Malware Analysis Report

2025-08-10 21:19

Sample ID 241031-llzj4axlak
Target ORDERREF47806798PSMCO.exe
SHA256 76af8cf5846c6addfc9049cde063bbee8c0353bc0870c5080ad37a41a9aab1a3
Tags
modiloader discovery trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

76af8cf5846c6addfc9049cde063bbee8c0353bc0870c5080ad37a41a9aab1a3

Threat Level: Known bad

The file ORDERREF47806798PSMCO.exe was found to be: Known bad.

Malicious Activity Summary

modiloader discovery trojan persistence

ModiLoader, DBatLoader

Modiloader family

ModiLoader Second Stage

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Script User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 09:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 09:37

Reported

2024-10-31 09:41

Platform

win7-20240903-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modiloader family

modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe

"C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 684

Network

Country Destination Domain Proto
US 8.8.8.8:53 sierrassinfinusadas.com.ar udp
AR 167.250.5.91:443 sierrassinfinusadas.com.ar tcp
AR 167.250.5.91:443 sierrassinfinusadas.com.ar tcp
AR 167.250.5.91:443 sierrassinfinusadas.com.ar tcp

Files

memory/2568-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2568-2-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-1-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-4-0x0000000000400000-0x000000000050A000-memory.dmp

memory/2568-5-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2568-7-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-16-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-15-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-14-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-39-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-38-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-35-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-32-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-29-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-17-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-79-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-76-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-73-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-70-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-67-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-64-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-60-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-57-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-54-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-51-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-48-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-44-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-41-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-36-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-33-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-30-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-27-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-24-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-23-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-21-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-20-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-18-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-78-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-74-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-71-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-68-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-65-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-61-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-58-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-55-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-53-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-50-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-47-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-45-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-42-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-40-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-37-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-34-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-31-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-28-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-26-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-25-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-22-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-19-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-13-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-12-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-11-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-10-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-9-0x0000000003290000-0x0000000004290000-memory.dmp

memory/2568-8-0x0000000003290000-0x0000000004290000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 09:37

Reported

2024-10-31 09:41

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modiloader family

modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zipkzypj = "C:\\Users\\Public\\Zipkzypj.url" C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2420 set thread context of 4548 N/A C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe C:\Users\Public\Libraries\jpyzkpiZ.pif

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Public\Libraries\jpyzkpiZ.pif

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\alpha.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\alpha.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\alpha.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\alpha.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\xpha.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\alpha.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\alpha.pif N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\esentutl.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe C:\Windows\SysWOW64\cmd.exe
PID 4236 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\esentutl.exe
PID 4236 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\esentutl.exe
PID 4236 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\esentutl.exe
PID 4236 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\esentutl.exe
PID 4236 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\esentutl.exe
PID 4236 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\esentutl.exe
PID 4236 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4748 wrote to memory of 2328 N/A C:\Users\Public\alpha.pif C:\Users\Public\xpha.pif
PID 4748 wrote to memory of 2328 N/A C:\Users\Public\alpha.pif C:\Users\Public\xpha.pif
PID 4748 wrote to memory of 2328 N/A C:\Users\Public\alpha.pif C:\Users\Public\xpha.pif
PID 4236 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 4236 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\alpha.pif
PID 2420 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe C:\Windows\SysWOW64\esentutl.exe
PID 2420 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe C:\Windows\SysWOW64\esentutl.exe
PID 2420 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe C:\Windows\SysWOW64\esentutl.exe
PID 2420 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe C:\Users\Public\Libraries\jpyzkpiZ.pif
PID 2420 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe C:\Users\Public\Libraries\jpyzkpiZ.pif
PID 2420 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe C:\Users\Public\Libraries\jpyzkpiZ.pif
PID 2420 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe C:\Users\Public\Libraries\jpyzkpiZ.pif
PID 2420 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe C:\Users\Public\Libraries\jpyzkpiZ.pif
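The WriteProcessMemory and SetThreadContext rows above are what an analyst correlates to separate routine child launches from injection. In this detonation every ordinary child spawn appears as three writes from its parent (PID 4236, the cmd.exe, into each esentutl.exe and alpha.pif child; PID 4748 into xpha.pif), while PID 2420, the sample, writes five times into PID 4548 (the dropped jpyzkpiZ.pif) and also sets its thread context, the combination that characterises process hollowing. The Python below is an added example, not part of the sandbox report, that reconstructs this from the event lines. The sample events are copied from the tables above; the three-write baseline for a plain child launch is an assumption drawn from this report, not a general rule, and the user-writable path list is likewise the author's.

```python
"""Correlate sandbox WriteProcessMemory / SetThreadContext rows into injection
candidates.  Added example, not part of the report; the event lines are copied
from the behavioral2 tables and the write baseline is an assumption."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ESENTUTL = r"C:\Windows\SysWOW64\esentutl.exe"
ALPHA = r"C:\Users\Public\alpha.pif"
XPHA = r"C:\Users\Public\xpha.pif"
STAGE2 = r"C:\Users\Public\Libraries\jpyzkpiZ.pif"

# Constructed from the report: each child launch is logged as three writes from
# the parent; the 2420 -> 4548 pair has five writes plus a SetThreadContext.
SAMPLE_EVENTS = (
    [f"PID 2420 set thread context of 4548 N/A {SAMPLE} {STAGE2}"]
    + [f"PID 2420 wrote to memory of 4236 N/A {SAMPLE} {CMD}"] * 3
    + [f"PID 4236 wrote to memory of 1296 N/A {CMD} {ESENTUTL}"] * 3
    + [f"PID 4236 wrote to memory of 4748 N/A {CMD} {ALPHA}"] * 3
    + [f"PID 4748 wrote to memory of 2328 N/A {ALPHA} {XPHA}"] * 3
    + [f"PID 2420 wrote to memory of 4548 N/A {SAMPLE} {STAGE2}"] * 5
)

# Row format used by the report: "PID <src> <action> <dst> N/A <src image> <dst image>"
EVENT_RE = re.compile(
    r"^PID (?P<src_pid>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst_pid>\d+) N/A (?P<src>\S+) (?P<dst>\S+)$"
)


def parse_event(line):
    """Parse one signature row; return None for headers or unrelated text."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src_pid"], ev["dst_pid"] = int(ev["src_pid"]), int(ev["dst_pid"])
    return ev


def correlate(lines):
    """Aggregate events per (source PID, target PID): write count and context flag."""
    pairs = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        rec = pairs.setdefault(
            (ev["src_pid"], ev["dst_pid"]),
            {"src": ev["src"], "dst": ev["dst"], "writes": 0, "set_context": False},
        )
        if ev["action"] == "wrote to memory of":
            rec["writes"] += 1
        else:
            rec["set_context"] = True
    return pairs


def in_user_writable_dir(path):
    """Assumption: these are the user-writable staging paths worth highlighting."""
    p = path.lower()
    return "\\users\\public\\" in p or "\\appdata\\local\\temp\\" in p


def injection_candidates(lines, baseline_writes=3):
    """Pairs with a SetThreadContext, or more writes than a plain child launch
    produces in this report (baseline_writes, an assumption taken from the data)."""
    out = []
    for (src_pid, dst_pid), rec in correlate(lines).items():
        if rec["set_context"] or rec["writes"] > baseline_writes:
            out.append({"src_pid": src_pid, "dst_pid": dst_pid,
                        "dst_in_writable_dir": in_user_writable_dir(rec["dst"]), **rec})
    return out


if __name__ == "__main__":
    for c in injection_candidates(SAMPLE_EVENTS):
        print(f"{c['src']} (PID {c['src_pid']}) -> {c['dst']} (PID {c['dst_pid']}): "
              f"{c['writes']} writes, SetThreadContext={c['set_context']}, "
              f"target in writable dir={c['dst_in_writable_dir']}")
```

Run stand-alone it prints the single 2420 -> 4548 pair. The baseline is deliberately a parameter: lowering it to 2 flags every parent/child pair in the report, which is the false-positive rate you would see if you alerted on WriteProcessMemory alone.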

Processes

C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe

"C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\jpyzkpiZ.cmd" "

C:\Windows\SysWOW64\esentutl.exe

C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o

C:\Windows\SysWOW64\esentutl.exe

C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10

C:\Users\Public\xpha.pif

C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"

C:\Windows\SysWOW64\esentutl.exe

C:\\Windows\\System32\\esentutl.exe /y C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe /d C:\\Users\\Public\\Libraries\\Zipkzypj.PIF /o

C:\Users\Public\Libraries\jpyzkpiZ.pif

C:\Users\Public\Libraries\jpyzkpiZ.pif

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4548 -ip 4548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 12
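The process list above is the DBatLoader/ModiLoader staging chain in full: cmd.exe runs a .cmd dropped in C:\Users\Public\Libraries; esentutl /y (a file-copy primitive) copies cmd.exe and ping.exe into C:\Users\Public as alpha.pif and xpha.pif so later commands run from renamed copies rather than the real system binaries; the renamed cmd creates and later removes "C:\Windows \SysWOW64" (note the space after Windows), a writable path that mimics the system directory, the trailing-space directory trick used to stage files that auto-elevated Windows binaries will trust; the renamed ping pings 127.0.0.1 ten times as a delay; the sample copies itself to Zipkzypj.PIF; and the scratch files are deleted. The Python below is an added example, not part of the sandbox report, that encodes those patterns as checks over process-creation command lines. The events are copied from this section (with the WerFault line kept as a benign control); the system-tool list and the legacy-extension list are the author's assumptions.

```python
"""Flag the DBatLoader/ModiLoader staging patterns visible in the behavioral2
process list.  Added example; the events are copied from the report, the
tool/extension lists are the author's assumptions."""
import re

# Renamed-copy sources worth flagging (assumption: extend to taste).
SYSTEM_TOOLS = {"cmd.exe", "ping.exe", "powershell.exe", "rundll32.exe"}
# Legacy executable extensions that hide a PE behind an odd name (assumption).
RISKY_EXT = (".pif", ".com", ".scr")

# Constructed sample: (image, command line) pairs taken from the report,
# plus one WerFault line as a benign control.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\jpyzkpiZ.cmd" "'),
    (r"C:\Windows\SysWOW64\esentutl.exe",
     r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o"),
    (r"C:\Windows\SysWOW64\esentutl.exe",
     r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o"),
    (r"C:\Users\Public\alpha.pif", r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "'),
    (r"C:\Users\Public\alpha.pif", r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"'),
    (r"C:\Users\Public\xpha.pif", r"C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10"),
    (r"C:\Windows\SysWOW64\esentutl.exe",
     r"C:\\Windows\\System32\\esentutl.exe /y C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe "
     r"/d C:\\Users\\Public\\Libraries\\Zipkzypj.PIF /o"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 12"),
]


def normalize(cmd):
    """Lowercase and collapse the doubled backslashes the dropped .cmd script uses."""
    return cmd.replace("\\\\", "\\").lower()


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_esentutl_copy(cmd):
    """Return (src, dst) for 'esentutl /y SRC /d DST /o', else None."""
    m = re.search(r"esentutl(?:\.exe)?\s+/y\s+(\S+)\s+/d\s+(\S+)\s+/o", normalize(cmd))
    return (m.group(1), m.group(2)) if m else None


def rule_public_script(image, cmd):
    m = re.search(r'[a-z]:\\users\\public\\[^\s"]+\.(?:cmd|bat)\b', normalize(cmd))
    if m and basename(normalize(image)) == "cmd.exe":
        return f"cmd.exe runs a script from a world-writable path: {m.group(0)}"


def rule_esentutl_copy(image, cmd):
    parsed = parse_esentutl_copy(cmd)
    if not parsed:
        return None
    src, dst = parsed
    if basename(src) in SYSTEM_TOOLS or dst.endswith(RISKY_EXT) or "\\users\\public\\" in dst:
        return f"esentutl used as a copy primitive: {src} -> {dst}"


def rule_mock_system_dir(image, cmd):
    # 'c:\windows ' (trailing whitespace) followed by a quote, a path separator or end.
    m = re.search(r'([a-z]:\\(?:windows|program files)\s+)(?:"|\\|$)', normalize(cmd))
    if m:
        return f"directory mimics a system path with trailing whitespace: {m.group(1)!r}"


def rule_public_pif_image(image, cmd):
    img = normalize(image)
    if img.endswith(RISKY_EXT) and "\\users\\public\\" in img:
        return f"process image is a .{img.rsplit('.', 1)[-1]} file under Users\\Public: {img}"


def rule_ping_sleep(image, cmd):
    m = re.search(r"\b127\.0\.0\.1\s+-n\s+(\d+)", normalize(cmd))
    if m and basename(normalize(image)) != "ping.exe":
        return f"{m.group(1)}-echo loopback ping (a delay) from a non-ping image"


RULES = {
    "public_script": rule_public_script,
    "esentutl_copy": rule_esentutl_copy,
    "mock_system_dir": rule_mock_system_dir,
    "public_pif_image": rule_public_pif_image,
    "ping_sleep": rule_ping_sleep,
}


def scan(events):
    """Run every rule over (image, command line) pairs; return the findings."""
    findings = []
    for image, cmd in events:
        for name, rule in RULES.items():
            detail = rule(image, cmd)
            if detail:
                findings.append({"image": image, "rule": name, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['image']}: {f['detail']}")
```

Each rule is written against the normalised command line, because the report shows the script spelling paths with doubled backslashes and mixed case; matching on the raw string would miss half the chain. The mock-directory check deliberately matches on the whitespace after the directory name rather than on a specific path, since the same trick works for any trusted directory.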

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 sierrassinfinusadas.com.ar udp
AR 167.250.5.91:443 sierrassinfinusadas.com.ar tcp
US 8.8.8.8:53 91.5.250.167.in-addr.arpa udp
AR 167.250.5.91:443 sierrassinfinusadas.com.ar tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/2420-0-0x00000000006F0000-0x00000000006F1000-memory.dmp

memory/2420-1-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-2-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-5-0x00000000006F0000-0x00000000006F1000-memory.dmp

memory/2420-4-0x0000000000400000-0x000000000050A000-memory.dmp

memory/2420-10-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-9-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-8-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-14-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-38-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-22-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-37-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-25-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-42-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-24-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-41-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-40-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-39-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-23-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-34-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-61-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-32-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-58-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-31-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-30-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-54-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-18-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-50-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-29-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-27-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-45-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-15-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-21-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-36-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-35-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-13-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-20-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-33-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-19-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-12-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-17-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-11-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-16-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-7-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-63-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-66-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-65-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-64-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-62-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-60-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-59-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-57-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-56-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-55-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-53-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-52-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-51-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-28-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-49-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-48-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-47-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-46-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-26-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-44-0x0000000002C30000-0x0000000003C30000-memory.dmp

memory/2420-43-0x0000000002C30000-0x0000000003C30000-memory.dmp

C:\Users\Public\Libraries\jpyzkpiZ.cmd

MD5 b87f096cbc25570329e2bb59fee57580
SHA1 d281d1bf37b4fb46f90973afc65eece3908532b2
SHA256 d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e
SHA512 72901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7

C:\Users\Public\xpha.pif

MD5 b3624dd758ccecf93a1226cef252ca12
SHA1 fcf4dad8c4ad101504b1bf47cbbddbac36b558a7
SHA256 4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef
SHA512 c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

C:\Users\Public\alpha.pif

MD5 d0fce3afa6aa1d58ce9fa336cc2b675b
SHA1 4048488de6ba4bfef9edf103755519f1f762668f
SHA256 4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22
SHA512 80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

C:\Users\Public\Libraries\jpyzkpiZ.pif

MD5 c116d3604ceafe7057d77ff27552c215
SHA1 452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA512 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6