Malware Analysis Report

2024-10-24 17:02

Sample ID 240619-yg7q5ayelb
Target 0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118
SHA256 a571cbff7518319ff7a3177fd480ccbcf7bec4a8e6694b07b4cb2e8d267e1a7c
Tags
gh0strat persistence rat upx
score
10/10


Analysis Overview

score
10/10

SHA256

a571cbff7518319ff7a3177fd480ccbcf7bec4a8e6694b07b4cb2e8d267e1a7c

Threat Level: Known bad

The file 0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat persistence rat upx

Gh0strat family

Gh0st RAT payload

Gh0strat

Executes dropped EXE

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 19:46

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat family

gh0strat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 19:46

Reported

2024-06-19 19:49

Platform

win7-20240611-en

Max time kernel

126s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2011529111153.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\WINDOWS\\Ball.exe" | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\Ball.exe | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A
File opened for modification | C:\WINDOWS\Ball.exe | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2011529111153.exe

"C:\Users\Admin\AppData\Local\Temp\2011529111153.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 baike2011.3322.org udp

Files

C:\Windows\Temp\zk.exe

MD5 7d86edf22313fa5d5eb1c54be6f6a324
SHA1 8eeb4548895910fbc7075dda25361ce959c95bdf
SHA256 e45adc891873e7f3de969313430c494ed6d1e07086208bf5a01094ffe9046c4f
SHA512 64f88917cf394de7ee603f7acf00e9d6b0cafb7083a46669ad106a776a60443898a906a5a05c917a31fc24780f94149d2628a541a645ac8d4f094c67055de69c

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-19 19:46

Reported

2024-06-19 19:49

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2011529111153.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\WINDOWS\\Ball.exe" | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\Ball.exe | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A
File opened for modification | C:\WINDOWS\Ball.exe | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111153.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2011529111153.exe

"C:\Users\Admin\AppData\Local\Temp\2011529111153.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 baike2011.3322.org udp
US 8.8.8.8:53 baike2011.3322.org udp
US 8.8.8.8:53 baike2011.3322.org udp

Files

C:\Windows\Temp\zk.exe

MD5 7d86edf22313fa5d5eb1c54be6f6a324
SHA1 8eeb4548895910fbc7075dda25361ce959c95bdf
SHA256 e45adc891873e7f3de969313430c494ed6d1e07086208bf5a01094ffe9046c4f
SHA512 64f88917cf394de7ee603f7acf00e9d6b0cafb7083a46669ad106a776a60443898a906a5a05c917a31fc24780f94149d2628a541a645ac8d4f094c67055de69c

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-19 19:46

Reported

2024-06-19 19:49

Platform

win7-20240508-en

Max time kernel

140s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2011529111155.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2011529111155.exe

"C:\Users\Admin\AppData\Local\Temp\2011529111155.exe"

Network

N/A

Files

memory/1600-4-0x0000000010000000-0x000000001003D000-memory.dmp

\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

MD5 147127382e001f495d1842ee7a9e7912
SHA1 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b
SHA256 edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc
SHA512 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

memory/1600-8-0x0000000010009000-0x000000001000A000-memory.dmp

memory/1600-10-0x0000000010000000-0x000000001003D000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-19 19:46

Reported

2024-06-19 19:49

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2011529111155.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2011529111155.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2011529111155.exe

"C:\Users\Admin\AppData\Local\Temp\2011529111155.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4588 -ip 4588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4588 -ip 4588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 728

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

MD5 147127382e001f495d1842ee7a9e7912
SHA1 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b
SHA256 edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc
SHA512 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

memory/4588-7-0x0000000010009000-0x000000001000A000-memory.dmp

memory/4588-6-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4588-8-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4588-9-0x0000000010000000-0x000000001003D000-memory.dmp

memory/4588-10-0x0000000010000000-0x000000001003D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 19:46

Reported

2024-06-19 19:49

Platform

win7-20240508-en

Max time kernel

141s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A
N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\WINDOWS\\Ball.exe" | C:\Windows\temp\2011529111153.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\Ball.exe | C:\Windows\temp\2011529111153.exe | N/A
File opened for modification | C:\WINDOWS\Ball.exe | C:\Windows\temp\2011529111153.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A
N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A
N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A
N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A
N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\temp\2011529111153.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A
N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A
N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1488 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111153.exe
PID 1488 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111153.exe
PID 1488 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111153.exe
PID 1488 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111153.exe
PID 1488 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111153.exe
PID 1488 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111153.exe
PID 1488 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111153.exe
PID 1488 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111155.exe
PID 1488 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111155.exe
PID 1488 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111155.exe
PID 1488 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111155.exe
PID 1488 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111155.exe
PID 1488 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111155.exe
PID 1488 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | C:\Windows\temp\2011529111155.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe"

C:\Windows\temp\2011529111153.exe

"C:\Windows\temp\2011529111153.exe"

C:\Windows\temp\2011529111155.exe

"C:\Windows\temp\2011529111155.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 baike2011.3322.org udp

Files

\Windows\Temp\2011529111153.exe

MD5 7d86edf22313fa5d5eb1c54be6f6a324
SHA1 8eeb4548895910fbc7075dda25361ce959c95bdf
SHA256 e45adc891873e7f3de969313430c494ed6d1e07086208bf5a01094ffe9046c4f
SHA512 64f88917cf394de7ee603f7acf00e9d6b0cafb7083a46669ad106a776a60443898a906a5a05c917a31fc24780f94149d2628a541a645ac8d4f094c67055de69c

\Windows\Temp\2011529111155.exe

MD5 88c3255b87af2fbc78529daac66d02c1
SHA1 8215823855a427ba69a4ca8edab8f340e8a9bfde
SHA256 dd87e30afab371f9be168cbdb0bed2496b12e4631c388bddfe57a232071df227
SHA512 b0740b2e401aa629099a6a0b099ba9ea6cf9c59bc2f96e493adbca8db0d541ab987df70eff4257afebe33edb5d3be2362bf28fc4809da27499a092de7cc158c5

\Windows\Temp\SkinH_EL.dll

MD5 147127382e001f495d1842ee7a9e7912
SHA1 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b
SHA256 edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc
SHA512 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

memory/2556-35-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2556-39-0x0000000010000000-0x000000001003D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 19:46

Reported

2024-06-19 19:49

Platform

win10v2004-20240508-en

Max time kernel

126s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\temp\2011529111153.exe | N/A
N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\WINDOWS\\Ball.exe" | C:\Windows\temp\2011529111153.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\Ball.exe | C:\Windows\temp\2011529111153.exe | N/A
File opened for modification | C:\WINDOWS\Ball.exe | C:\Windows\temp\2011529111153.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\temp\2011529111153.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A
N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A
N/A | N/A | C:\Windows\temp\2011529111155.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0033b46b2d76ea3aad5e1cef55648e99_JaffaCakes118.exe"

C:\Windows\temp\2011529111153.exe

"C:\Windows\temp\2011529111153.exe"

C:\Windows\temp\2011529111155.exe

"C:\Windows\temp\2011529111155.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1628 -ip 1628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1628 -ip 1628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 baike2011.3322.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 baike2011.3322.org udp

Files

C:\Windows\Temp\2011529111153.exe

MD5 7d86edf22313fa5d5eb1c54be6f6a324
SHA1 8eeb4548895910fbc7075dda25361ce959c95bdf
SHA256 e45adc891873e7f3de969313430c494ed6d1e07086208bf5a01094ffe9046c4f
SHA512 64f88917cf394de7ee603f7acf00e9d6b0cafb7083a46669ad106a776a60443898a906a5a05c917a31fc24780f94149d2628a541a645ac8d4f094c67055de69c

C:\Windows\Temp\2011529111155.exe

MD5 88c3255b87af2fbc78529daac66d02c1
SHA1 8215823855a427ba69a4ca8edab8f340e8a9bfde
SHA256 dd87e30afab371f9be168cbdb0bed2496b12e4631c388bddfe57a232071df227
SHA512 b0740b2e401aa629099a6a0b099ba9ea6cf9c59bc2f96e493adbca8db0d541ab987df70eff4257afebe33edb5d3be2362bf28fc4809da27499a092de7cc158c5

C:\Windows\Temp\SkinH_EL.dll

MD5 147127382e001f495d1842ee7a9e7912
SHA1 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b
SHA256 edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc
SHA512 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

memory/1628-34-0x0000000010009000-0x000000001000A000-memory.dmp

memory/1628-33-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1628-35-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1628-36-0x0000000010000000-0x000000001003D000-memory.dmp