128885a511286f3a90d258d74b4d0950dde8d432203f256cf7c8fbc97b0be94e412232627401c36e8e43303f14d245649e993cf008

memory/3516-227-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3504-225-0x0000000000420000-0x0000000000CBB000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 1ce984e6c0c12a63475169ceabf793df
SHA1 e36605eb6af7648ee20d6a0bb37f0c693b207441
SHA256 2951805fc76eaae60fb684933cee28b49b75da9fd3cc5c0a444bea7850108ed4
SHA512 fe1f7049cd8b3ca7e66a2641b8244ff113adb1d95d11ba598d24a4c8242c865edd0fad2b184338d7a1b59499f1cd249a1ea0c67ab5a1c29b92586092725ea048

memory/3504-228-0x00007FF9203B0000-0x00007FF9205A5000-memory.dmp

memory/3516-229-0x00007FF9203B0000-0x00007FF9205A5000-memory.dmp

memory/3516-230-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-231-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-232-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-233-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-234-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-235-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-236-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-238-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-239-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-240-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-241-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-242-0x00007FF9203B0000-0x00007FF9205A5000-memory.dmp

memory/3516-243-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-244-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-245-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-246-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-247-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-248-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-249-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-251-0x0000000000CC0000-0x000000000155B000-memory.dmp

memory/3516-252-0x0000000000CC0000-0x000000000155B000-memory.dmp