Malware Analysis Report

2024-10-24 19:57

Sample ID 231106-b7cmcahb66
Target b3e6175584617c6236965596d691714dc7b85397d812c24270c5e08cefecadd7
SHA256 b3e6175584617c6236965596d691714dc7b85397d812c24270c5e08cefecadd7
Tags
amadey healer redline smokeloader maxik backdoor dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b3e6175584617c6236965596d691714dc7b85397d812c24270c5e08cefecadd7

Threat Level: Known bad

The file b3e6175584617c6236965596d691714dc7b85397d812c24270c5e08cefecadd7 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline smokeloader maxik backdoor dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Amadey

SmokeLoader

RedLine

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-06 01:46

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-06 01:46

Reported

2023-11-06 01:49

Platform

win10v2004-20231023-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3e6175584617c6236965596d691714dc7b85397d812c24270c5e08cefecadd7.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8731385.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8731385.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8731385.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8731385.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8731385.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8731385.exe N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9927685.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8731385.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3736350.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b3e6175584617c6236965596d691714dc7b85397d812c24270c5e08cefecadd7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1213141.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8717609.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8717609.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8717609.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8731385.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8731385.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8717609.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8717609.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8717609.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8731385.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9927685.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4772 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\b3e6175584617c6236965596d691714dc7b85397d812c24270c5e08cefecadd7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1213141.exe
PID 4520 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1213141.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3736350.exe
PID 3704 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3736350.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8731385.exe
PID 3704 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3736350.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9927685.exe
PID 3624 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9927685.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 4520 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1213141.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8717609.exe
PID 3560 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3560 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3700 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3700 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3700 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3700 wrote to memory of 4180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3700 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3700 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4772 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\b3e6175584617c6236965596d691714dc7b85397d812c24270c5e08cefecadd7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8393944.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b3e6175584617c6236965596d691714dc7b85397d812c24270c5e08cefecadd7.exe

"C:\Users\Admin\AppData\Local\Temp\b3e6175584617c6236965596d691714dc7b85397d812c24270c5e08cefecadd7.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1213141.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1213141.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3736350.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3736350.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8731385.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8731385.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9927685.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9927685.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8717609.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8717609.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8393944.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8393944.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 61.68.91.77.in-addr.arpa udp
FI 77.91.124.156:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.68.29:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 126.209.247.8.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1213141.exe

MD5 8c07c86f52ecfb20629068799e98f450
SHA1 623c3c3c10b331dd10dbf95e98d96839b1e6bc70
SHA256 1bd037b3b5cd45e3bea6daefdbc3343bb68b9976e6aee1a78a0d9cd58a3481ee
SHA512 80b5ed7a130291bfbce3f2849e521f9b116b923b242734aee124bacc01c31668390727aa2cb1664b574b514df8f613e8670bcc1656d9b0733999f4062fd5c416

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3736350.exe

MD5 ecb8f8c10f30347a2ad9d6950c54d015
SHA1 ab86462ffe94ccc00b7a18b3ea8e6f49cf0cbad6
SHA256 54103ee96fea7cdce1396e2f5df2e394424e056c9a6c2dd7ebdc757307d66343
SHA512 050d326401b40d3af20488856a02e9a8df1bd447906c59119430b94cdd1c585b49a062f77cda826df305ba5eb705232dedb5c89e1c0bd06e0070c4de3eefe0f4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8731385.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4672-21-0x0000000000B50000-0x0000000000B5A000-memory.dmp

memory/4672-22-0x00007FFECBA30000-0x00007FFECC4F1000-memory.dmp

memory/4672-24-0x00007FFECBA30000-0x00007FFECC4F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9927685.exe

MD5 d4b37d46b09b686c1a273104c7f001bf
SHA1 cc781288e43f74f4d9a4edac582227a05ee20981
SHA256 f67bed2e61881f4b99a93569fcb57eba7926b8525e6d53bd9092c2e163951efc
SHA512 30746b849ffff7216eb74525051ce7ba6331bd07d5c274d3141cedee69432e99924c709029ab0d3c46d828a6e37a11905ca2cd6d70db3dbcf97f3dd2adb34ecf

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

MD5 d4b37d46b09b686c1a273104c7f001bf
SHA1 cc781288e43f74f4d9a4edac582227a05ee20981
SHA256 f67bed2e61881f4b99a93569fcb57eba7926b8525e6d53bd9092c2e163951efc
SHA512 30746b849ffff7216eb74525051ce7ba6331bd07d5c274d3141cedee69432e99924c709029ab0d3c46d828a6e37a11905ca2cd6d70db3dbcf97f3dd2adb34ecf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8717609.exe

MD5 236684de3c3868f7f2bac405cdc80912
SHA1 3d9561899082781f073210f85674ff6ceef544a4
SHA256 0f198b1220cd9596530798d00499c113b66e8fe90955661f4eceef0befc90562
SHA512 44fa2885e8cc507ea0ab1634c2b48e236c25e3bfbf2dd6268a3d7471a279189838a7d278662f42e4c6cc00b23b621e33babceca811337743d237c36caa5ef267

memory/5024-40-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5024-43-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3440-42-0x0000000000910000-0x0000000000926000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8393944.exe

MD5 1eb5d499370c238ca969bdd792339096
SHA1 f519724fc630355849ad45b1f6a163e5d5f1428c
SHA256 346d11c168ff98eb489e1d52377014a8e7611274bb94dba24358f6d129159d80
SHA512 6e5cf63fbaf3733dea307ad53cf90e22990646b060dd96e991fac4c624c7e50f0b6caaeb7f76155192f5da1b9f75331a844c9ba89938bebd9eb5618b5427a078
