Malware Analysis Report

2024-12-01 01:56

Sample ID 241110-bv5scsyrgm
Target 2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy
SHA256 a689bcddefaa226f246d6d4c0fa296d2f9a7c85124a7fda1bc15367c028a93bf
Tags
discovery
Score
7/10


Analysis Overview

Score
7/10

SHA256

a689bcddefaa226f246d6d4c0fa296d2f9a7c85124a7fda1bc15367c028a93bf

Threat Level: Shows suspicious behavior

The file 2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy was found to show suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:28

Reported

2024-11-10 01:31

Platform

win7-20240708-en

Max time kernel

123s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\ = "haldriver" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\ = "Application" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\open C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\open C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nwoccs.zapto.org udp

Files

\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

MD5 553ca60f6308ae27e95ae4e9b1ab6073
SHA1 817c0515f391a77bb432c2587fd9e997481992c5
SHA256 e37310d25d5248300a88f0a83c365080c1fffa39cee1fcd6b7db295da8039303
SHA512 d4f12662c39be2800a6dd5d5d11e6b5d03840038a4645661deff64d31063e546692d4ac7938dddfbdb612a2bb1db801f4f9f38be31bb5a21fcc88a7f319bdbd0

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:28

Reported

2024-11-10 01:31

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\lsassys.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\open C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\ = "Application" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\open C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\ = "halnt" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\lsassys.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe

MD5 736876af27776ae3239ade5a227aaf32
SHA1 2fdc66b903d184835f0be183163df1605ec00c5a
SHA256 b3c3fd7b831a10dacbfa94b30325d89849275f45a2452200bbac5ef7d30a995a
SHA512 797f1e3ff033bc747579352347b05babb699159a1d6dcb7651364d3659ba9ed31221e0f8c0591532399d37d073bb5a177dc1b97a72307e3ea78a7630164451ab