Malware Analysis Report

2025-06-16 05:30

Sample ID 211208-ajqcvsggc8
Target 5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69
SHA256 5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69
Tags
amadey bazarloader raccoon redline smokeloader f797145799b7b1b77b35d81de942eee0908da519 fd4f23250443a724a3d1548e6ab07c481dfc2814 backdoor dropper infostealer loader stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69

Threat Level: Known bad

The file 5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69 was found to be: Known bad.

Malicious Activity Summary

Bazar Loader

Amadey

Raccoon

RedLine Payload

SmokeLoader

RedLine

Bazar/Team9 Loader payload

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-12-08 00:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-08 00:14

Reported

2021-12-08 00:17

Platform

win10-en-20211014

Max time kernel

151s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe"

Signatures

Amadey

trojan amadey

Bazar Loader

loader dropper bazarloader

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Bazar/Team9 Loader payload

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C0CD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\616.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\48EC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\48EC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\48EC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe N/A
N/A N/A N/A N/A (62 further events, all four fields N/A)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (13 events)
Token: SeCreatePagefilePrivilege N/A N/A N/A (13 events, each following one of the SeShutdownPrivilege events above)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4056 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe
PID 4056 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe
PID 4056 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe
PID 4056 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe
PID 4056 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe
PID 4056 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe
PID 2800 wrote to memory of 2068 N/A N/A C:\Users\Admin\AppData\Local\Temp\48EC.exe
PID 2800 wrote to memory of 2068 N/A N/A C:\Users\Admin\AppData\Local\Temp\48EC.exe
PID 2800 wrote to memory of 2068 N/A N/A C:\Users\Admin\AppData\Local\Temp\48EC.exe
PID 2068 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\48EC.exe C:\Users\Admin\AppData\Local\Temp\48EC.exe
PID 2068 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\48EC.exe C:\Users\Admin\AppData\Local\Temp\48EC.exe
PID 2068 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\48EC.exe C:\Users\Admin\AppData\Local\Temp\48EC.exe
PID 2068 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\48EC.exe C:\Users\Admin\AppData\Local\Temp\48EC.exe
PID 2068 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\48EC.exe C:\Users\Admin\AppData\Local\Temp\48EC.exe
PID 2068 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\48EC.exe C:\Users\Admin\AppData\Local\Temp\48EC.exe
PID 2800 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE0D.exe
PID 2800 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE0D.exe
PID 2800 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE0D.exe
PID 2800 wrote to memory of 2552 N/A N/A C:\Users\Admin\AppData\Local\Temp\C0CD.exe
PID 2800 wrote to memory of 2552 N/A N/A C:\Users\Admin\AppData\Local\Temp\C0CD.exe
PID 2800 wrote to memory of 2552 N/A N/A C:\Users\Admin\AppData\Local\Temp\C0CD.exe
PID 2800 wrote to memory of 1200 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2800 wrote to memory of 1200 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2800 wrote to memory of 2276 N/A N/A C:\Users\Admin\AppData\Local\Temp\616.exe
PID 2800 wrote to memory of 2276 N/A N/A C:\Users\Admin\AppData\Local\Temp\616.exe
PID 2800 wrote to memory of 2276 N/A N/A C:\Users\Admin\AppData\Local\Temp\616.exe
PID 2800 wrote to memory of 2004 N/A N/A C:\Users\Admin\AppData\Local\Temp\146F.exe
PID 2800 wrote to memory of 2004 N/A N/A C:\Users\Admin\AppData\Local\Temp\146F.exe
PID 2800 wrote to memory of 2004 N/A N/A C:\Users\Admin\AppData\Local\Temp\146F.exe
PID 2004 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3548 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3548 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2004 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2384 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2384 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2004 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2428 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2428 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2800 wrote to memory of 3532 N/A N/A C:\Users\Admin\AppData\Local\Temp\2DF3.exe
PID 2800 wrote to memory of 3532 N/A N/A C:\Users\Admin\AppData\Local\Temp\2DF3.exe
PID 2800 wrote to memory of 3532 N/A N/A C:\Users\Admin\AppData\Local\Temp\2DF3.exe
PID 2004 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
PID 2004 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
PID 2004 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\146F.exe C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
PID 3492 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3492 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe

"C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe"

C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe

"C:\Users\Admin\AppData\Local\Temp\5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69.exe"

C:\Users\Admin\AppData\Local\Temp\48EC.exe

C:\Users\Admin\AppData\Local\Temp\48EC.exe

C:\Users\Admin\AppData\Local\Temp\48EC.exe

C:\Users\Admin\AppData\Local\Temp\48EC.exe

C:\Users\Admin\AppData\Local\Temp\BE0D.exe

C:\Users\Admin\AppData\Local\Temp\BE0D.exe

C:\Users\Admin\AppData\Local\Temp\C0CD.exe

C:\Users\Admin\AppData\Local\Temp\C0CD.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\21D.dll

C:\Users\Admin\AppData\Local\Temp\616.exe

C:\Users\Admin\AppData\Local\Temp\616.exe

C:\Users\Admin\AppData\Local\Temp\146F.exe

C:\Users\Admin\AppData\Local\Temp\146F.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\2DF3.exe

C:\Users\Admin\AppData\Local\Temp\2DF3.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

"C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.windows.com udp
NL 40.119.148.38:123 time.windows.com udp
US 8.8.8.8:53 host-data-coin-11.com udp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
US 8.8.8.8:53 privacy-tools-for-you-777.com udp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
RU 185.186.142.166:80 tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
US 8.8.8.8:53 file-coin-data-5.com udp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
DE 185.233.81.115:443 tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
US 8.8.8.8:53 unicupload.top udp
DE 8.209.106.57:80 unicupload.top tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
HU 91.219.236.27:80 tcp
NL 109.234.38.101:25717 tcp
HU 91.219.236.27:80 tcp
MD 94.158.245.167:80 tcp
MD 94.158.245.167:80 tcp
HU 185.163.204.216:80 185.163.204.216 tcp
MD 94.158.245.147:80 tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
US 8.8.8.8:53 infinity-cheats.com udp
NL 45.141.159.64:80 infinity-cheats.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
DE 194.85.248.229:30260 tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 109.234.38.101:25717 tcp
SC 185.215.113.35:80 185.215.113.35 tcp
SC 185.215.113.35:80 185.215.113.35 tcp
DE 194.85.248.229:30260 tcp
MD 94.158.245.147:80 tcp
NL 109.234.38.101:25717 tcp
DE 194.85.248.229:30260 tcp
NL 109.234.38.101:25717 tcp
MD 94.158.245.147:80 tcp

Files

memory/1148-115-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1148-116-0x0000000000402F47-mapping.dmp

memory/4056-118-0x0000000002CE0000-0x0000000002CE9000-memory.dmp

memory/4056-117-0x0000000002B80000-0x0000000002C2E000-memory.dmp

memory/2800-119-0x0000000000A50000-0x0000000000A66000-memory.dmp

memory/2068-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\48EC.exe

MD5 09b5b0a7b9cc8ee3c0bef59dc3efeb12
SHA1 f0a81ebac233bda1421f490e4bfb8838cf7dbb4f
SHA256 5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69
SHA512 d5e8444f46da02db5aafabc86e19cb6bd2a313a501b4704d2ac10831d9359b2f638612810722dc67a0d3eb668f8907b46fa852042ea27e096d83dbfaabe09df9

C:\Users\Admin\AppData\Local\Temp\48EC.exe

MD5 09b5b0a7b9cc8ee3c0bef59dc3efeb12
SHA1 f0a81ebac233bda1421f490e4bfb8838cf7dbb4f
SHA256 5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69
SHA512 d5e8444f46da02db5aafabc86e19cb6bd2a313a501b4704d2ac10831d9359b2f638612810722dc67a0d3eb668f8907b46fa852042ea27e096d83dbfaabe09df9

memory/676-124-0x0000000000402F47-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\48EC.exe

MD5 09b5b0a7b9cc8ee3c0bef59dc3efeb12
SHA1 f0a81ebac233bda1421f490e4bfb8838cf7dbb4f
SHA256 5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69
SHA512 d5e8444f46da02db5aafabc86e19cb6bd2a313a501b4704d2ac10831d9359b2f638612810722dc67a0d3eb668f8907b46fa852042ea27e096d83dbfaabe09df9

memory/2068-126-0x0000000002B80000-0x0000000002CCA000-memory.dmp

memory/2068-127-0x0000000002B80000-0x0000000002CCA000-memory.dmp

memory/2800-128-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

memory/2720-129-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BE0D.exe

MD5 bce50d5b17bb88f22f0000511026520d
SHA1 599aaed4ee72ec0e0fc4cada844a1c210e332961
SHA256 77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455
SHA512 c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

C:\Users\Admin\AppData\Local\Temp\BE0D.exe

MD5 bce50d5b17bb88f22f0000511026520d
SHA1 599aaed4ee72ec0e0fc4cada844a1c210e332961
SHA256 77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455
SHA512 c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

memory/2552-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C0CD.exe

MD5 0cefed061e2a2241ecd302d7790a2f80
SHA1 5f119195af2db118c5fbac21634bea00f5d5b8da
SHA256 014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983
SHA512 7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

C:\Users\Admin\AppData\Local\Temp\C0CD.exe

MD5 0cefed061e2a2241ecd302d7790a2f80
SHA1 5f119195af2db118c5fbac21634bea00f5d5b8da
SHA256 014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983
SHA512 7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

memory/2552-136-0x0000000000890000-0x00000000008F9000-memory.dmp

memory/2552-137-0x0000000001390000-0x0000000001391000-memory.dmp

memory/2552-138-0x0000000075530000-0x00000000756F2000-memory.dmp

memory/2552-139-0x0000000075AF0000-0x0000000075BE1000-memory.dmp

memory/2552-140-0x0000000000890000-0x0000000000891000-memory.dmp

memory/2552-142-0x00000000720F0000-0x0000000072170000-memory.dmp

memory/2552-143-0x0000000005F70000-0x0000000005F71000-memory.dmp

memory/2552-144-0x0000000005910000-0x0000000005911000-memory.dmp

memory/2552-145-0x0000000005A70000-0x0000000005A71000-memory.dmp

memory/2720-146-0x0000000000550000-0x00000000005FE000-memory.dmp

memory/2720-148-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2552-150-0x0000000005950000-0x0000000005951000-memory.dmp

memory/2552-149-0x00000000059A0000-0x00000000059A1000-memory.dmp

memory/2552-147-0x0000000002F00000-0x0000000002F45000-memory.dmp

memory/2552-151-0x0000000074F10000-0x0000000075494000-memory.dmp

memory/2552-152-0x0000000076760000-0x0000000077AA8000-memory.dmp

memory/2552-153-0x00000000059E0000-0x00000000059E1000-memory.dmp

memory/2552-154-0x0000000070360000-0x00000000703AB000-memory.dmp

memory/1200-155-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\21D.dll

MD5 a49d28798147cc039e3ac341044fe612
SHA1 b950324092db34ad2940560d85f07744dd9e5b0c
SHA256 17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b
SHA512 6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a

\Users\Admin\AppData\Local\Temp\21D.dll

MD5 a49d28798147cc039e3ac341044fe612
SHA1 b950324092db34ad2940560d85f07744dd9e5b0c
SHA256 17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b
SHA512 6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a

memory/2276-158-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\616.exe

MD5 6beb00521639f19ea32c64a0799c79b4
SHA1 2d1993a460759b547655480c6aa1f709ca398f34
SHA256 7ee5247dc27418f26e7efe0e84b82e0962d3989851fbae2954f62468e8c7e96b
SHA512 6a59f050fe30ec2c2d7bb427b315b737c56a8143b23f340799e95ba3c8057a813b442f8eb88d03048cc36bba7d0b4cdf15306c896959fefe264ed874267f99cc

C:\Users\Admin\AppData\Local\Temp\616.exe

MD5 6beb00521639f19ea32c64a0799c79b4
SHA1 2d1993a460759b547655480c6aa1f709ca398f34
SHA256 7ee5247dc27418f26e7efe0e84b82e0962d3989851fbae2954f62468e8c7e96b
SHA512 6a59f050fe30ec2c2d7bb427b315b737c56a8143b23f340799e95ba3c8057a813b442f8eb88d03048cc36bba7d0b4cdf15306c896959fefe264ed874267f99cc

memory/2276-161-0x0000000000FD0000-0x0000000001082000-memory.dmp

memory/2276-162-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/2276-164-0x0000000075AF0000-0x0000000075BE1000-memory.dmp

memory/2276-163-0x0000000075530000-0x00000000756F2000-memory.dmp

memory/2276-165-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

memory/2276-167-0x00000000720F0000-0x0000000072170000-memory.dmp

memory/2276-172-0x0000000074F10000-0x0000000075494000-memory.dmp

memory/2276-173-0x0000000000F00000-0x0000000000FAE000-memory.dmp

memory/2276-175-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

memory/2276-174-0x0000000076760000-0x0000000077AA8000-memory.dmp

memory/2276-177-0x0000000070360000-0x00000000703AB000-memory.dmp

memory/2004-178-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\146F.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

C:\Users\Admin\AppData\Local\Temp\146F.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/2004-182-0x00000000004E0000-0x000000000058E000-memory.dmp

memory/2004-183-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3548-184-0x0000000000000000-mapping.dmp

memory/2940-185-0x0000000000000000-mapping.dmp

memory/3468-186-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/2384-188-0x0000000000000000-mapping.dmp

memory/3400-189-0x0000000000000000-mapping.dmp

memory/2428-190-0x0000000000000000-mapping.dmp

memory/2840-191-0x0000000000000000-mapping.dmp

memory/3524-192-0x0000000000000000-mapping.dmp

memory/3492-194-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2DF3.exe

MD5 104143b29cdac7bbbdb533e036a7279c
SHA1 982211603b7708ea73dea6275230f1bbe2bcb340
SHA256 0b8eca673c3b5c7663349c87a4830dea3ee44cdf93c0634554d8baff1cacf92f
SHA512 780cb10d34c5b809ebc82b3fbd546840cb73e14d6733333d1203f8ef239c623526aeb63023867a7c8eff653ee4029595eedce4f8864dafe9f113a1ac651d9047

memory/3532-193-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2DF3.exe

MD5 104143b29cdac7bbbdb533e036a7279c
SHA1 982211603b7708ea73dea6275230f1bbe2bcb340
SHA256 0b8eca673c3b5c7663349c87a4830dea3ee44cdf93c0634554d8baff1cacf92f
SHA512 780cb10d34c5b809ebc82b3fbd546840cb73e14d6733333d1203f8ef239c623526aeb63023867a7c8eff653ee4029595eedce4f8864dafe9f113a1ac651d9047

memory/3128-197-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

C:\Users\Admin\AppData\Local\Temp\03795181499162622812

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2064-201-0x0000000000000000-mapping.dmp

memory/1320-202-0x0000000000000000-mapping.dmp

memory/732-203-0x0000000000000000-mapping.dmp

memory/3128-205-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3128-204-0x00000000004B0000-0x00000000004E9000-memory.dmp

memory/2744-206-0x0000000000000000-mapping.dmp

memory/3532-207-0x0000000002BC0000-0x0000000002D0A000-memory.dmp

memory/3532-208-0x0000000002E70000-0x0000000002EFF000-memory.dmp

memory/3532-209-0x0000000000400000-0x0000000002BBD000-memory.dmp

memory/1200-211-0x0000000001220000-0x0000000001222000-memory.dmp

memory/1200-210-0x0000000001220000-0x0000000001222000-memory.dmp

memory/1200-212-0x0000000002B40000-0x0000000002B80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/1952-214-0x000000000081E000-0x000000000083C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\03795181499162622812

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1952-216-0x0000000000460000-0x00000000005AA000-memory.dmp

memory/1952-217-0x0000000000400000-0x000000000045E000-memory.dmp