Malware Analysis Report

2025-01-23 06:01

Sample ID 241107-m6rwes1epn
Target dae793c621b0e03b6809ab37d5b6c4623a02e31725806a00c42f99ddbcb6fdd3
SHA256 dae793c621b0e03b6809ab37d5b6c4623a02e31725806a00c42f99ddbcb6fdd3
Tags
amadey healer redline 47f88f lada masi discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dae793c621b0e03b6809ab37d5b6c4623a02e31725806a00c42f99ddbcb6fdd3

Threat Level: Known bad

The file dae793c621b0e03b6809ab37d5b6c4623a02e31725806a00c42f99ddbcb6fdd3 was found to be: Known bad.

Malicious Activity Summary

RedLine payload

Amadey family

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus disabler dropper

Redline family

Amadey

Healer

RedLine

Healer family

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 11:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 11:04

Reported

2024-11-07 11:07

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dae793c621b0e03b6809ab37d5b6c4623a02e31725806a00c42f99ddbcb6fdd3.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az542338.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az542338.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu972355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu972355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu972355.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az542338.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az542338.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az542338.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az542338.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu972355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu972355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu972355.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co429243.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbm83t83.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az542338.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu972355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu972355.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki812707.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki760411.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dae793c621b0e03b6809ab37d5b6c4623a02e31725806a00c42f99ddbcb6fdd3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki450253.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki257120.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co429243.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dae793c621b0e03b6809ab37d5b6c4623a02e31725806a00c42f99ddbcb6fdd3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki257120.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki760411.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu972355.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft890341.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki450253.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki812707.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbm83t83.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az542338.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu972355.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co429243.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbm83t83.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\dae793c621b0e03b6809ab37d5b6c4623a02e31725806a00c42f99ddbcb6fdd3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki450253.exe
PID 2116 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki450253.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki257120.exe
PID 900 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki257120.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki812707.exe
PID 2588 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki812707.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki760411.exe
PID 4376 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki760411.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az542338.exe
PID 4376 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki760411.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu972355.exe
PID 2588 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki812707.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co429243.exe
PID 4960 wrote to memory of 6356 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co429243.exe C:\Windows\Temp\1.exe
PID 900 wrote to memory of 6412 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki257120.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbm83t83.exe
PID 6412 wrote to memory of 6736 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbm83t83.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 2116 wrote to memory of 6788 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki450253.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft890341.exe
PID 6736 wrote to memory of 6848 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\dae793c621b0e03b6809ab37d5b6c4623a02e31725806a00c42f99ddbcb6fdd3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dae793c621b0e03b6809ab37d5b6c4623a02e31725806a00c42f99ddbcb6fdd3.exe"

Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki450253.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki450253.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki257120.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki257120.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki812707.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki812707.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki760411.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki760411.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az542338.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az542338.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu972355.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu972355.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co429243.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co429243.exe

Image: C:\Windows\Temp\1.exe
Command line: "C:\Windows\Temp\1.exe"

Image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbm83t83.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbm83t83.exe

Image: C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"

Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft890341.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft890341.exe

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F

Image: C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Command line: C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Image: C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
Command line: C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki450253.exe

MD5 5298b26b552ce8a4c0895b1514e71379
SHA1 0d9424422051970fcc300c197a1633f2ae1c2e4d
SHA256 92c911b81afcdcd248f2bd11f104f010c7864458ec5f8d3b065a5cf01a49a981
SHA512 1f9b8d9bebaf3911ad2735644758bed4630736ce7340363a9a2fbfde8445f63b9cc1a0b10fceb9d985f015661a2a8aa51088839f1f7d9309845f7de88c90f414

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki257120.exe

MD5 a5ea4d7f2fb88d512cf5ab10594605f8
SHA1 2911f77e02df2a3e5e8c6ec3cfc3f4cdfa9ce7c7
SHA256 e87e2a198db32bce706ffca7d3665d4303339085fd651021e47ba3a32e06eee4
SHA512 ba128ffec65b8f4b3e6dec9e3e94858ee38c290dd3ccc112910adf4539d2154ecd0e5494a3ed7ee93a5fea36ea6b296b36aff3fcd2c64623d135c757ab0603ab

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki812707.exe

MD5 0119e2f22de92d2e6e291e20ab174680
SHA1 67192c76e75c21decb458c15549aba0595099e9c
SHA256 fcd2bda38e1a54197d5ee0f6899d2e80969f51159b6da39a9a989e20ae7dc192
SHA512 38f17a1267ac6888c6805637fc507eb97b6bb96ca4ecdcf7e2b483364469bf5c50f90b9c584aee6a5252ba7dd0a135c5497039441b4105edaf22243205e13dc9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki760411.exe

MD5 d1afc98df4e8322595419a16ceb60b70
SHA1 ef2fbbc2933f3efc7ecdaf64d7dd66669cb6880b
SHA256 ea855e230813cf3bfad7ba6abef50afe8e3762f648e5efe52c44ec15472dffe1
SHA512 9d5ee435b7aa89e657d2da689f14915ba4dc837e194e516350298d89e2b7ff129f2907e08ee24ce193329236f9f5f9f8f6476e722844052acb557ed0a9f13e0a

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az542338.exe

MD5 8d81e111cd05bea98c0b430e1cc3a382
SHA1 485eeefc15c6dfc9f929cb92870a6bcd30979590
SHA256 cd59155f0f491654a54dfd0abf0820f2baaab9f37dac537963a6902e37afbb6a
SHA512 debaeb28a53cc19eccfdabc5c70c0315a4b4137d905c77b51023dfbfe474710fbf0a2ac0c7f9b44caa1fb6437610ad568edc893a281f548ccff56d2b86c865d8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu972355.exe

MD5 7f105ed7d964a96083418e124f878f1b
SHA1 7764a9dd850e79d2f257ed7317579d418078ff76
SHA256 aaad0ab7ac82e0a0ce011310db8b35997c26eb447ea02e346c9349affa63290e
SHA512 9ac08407b1624761a604e43f9f174dc379aae37a9e1d6c13e1240a22f5b9d4198fdabdfa81d2e6c43532ccff56247c7093929c2cc4be84aedd9f48d77eda84f9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co429243.exe

MD5 c57ac7697f1336927451092dceb526ba
SHA1 a630b97eeaddf956336cbb7afdfa330c77516733
SHA256 e256bea7ffe193c5fbefbcd3a15de762fc994606bec9228c2d0543074f9667da
SHA512 18c66b948dd9cdb2a4f7f8e71b95d123969931a906cc2c61f27214444db209af4de3b465e625fff4512f0428408b56e76490275baca6f315f7f9e01ac2adc996

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbm83t83.exe

MD5 ee1f5f0e1168ce5938997c932b4dcd27
SHA1 b8c0928da3a41d579c19f44b9e1fef6014d06452
SHA256 dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed
SHA512 bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft890341.exe

MD5 17647abadaca4ab0dd441e8eb8442d4a
SHA1 d836f1f172a25e40b401474536cf9307119f38c0
SHA256 fd23566b3f6659d57a690facb06144c0ce45e497bf6c60d380f075656e1acf46
SHA512 3a19b9c7681c204c83e83eeb9345567f893b92ca8a0a76354ee79423369f15b071b9f783b5405c0d9ff67efefa459d63e65c132a3652308cb8c4598411a60d3c
