Malware Analysis Report

2025-01-02 05:17

Sample ID 231111-c3cxzsfc9x
Target f2057621dafe3cf02981cb350fb8ad4d.bin
SHA256 ea8ecda6aaf0a6560b614a46a33112caf8ab6404be64ced23fa202737ddbacbf
Tags
mystic redline sectoprat smokeloader zgrat pixelnew2.0 taiga backdoor infostealer persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea8ecda6aaf0a6560b614a46a33112caf8ab6404be64ced23fa202737ddbacbf

Threat Level: Known bad

The file f2057621dafe3cf02981cb350fb8ad4d.bin was found to be: Known bad.

Malicious Activity Summary

mystic redline sectoprat smokeloader zgrat pixelnew2.0 taiga backdoor infostealer persistence rat stealer trojan

Mystic

ZGRat

SectopRAT payload

SectopRAT

Detect ZGRat V1

RedLine payload

SmokeLoader

Detect Mystic stealer payload

RedLine

Downloads MZ/PE file

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Checks SCSI registry key(s)

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-11 02:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-11 02:35

Reported

2023-11-11 02:39

Platform

win10v2004-20231023-en

Max time kernel

129s

Max time network

187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2057621dafe3cf02981cb350fb8ad4d.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f2057621dafe3cf02981cb350fb8ad4d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\f2057621dafe3cf02981cb350fb8ad4d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe
PID 2508 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\f2057621dafe3cf02981cb350fb8ad4d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe
PID 2508 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\f2057621dafe3cf02981cb350fb8ad4d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe
PID 2932 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe
PID 2932 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe
PID 2932 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe
PID 3516 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe
PID 3516 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe
PID 3516 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe
PID 4840 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4840 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4840 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4840 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4840 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4840 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4840 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4840 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4840 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4840 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4840 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4840 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4840 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3516 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe
PID 3516 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe
PID 3516 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe
PID 2932 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe
PID 2932 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe
PID 2932 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe
PID 3448 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3448 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3448 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3448 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3448 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3448 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2260 wrote to memory of 440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2260 wrote to memory of 440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2260 wrote to memory of 440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 3448 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3448 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3448 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3448 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3448 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2508 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f2057621dafe3cf02981cb350fb8ad4d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7zz9WB03.exe
PID 2508 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f2057621dafe3cf02981cb350fb8ad4d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7zz9WB03.exe
PID 2508 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f2057621dafe3cf02981cb350fb8ad4d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7zz9WB03.exe
PID 3260 wrote to memory of 3424 N/A N/A C:\Users\Admin\AppData\Local\Temp\D807.exe
PID 3260 wrote to memory of 3424 N/A N/A C:\Users\Admin\AppData\Local\Temp\D807.exe
PID 3260 wrote to memory of 4864 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6CD.exe
PID 3260 wrote to memory of 4864 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6CD.exe
PID 3260 wrote to memory of 4864 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6CD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f2057621dafe3cf02981cb350fb8ad4d.exe

"C:\Users\Admin\AppData\Local\Temp\f2057621dafe3cf02981cb350fb8ad4d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2260 -ip 2260

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7zz9WB03.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7zz9WB03.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 540

C:\Users\Admin\AppData\Local\Temp\D807.exe

C:\Users\Admin\AppData\Local\Temp\D807.exe

C:\Users\Admin\AppData\Local\Temp\E6CD.exe

C:\Users\Admin\AppData\Local\Temp\E6CD.exe

C:\Users\Admin\AppData\Local\Temp\EBC0.exe

C:\Users\Admin\AppData\Local\Temp\EBC0.exe

C:\Users\Admin\AppData\Local\Temp\B30.exe

C:\Users\Admin\AppData\Local\Temp\B30.exe

C:\Users\Admin\AppData\Local\Temp\DE0.exe

C:\Users\Admin\AppData\Local\Temp\DE0.exe

C:\Users\Admin\AppData\Local\Temp\1256.exe

C:\Users\Admin\AppData\Local\Temp\1256.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 121.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 121.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
RU 5.42.92.190:80 5.42.92.190 tcp
US 194.49.94.72:80 194.49.94.72 tcp
US 8.8.8.8:53 190.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 72.94.49.194.in-addr.arpa udp
RU 5.42.92.190:80 5.42.92.190 tcp
NL 194.169.175.118:80 194.169.175.118 tcp
US 8.8.8.8:53 118.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
RU 5.42.92.190:80 5.42.92.190 tcp
IT 185.196.9.161:80 185.196.9.161 tcp
US 8.8.8.8:53 161.9.196.185.in-addr.arpa udp
RU 185.174.136.219:443 tcp
RU 5.42.92.190:80 5.42.92.190 tcp
RU 5.42.64.16:443 tcp
US 8.8.8.8:53 16.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe

MD5 53e3d7f256fba648ef59ca0021c58305
SHA1 125f02ca07f09513b226a85ccbd7ec0c99658a34
SHA256 cfa5cb889924899fc5331bf7c7ae2391d9dd33171eb08f368b69b52ed4502b54
SHA512 4526699112f29fe1ab14962b5b65c15a716540a6485aa8ccb4d5b3447d381f8dfbaa51ba42f198da0fc4f1fbefd5f5442ac09a6a9e94ee336ad552e2ff27deec

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OR9Ki82.exe

MD5 53e3d7f256fba648ef59ca0021c58305
SHA1 125f02ca07f09513b226a85ccbd7ec0c99658a34
SHA256 cfa5cb889924899fc5331bf7c7ae2391d9dd33171eb08f368b69b52ed4502b54
SHA512 4526699112f29fe1ab14962b5b65c15a716540a6485aa8ccb4d5b3447d381f8dfbaa51ba42f198da0fc4f1fbefd5f5442ac09a6a9e94ee336ad552e2ff27deec

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe

MD5 21814dae68da51c7551de838872f3d88
SHA1 7c891b62a59937c92502880d4d57de8c92dc533a
SHA256 436300a43d42fd20930d95ae14eb6388d558623679bf44a1c7ecbc5691373958
SHA512 b9f952b55d94e0590a2e88637d71aa3d7880da20cc5dc204dbc9468264dd3a5a9aed012a04c1a89c8bd2f9312c547fcf3f9317f44c1e3c8170f099337edb71d3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou7mI12.exe

MD5 21814dae68da51c7551de838872f3d88
SHA1 7c891b62a59937c92502880d4d57de8c92dc533a
SHA256 436300a43d42fd20930d95ae14eb6388d558623679bf44a1c7ecbc5691373958
SHA512 b9f952b55d94e0590a2e88637d71aa3d7880da20cc5dc204dbc9468264dd3a5a9aed012a04c1a89c8bd2f9312c547fcf3f9317f44c1e3c8170f099337edb71d3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe

MD5 784667bb96ccb30c4cf44f2c5f493769
SHA1 28185165ab4dbbb4a139ae1af0bb6934ebe05c04
SHA256 1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9
SHA512 62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hA46tI1.exe

MD5 784667bb96ccb30c4cf44f2c5f493769
SHA1 28185165ab4dbbb4a139ae1af0bb6934ebe05c04
SHA256 1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9
SHA512 62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20

memory/2260-21-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2260-22-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2260-23-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2260-25-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe

MD5 b938034561ab089d7047093d46deea8f
SHA1 d778c32cc46be09b107fa47cf3505ba5b748853d
SHA256 260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161
SHA512 4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eI0691.exe

MD5 b938034561ab089d7047093d46deea8f
SHA1 d778c32cc46be09b107fa47cf3505ba5b748853d
SHA256 260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161
SHA512 4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

memory/4292-28-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4292-32-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3260-30-0x0000000003140000-0x0000000003156000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe

MD5 14d9834611ad581afcfea061652ff6cb
SHA1 802f964d0be7858eb2f1e7c6fcda03501fd1b71c
SHA256 e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60
SHA512 cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cw7oj7.exe

MD5 14d9834611ad581afcfea061652ff6cb
SHA1 802f964d0be7858eb2f1e7c6fcda03501fd1b71c
SHA256 e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60
SHA512 cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5

memory/2332-37-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7zz9WB03.exe

MD5 1d71ef189dabc8c5abb381286f47cc85
SHA1 93c4c272d017af943205b54719ab51553a43ade8
SHA256 6f7aaa2c7e4418b4e280c82fdb6b8684f7e653b9584f7be4b05bf2a9fb70ca41
SHA512 93eb68da6bb99dc5d77fece799f0a9c221eedabad73449806ba0e48a29bc51bf83635129c578477d8c867ce177e2e30a1c3a34e0ff2e72355a326fc11e35fa64

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7zz9WB03.exe

MD5 1d71ef189dabc8c5abb381286f47cc85
SHA1 93c4c272d017af943205b54719ab51553a43ade8
SHA256 6f7aaa2c7e4418b4e280c82fdb6b8684f7e653b9584f7be4b05bf2a9fb70ca41
SHA512 93eb68da6bb99dc5d77fece799f0a9c221eedabad73449806ba0e48a29bc51bf83635129c578477d8c867ce177e2e30a1c3a34e0ff2e72355a326fc11e35fa64

C:\Users\Admin\AppData\Local\Temp\D807.exe

MD5 211097310dfd7c551035a38baae5f637
SHA1 e376bd625016637fc68ee4b22280c26edc6594d2
SHA256 733e2c2b9b6f626b4395f5b12a9920b5f6d0e59fb9b61e28c85c7476da942436
SHA512 73316cb83ede1431c0759eb8c03ccead213ad9d1ac8e7fa3c80501475305e7e40e621efd27a97da83bd072bb70a7e9e7e9629953f8b1970abdf71c57e3f7aee9

C:\Users\Admin\AppData\Local\Temp\E6CD.exe

MD5 00b8992b81895399705febca26261d2f
SHA1 cad8070a0a9d26c5157af0430f3c6e4cfd507dc4
SHA256 ecaa0c2607027b807cd7092124f7e3ce4982fb7a05436ede18e2fb3b66a48528
SHA512 7bbb1e9f73b9f0c5aa1df89839c7affc59609deb483cc93b733707cb8248ed27f9c1cef6a0f12f5b50caf8ec6243c8d1114283d4fd5dbbbd7fef9cd16345f4c1

C:\Users\Admin\AppData\Local\Temp\E6CD.exe

MD5 00b8992b81895399705febca26261d2f
SHA1 cad8070a0a9d26c5157af0430f3c6e4cfd507dc4
SHA256 ecaa0c2607027b807cd7092124f7e3ce4982fb7a05436ede18e2fb3b66a48528
SHA512 7bbb1e9f73b9f0c5aa1df89839c7affc59609deb483cc93b733707cb8248ed27f9c1cef6a0f12f5b50caf8ec6243c8d1114283d4fd5dbbbd7fef9cd16345f4c1

memory/4864-52-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EBC0.exe

MD5 0592c6d7674c77b053080c5b6e79fdcb
SHA1 693339ede19093e2b4593fda93be0b140be69141
SHA256 fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14
SHA512 37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

memory/4864-55-0x0000000000540000-0x000000000059A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EBC0.exe

MD5 0592c6d7674c77b053080c5b6e79fdcb
SHA1 693339ede19093e2b4593fda93be0b140be69141
SHA256 fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14
SHA512 37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

memory/2332-60-0x00000000738C0000-0x0000000074070000-memory.dmp

memory/3588-61-0x00000000738C0000-0x0000000074070000-memory.dmp

memory/4864-62-0x00000000738C0000-0x0000000074070000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B30.exe

MD5 c6efb8a96d16975e226f757619892d09
SHA1 fe1d7fc49e6ca211930347334eb27b0d64d9b5dc
SHA256 2f831895016ec2f255ca65fb3fb7b7aac1c5f8bd07569fd170bba8dabca86f7c
SHA512 d373614d6d4fb31449212936d62f4584b8023a9c4776e7fc94634b0c494137287f7bf9b2296a4f8e1b43055fd73377322a4bae01407ea95615723f7a2e4cd8ec

C:\Users\Admin\AppData\Local\Temp\B30.exe

MD5 c6efb8a96d16975e226f757619892d09
SHA1 fe1d7fc49e6ca211930347334eb27b0d64d9b5dc
SHA256 2f831895016ec2f255ca65fb3fb7b7aac1c5f8bd07569fd170bba8dabca86f7c
SHA512 d373614d6d4fb31449212936d62f4584b8023a9c4776e7fc94634b0c494137287f7bf9b2296a4f8e1b43055fd73377322a4bae01407ea95615723f7a2e4cd8ec

memory/3160-67-0x00000000738C0000-0x0000000074070000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DE0.exe

MD5 d497d6f5d3b74379d1ca2e1abde20281
SHA1 937aac5cf9191e833724edda2742ed115a5237c7
SHA256 a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564
SHA512 bdb28622542e3b34e40b37a189a967b6136963200fec616c6147fd36bb543b94a7d64128d5fbd65a5358b1131dc265c7cbdb1240fece3e8c09652b97c4c025a6

C:\Users\Admin\AppData\Local\Temp\DE0.exe

MD5 d497d6f5d3b74379d1ca2e1abde20281
SHA1 937aac5cf9191e833724edda2742ed115a5237c7
SHA256 a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564
SHA512 bdb28622542e3b34e40b37a189a967b6136963200fec616c6147fd36bb543b94a7d64128d5fbd65a5358b1131dc265c7cbdb1240fece3e8c09652b97c4c025a6

memory/2940-73-0x000001A69BF60000-0x000001A69C04E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1256.exe

MD5 73ae6c3b85c619aa3fb06de545597251
SHA1 eb1aebe3b76ca3a2b5075880a307c7da2a7d4526
SHA256 622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427
SHA512 912a6aac98a5e83d9519b9bb40efebe843d5265768a702c5523161ba2edd422d7c7d743eaac8c5ddab6719f2500a9826979baab2ed22d0bd7d6be66f56d59923

C:\Users\Admin\AppData\Local\Temp\1256.exe

MD5 73ae6c3b85c619aa3fb06de545597251
SHA1 eb1aebe3b76ca3a2b5075880a307c7da2a7d4526
SHA256 622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427
SHA512 912a6aac98a5e83d9519b9bb40efebe843d5265768a702c5523161ba2edd422d7c7d743eaac8c5ddab6719f2500a9826979baab2ed22d0bd7d6be66f56d59923

memory/3100-77-0x00000239578D0000-0x0000023957972000-memory.dmp

memory/3424-78-0x00007FF7EA3A0000-0x00007FF7EAD48000-memory.dmp

memory/3100-80-0x0000023971DF0000-0x0000023971EF0000-memory.dmp

memory/2940-79-0x000001A69DDD0000-0x000001A69DEB0000-memory.dmp

memory/3588-81-0x0000000000F10000-0x0000000000F2E000-memory.dmp

memory/3160-82-0x0000000000BD0000-0x000000000186A000-memory.dmp

memory/2940-83-0x000001A6B6620000-0x000001A6B6700000-memory.dmp

memory/2940-85-0x00007FFFA9300000-0x00007FFFA9DC1000-memory.dmp

memory/3424-86-0x00007FF7EA3A0000-0x00007FF7EAD48000-memory.dmp

memory/2940-87-0x000001A6B6700000-0x000001A6B67C8000-memory.dmp

memory/3100-88-0x00007FFFA9300000-0x00007FFFA9DC1000-memory.dmp

memory/3424-89-0x00007FF7EA3A0000-0x00007FF7EAD48000-memory.dmp

memory/2940-90-0x000001A69DD50000-0x000001A69DD60000-memory.dmp

memory/3100-92-0x0000023957DB0000-0x0000023957DC0000-memory.dmp

memory/3100-94-0x0000023971EF0000-0x0000023971F3C000-memory.dmp

memory/2940-93-0x000001A6B68D0000-0x000001A6B6998000-memory.dmp

memory/3100-91-0x0000023957DF0000-0x0000023957E46000-memory.dmp

memory/3100-95-0x00000239727F0000-0x0000023972844000-memory.dmp

memory/4864-96-0x0000000007130000-0x00000000076D4000-memory.dmp

memory/3424-97-0x00007FF7EA3A0000-0x00007FF7EAD48000-memory.dmp