Malware Analysis Report

2024-10-16 03:44

Sample ID 240508-m359mshb2x
Target 73d68c52c799495637a7ea3b3b4a9b20_NEIKI
SHA256 0655d16e9a5566cd065f65ab31cab51ac2dea2c4201b967bf4438fe8c7d75e8a
Tags
amadey healer redline zgrat dropper evasion infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0655d16e9a5566cd065f65ab31cab51ac2dea2c4201b967bf4438fe8c7d75e8a

Threat Level: Known bad

The file 73d68c52c799495637a7ea3b3b4a9b20_NEIKI was found to be: Known bad.

Malicious Activity Summary

amadey healer redline zgrat dropper evasion infostealer persistence rat trojan

Detect ZGRat V1

ZGRat

Healer

Amadey

Detects Healer an antivirus disabler dropper

RedLine

RedLine payload

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-08 11:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 11:00

Reported

2024-05-08 11:02

Platform

win10v2004-20240419-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

ZGRat

rat zgrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\404469749.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4660 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe
PID 4660 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe
PID 4660 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe
PID 5040 wrote to memory of 4648 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe
PID 5040 wrote to memory of 4648 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe
PID 5040 wrote to memory of 4648 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe
PID 4648 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe
PID 4648 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe
PID 4648 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe
PID 2164 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe
PID 2164 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe
PID 2164 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe
PID 2164 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe
PID 2164 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe
PID 2164 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe
PID 4648 wrote to memory of 3324 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exe
PID 4648 wrote to memory of 3324 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exe
PID 4648 wrote to memory of 3324 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exe
PID 3324 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3324 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3324 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5040 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\404469749.exe
PID 5040 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\404469749.exe
PID 5040 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\404469749.exe
PID 748 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 748 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 748 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 748 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 3748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 3748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 3748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 4164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2976 wrote to memory of 4164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2976 wrote to memory of 4164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2976 wrote to memory of 3444 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2976 wrote to memory of 3444 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2976 wrote to memory of 3444 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2976 wrote to memory of 3532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 3532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 3532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 4476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2976 wrote to memory of 4476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2976 wrote to memory of 4476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2976 wrote to memory of 2236 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2976 wrote to memory of 2236 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2976 wrote to memory of 2236 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3556 -ip 3556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 1020

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\404469749.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\404469749.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.99:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe

MD5 dfe434a69f2348ebf90b85c207c02ef8
SHA1 9b12b8825afc0e37f0bad0f22f8f0de317d9e247
SHA256 c95e9f67bc68689910dc07b3ed80d0cd23c2a65adcc865a5482789b44a851023
SHA512 1911e79174058bc2e6b2ae409ca238cf9f5603a04b49a8cf294706a7bb310ab63d2b2f649d41f0fd1caec88b9f983923cf31fa6b1ce441f6082bb988844ffbaa

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe

MD5 b9caa9de272c1785c900a5735bebea09
SHA1 00a49290df5123d222a6390033d0c8ea13d01344
SHA256 126968089982cace9207987f9a1dcf85cb09f830b0f3e22fca99195de7bd3dfe
SHA512 fde2b945dcd99b0d4f9cc55a8ba61a290310b47d69ab8a3071b0369dcfd9cff4c7a9f4f24320fe68301530c7f33e23a6bccefbe30efd24a38fc103bb56455462

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe

MD5 c15bdaf4b089ace62138eb9c3fa2e9b5
SHA1 4c6fd1ad3245063b34e01e0346f572ae37caeae9
SHA256 80e4f8805a09874cb112214f2fe585471e228071f89178e7b37227b8db2b0e79
SHA512 b474220096c242ef5201a5043feb7f7870a800fa9fc1d3156efddaebaa1f66a142767343a27b90f313deef8682bc7d7b7e63210f0442961db3a272085383502b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe

MD5 a165b5f6b0a4bdf808b71de57bf9347d
SHA1 39a7b301e819e386c162a47e046fa384bb5ab437
SHA256 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA512 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

memory/5080-28-0x0000000002050000-0x000000000206A000-memory.dmp

memory/5080-29-0x0000000004A60000-0x0000000005004000-memory.dmp

memory/5080-30-0x0000000002430000-0x0000000002448000-memory.dmp

memory/5080-31-0x0000000002430000-0x0000000002443000-memory.dmp

memory/5080-52-0x0000000002430000-0x0000000002443000-memory.dmp

memory/5080-58-0x0000000002430000-0x0000000002443000-memory.dmp

memory/5080-56-0x0000000002430000-0x0000000002443000-memory.dmp

memory/5080-54-0x0000000002430000-0x0000000002443000-memory.dmp

memory/5080-50-0x0000000002430000-0x0000000002443000-memory.dmp

memory/5080-46-0x0000000002430000-0x0000000002443000-memory.dmp

memory/5080-44-0x0000000002430000-0x0000000002443000-memory.dmp

memory/5080-42-0x0000000002430000-0x0000000002443000-memory.dmp

memory/5080-40-0x0000000002430000-0x0000000002443000-memory.dmp

memory/5080-38-0x0000000002430000-0x0000000002443000-memory.dmp

memory/5080-36-0x0000000002430000-0x0000000002443000-memory.dmp

memory/5080-34-0x0000000002430000-0x0000000002443000-memory.dmp

memory/5080-32-0x0000000002430000-0x0000000002443000-memory.dmp

memory/5080-48-0x0000000002430000-0x0000000002443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe

MD5 8527975d775cb7bad819b513e23cc188
SHA1 45cefaee9740f544108e1bc0abd0ee6d6a347912
SHA256 a4a924435ec820400a5a9afd180d6423c1d54481d764f9b0d85eae90ce26edfd
SHA512 4204ec5386e1b7f2292026cb82f70dde7ab27bbe97037897f18fb13b285f381649b017181a5b928708c023bdfb17ea6e5f7ddb1b87918f959210c595266d26b9

memory/3556-92-0x0000000000400000-0x0000000000455000-memory.dmp

memory/3556-94-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\404469749.exe

MD5 c7f65640e61c71e4258fbc5b9992d3a2
SHA1 c6bbdd037abcb025def5ffb9dc9f941b7e13fa98
SHA256 dd565a1874687e6232cffc7cd91b8e230bbc01db92948687f54094023daaee66
SHA512 3178ba3584a7205844befb2b828b30bf7d971aaaed84915713a9cc3adc392b0f7aec4ea7df7be68aa87793ea1548ba64fd1a2d547b6e9c9545286a81013e1192

memory/932-112-0x0000000004A20000-0x0000000004A5C000-memory.dmp

memory/932-113-0x0000000005050000-0x000000000508A000-memory.dmp

memory/932-114-0x0000000005050000-0x0000000005085000-memory.dmp

memory/932-119-0x0000000005050000-0x0000000005085000-memory.dmp

memory/932-117-0x0000000005050000-0x0000000005085000-memory.dmp

memory/932-115-0x0000000005050000-0x0000000005085000-memory.dmp

memory/932-906-0x0000000007B70000-0x0000000008188000-memory.dmp

memory/932-907-0x00000000075D0000-0x00000000075E2000-memory.dmp

memory/932-908-0x00000000075F0000-0x00000000076FA000-memory.dmp

memory/932-909-0x0000000007710000-0x000000000774C000-memory.dmp

memory/932-910-0x0000000002420000-0x000000000246C000-memory.dmp