Analysis Overview
SHA256
d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502a
Threat Level: Likely malicious
The file d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Deletes itself
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Enumerates connected drives
UPX packed file
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:50
Reported
2024-11-09 21:52
Platform
win7-20241023-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gctkbnm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gctkbnm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\qekyw\\xdqqbtz.dqx\",ShowModalDialog" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gctkbnm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\taskkill.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gctkbnm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe
"C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\gctkbnm.exe "C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
C:\Users\Admin\AppData\Local\Temp\gctkbnm.exe
C:\Users\Admin\AppData\Local\Temp\\gctkbnm.exe "C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\qekyw\xdqqbtz.dqx",ShowModalDialog C:\Users\Admin\AppData\Local\Temp\gctkbnm.exe
\??\c:\windows\SysWOW64\taskkill.exe
taskkill /f /im attrib.exe
Network
| Country | Destination | Domain | Proto |
| US | 142.0.137.76:803 | tcp | |
| US | 142.0.137.76:803 | tcp | |
| US | 142.0.137.66:3201 | tcp | |
| US | 142.0.137.75:805 | tcp | |
| US | 142.0.137.75:805 | tcp | |
| US | 142.0.137.75:805 | tcp | |
| US | 142.0.137.66:3201 | tcp | |
| US | 142.0.137.66:3201 | tcp | |
| US | 142.0.137.66:3201 | tcp | |
| US | 142.0.137.66:3201 | tcp | |
| US | 142.0.137.66:3201 | tcp | |
| US | 142.0.137.66:3201 | tcp |
Files
memory/2536-0-0x0000000000400000-0x0000000000428208-memory.dmp
memory/2536-2-0x0000000000400000-0x0000000000428208-memory.dmp
\Users\Admin\AppData\Local\Temp\gctkbnm.exe
| MD5 | 220157b3940afcfb9cfdae54f5d15236 |
| SHA1 | 31df1001c0aacc7dbd9798e267190ed881fd75a4 |
| SHA256 | 9c81aa01e22881a30654a170c63ce3882291661898d02f72ac598e90f1e3afb6 |
| SHA512 | 92dd8dc966b2f7ea1772660d43c41c6c22c610c510fa2c6f0d7ea5e833ed12c8edd1af4ad03ad35ad8287071332883caf6eba76210656b2c05067230ddfdcf77 |
memory/836-7-0x0000000000130000-0x0000000000159000-memory.dmp
memory/836-6-0x0000000000130000-0x0000000000159000-memory.dmp
memory/904-11-0x0000000000400000-0x0000000000428208-memory.dmp
\??\c:\qekyw\xdqqbtz.dqx
| MD5 | 4b27ac9d5bcf039b63d01e808de1ab3e |
| SHA1 | e5cf9870ce6cb7869b0b27e7115f886ca10241aa |
| SHA256 | 592e0464cff8b91353b9510a63487c40451af914fcd063b62de2fbbb41b94d91 |
| SHA512 | 5f2e91e29c743f5016d7575dd895b0562245ebc100dda816b953b06776cbe7ab67158722289d61ffbd8a5f5c59e059b47ae1f2c35012bc71aa9fc90931c6633e |
memory/2504-14-0x0000000010000000-0x000000001002A000-memory.dmp
memory/2504-15-0x0000000010000000-0x000000001002A000-memory.dmp
memory/2504-17-0x0000000010000000-0x000000001002A000-memory.dmp
memory/2504-19-0x0000000010000000-0x000000001002A000-memory.dmp
memory/2504-20-0x0000000010000000-0x000000001002A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 21:50
Reported
2024-11-09 21:52
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
115s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nrino.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nrino.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\ugexdi\\hoazt.ozh\",ShowModalDialog" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nrino.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\taskkill.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\taskkill.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nrino.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe
"C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\nrino.exe "C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
C:\Users\Admin\AppData\Local\Temp\nrino.exe
C:\Users\Admin\AppData\Local\Temp\\nrino.exe "C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\ugexdi\hoazt.ozh",ShowModalDialog C:\Users\Admin\AppData\Local\Temp\nrino.exe
\??\c:\windows\SysWOW64\taskkill.exe
taskkill /f /im attrib.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 142.0.137.76:803 | tcp | |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 142.0.137.66:3201 | tcp | |
| US | 142.0.137.75:805 | tcp | |
| US | 142.0.137.75:805 | tcp | |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 142.0.137.75:805 | tcp | |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 142.0.137.66:3201 | tcp | |
| US | 142.0.137.66:3201 | tcp | |
| US | 142.0.137.66:3201 | tcp | |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 142.0.137.66:3201 | tcp | |
| US | 142.0.137.66:3201 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.208.201.84.in-addr.arpa | udp |
| US | 142.0.137.66:3201 | tcp |
Files
memory/3288-0-0x0000000000400000-0x0000000000428208-memory.dmp
memory/3288-2-0x0000000000400000-0x0000000000428208-memory.dmp
memory/1988-6-0x0000000000400000-0x0000000000428208-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nrino.exe
| MD5 | 79bbc920e4f4c339f1380ba7eab424ed |
| SHA1 | f7408c4fa82e39251f622fe9bdfd24c93d01d8ee |
| SHA256 | f64c18f4166e1ebb82a9dd708a79d78dcbdd5bce7a4b715363f9aa88b5dd28f4 |
| SHA512 | f1805041c21d3dbfcb478b1ac9935c7b0699f1c199194f735f538e6884a2ec8e698e772fa37f6cdfab494b8e063d8171a123299be9ae3ea2abc43efbb7aa3eb3 |
memory/1988-9-0x0000000000400000-0x0000000000428208-memory.dmp
\??\c:\ugexdi\hoazt.ozh
| MD5 | 4b27ac9d5bcf039b63d01e808de1ab3e |
| SHA1 | e5cf9870ce6cb7869b0b27e7115f886ca10241aa |
| SHA256 | 592e0464cff8b91353b9510a63487c40451af914fcd063b62de2fbbb41b94d91 |
| SHA512 | 5f2e91e29c743f5016d7575dd895b0562245ebc100dda816b953b06776cbe7ab67158722289d61ffbd8a5f5c59e059b47ae1f2c35012bc71aa9fc90931c6633e |
memory/2420-12-0x0000000010000000-0x000000001002A000-memory.dmp
memory/2420-13-0x0000000010000000-0x000000001002A000-memory.dmp
memory/2420-15-0x0000000010000000-0x000000001002A000-memory.dmp
memory/2420-18-0x0000000010000000-0x000000001002A000-memory.dmp