Malware Analysis Report

2025-04-14 02:03

Sample ID 240603-mqbjhabf5x
Target 2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy
SHA256 02874dafe44a7f2ad7e4f9c7b2806d585909dfb2fac8454007da8317ce8443aa
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

02874dafe44a7f2ad7e4f9c7b2806d585909dfb2fac8454007da8317ce8443aa

Threat level: shows suspicious behavior

The file 2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy shows suspicious behavior (score 7/10). The decisive finding in both behavioral runs is that the sample drops a copy of itself under %APPDATA%\Microsoft and rewrites the user's .exe file association so that the dropped copy fronts every executable launch.

Malicious Activity Summary

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 10:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 10:39

Reported

2024-06-03 10:42

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe N/A

Enumerates physical storage devices

Modifies registry class

What these rows record is a change of the user's default .exe file association (MITRE ATT&CK T1546.001, Event Triggered Execution: Change Default File Association). A new ProgID, ntdriver, is created in the user's Classes hive, .exe\ is pointed at it, and both ntdriver\shell\open\command and .exe\shell\open\command are set to "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe" /START "%1" %*, so every .exe this user opens through the shell is started by the dropped winit32.exe. The process list below, in which winit32.exe is invoked with /START and then relaunches itself without arguments, is consistent with this handler. The runas verb is left at "%1" %*, so elevated launches do not pass through the dropped binary. Because the hive is per user (HKU\<SID>_Classes, the view HKCU\Software\Classes presents), the hook needs no administrative rights.

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\ = "Application" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\shell C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\winit32.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\ = "ntdriver" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\shell\open C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\winit32.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe"

Network

Only DNS traffic to the sandbox resolver was captured. The single hostname queried, nwoccs.zapto.org, is a dynamic-DNS name; the report records no resolved address and no follow-on connection.

Country Destination Domain Proto
US 8.8.8.8:53 nwoccs.zapto.org udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe

MD5 5f9e26bfae81d928e75ed202cc823f57
SHA1 2402bee3182d34d8f1040cd9928d8e5fd5869fe3
SHA256 d31ca6869bfcad98d3434cd3fe5a17cabc6f880ca71ea2baf4b5975490b86e81
SHA512 679e0f3b59d3b4735f432f156755baffc642e4b9c8e9fda9496e3f5e633da742e8edeaac951e0c0526c8ec230bd2f3dbd80994d7a01d23f6de170568be5f4dac

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 10:39

Reported

2024-06-03 10:42

Platform

win10v2004-20240426-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A

Enumerates physical storage devices

Modifies registry class

The same .exe association hijack as in behavioral1 (MITRE ATT&CK T1546.001), with different names: the ProgID is haldriver and the handler written to both haldriver\shell\open\command and .exe\shell\open\command is "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe" /START "%1" %*. The runas verb is again left at "%1" %*. The one machine-wide row, the CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance key under WOW6432Node, is a key creation with no value recorded and is not part of the association chain.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\wlogon32.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\ = "haldriver" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\wlogon32.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\open C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\open C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\ = "Application" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe N/A
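The association hijack is easy to miss in a long "Modifies registry class" table, because the sandbox reports each key and value separately. The following script is an added example, not part of this report or of the sandbox: it parses the "Set value (str)" rows of the behavioral1 and behavioral2 tables above (copied here as constructed sample input; the row layout it assumes is how this report renders rows, not a documented export format), follows .exe to its ProgID to shell\open\command, flags any handler other than "%1", and emits reg.exe queries for confirming the same chain on a live host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the "Set value (str)" rows that form the
# association chain in behavioral1 (ntdriver/winit32.exe) and behavioral2
# (haldriver/wlogon32.exe), copied from this report.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\ = "ntdriver"
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\winit32.exe\" /START \"%1\" %*"
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\shell\open\command\IsolatedCommand = "\"%1\" %*"
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ntdriver\shell\runas\command\ = "\"%1\" %*"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\ = "haldriver"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\wlogon32.exe\" /START \"%1\" %*"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*"
'''

# Assumed row shape: Set value (str) <key>\<name> = "<escaped value>"
# A trailing backslash before " = " means the key's (Default) value.
ROW = re.compile(r'^Set value \(str\) (?P<path>\\REGISTRY\\\S+) = "(?P<raw>.*)"$',
                 re.IGNORECASE)


def unescape(raw: str) -> str:
    """Undo the report's C-style escaping of backslashes and double quotes."""
    return re.sub(r'\\([\\"])', r'\1', raw)


def parse_events(text: str) -> Tuple[Dict[Tuple[str, str], str], Dict[str, str]]:
    """(key, value name) -> value, lower-cased like the registry compares them,
    plus lower-cased key -> original spelling for display."""
    values: Dict[Tuple[str, str], str] = {}
    casing: Dict[str, str] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        key, _, name = m['path'].rpartition('\\')
        values[(key.lower(), name.lower())] = unescape(m['raw'])
        casing[key.lower()] = key
    return values, casing


def first_token(command: str) -> str:
    """Executable at the head of a shell verb command ("%1" on a clean system)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(maxsplit=1)[0] if command else ''


@dataclass(frozen=True)
class ExeHijack:
    classes_root: str             # e.g. \REGISTRY\USER\<SID>_CLASSES
    progid: str                   # ProgID the .exe extension now points to
    open_command: str             # shell\open\command that fronts every launch
    handler: str                  # binary at the head of that command
    runas_command: Optional[str]  # the ProgID's runas verb, if the run set it


def find_exe_hijacks(text: str) -> List[ExeHijack]:
    """Follow .exe -> ProgID -> shell\\open\\command; flag handlers other than %1."""
    values, casing = parse_events(text)
    hits: List[ExeHijack] = []
    for (key, name), progid in values.items():
        if name != '' or not key.endswith('\\.exe'):
            continue
        root = key[:-len('\\.exe')]
        progid_key = f'{root}\\{progid.lower()}'
        # The handler may sit on the ProgID or directly under .exe; this
        # sample writes both, so check both and report the first hit.
        for cmd_key in (f'{progid_key}\\shell\\open\\command',
                        f'{key}\\shell\\open\\command'):
            cmd = values.get((cmd_key, ''))
            if cmd is None or first_token(cmd).lower() == '%1':
                continue
            hits.append(ExeHijack(
                classes_root=casing[key][:-len('\\.exe')],
                progid=progid,
                open_command=cmd,
                handler=first_token(cmd),
                runas_command=values.get((f'{progid_key}\\shell\\runas\\command', '')),
            ))
            break
    return hits


def reg_query_commands(h: ExeHijack) -> List[str]:
    r"""reg.exe queries to confirm the chain on a live host; the per-user
    \REGISTRY\USER\<SID>_Classes hive is addressable under HKU by SID."""
    prefix = '\\REGISTRY\\USER\\'
    if not h.classes_root.upper().startswith(prefix):
        raise ValueError(f'not a per-user Classes hive: {h.classes_root}')
    base = 'HKU\\' + h.classes_root[len(prefix):]
    return [f'reg query "{base}\\.exe" /ve',
            f'reg query "{base}\\{h.progid}\\shell\\open\\command" /ve',
            f'reg query "{base}\\{h.progid}\\shell\\runas\\command" /ve']


if __name__ == '__main__':
    for h in find_exe_hijacks(SAMPLE_EVENTS):
        print(h.classes_root, f'.exe -> {h.progid} -> {h.handler}',
              *reg_query_commands(h), sep='\n  ')
```

On a clean system .exe resolves to the exefile ProgID whose open verb is "%1" %*, which the script deliberately does not flag. Two details of the rows are worth keeping in mind when hunting: the runas verb is left at "%1" %* in both runs, so a launch via "Run as administrator" bypasses the dropped binary, and the hive is the user's own Classes view, so the hook is present only while that user is logged on and must be checked per SID rather than under HKCR alone.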

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe"

Network

Fifteen DNS queries were captured, all to the sandbox resolver. nwoccs.zapto.org, a dynamic-DNS name, was queried five times; the in-addr.arpa entries are reverse lookups that the report does not attribute to a process, so nwoccs.zapto.org is the only hostname here to treat as an indicator. No resolved address and no follow-on connection is recorded.

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe

MD5 ef8e3b18485647620e27324494dff9b5
SHA1 4bba9bfc1787bc084ccf839a20c7e4784023ffc7
SHA256 8d9a3c34a10796d58f0f629d9a6b54d656f861af7347f728e2090d8877bade36
SHA512 726522af3bd64ba5e887a39343b326e8981fd513db944fb96e01b674753ee4575078bb907e4eec99cd4336336d17720a1f5c868ba721c8b6108558cceb22fedb

The dropped file's hashes differ both from the submitted sample's and from those of the winit32.exe dropped in behavioral1, so the drop is not a byte-for-byte copy of the sample and these hashes identify only this run's artifact. The drop path under %APPDATA%\Microsoft and the rewritten .exe shell\open\command are the more stable indicators.