Malware Analysis Report

2025-04-03 14:17

Sample ID 241109-1s85fatbja
Target 70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9
SHA256 70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9
Tags
amadey healer redline 5d3738 lenor soft discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9

Threat Level: Known bad

The file 70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 5d3738 lenor soft discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine payload

RedLine

Modifies Windows Defender Real-time Protection settings

Amadey

Amadey family

Healer

Healer family

Redline family

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:55

Reported

2024-11-09 21:58

Platform

win10v2004-20241007-en

Max time kernel

129s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7024.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7024.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7024.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7024.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7024.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7024.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91uT36.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Xg84.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7024.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za617263.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za171614.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663828.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663828.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91uT36.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xcGHY96.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Xg84.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za171614.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za617263.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7024.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91uT36.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za171614.exe
PID 1876 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za171614.exe
PID 1876 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za171614.exe
PID 2648 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za171614.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663828.exe
PID 2648 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za171614.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663828.exe
PID 2648 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za171614.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663828.exe
PID 4612 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663828.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za617263.exe
PID 4612 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663828.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za617263.exe
PID 4612 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663828.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za617263.exe
PID 3472 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za617263.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7024.exe
PID 3472 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za617263.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7024.exe
PID 3472 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za617263.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe
PID 3472 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za617263.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe
PID 3472 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za617263.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe
PID 4612 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663828.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91uT36.exe
PID 4612 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663828.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91uT36.exe
PID 4612 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663828.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91uT36.exe
PID 3304 wrote to memory of 6092 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91uT36.exe C:\Windows\Temp\1.exe
PID 3304 wrote to memory of 6092 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91uT36.exe C:\Windows\Temp\1.exe
PID 3304 wrote to memory of 6092 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91uT36.exe C:\Windows\Temp\1.exe
PID 2648 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za171614.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xcGHY96.exe
PID 2648 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za171614.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xcGHY96.exe
PID 2648 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za171614.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xcGHY96.exe
PID 1876 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Xg84.exe
PID 1876 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Xg84.exe
PID 1876 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Xg84.exe
PID 4884 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Xg84.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 4884 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Xg84.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 4884 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Xg84.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 4424 wrote to memory of 5868 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4424 wrote to memory of 5868 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4424 wrote to memory of 5868 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9.exe

"C:\Users\Admin\AppData\Local\Temp\70650118e442653e05170a57144576e0fb6ecaf86e69a483d7b7d2468c40d2f9.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za171614.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za171614.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663828.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663828.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za617263.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za617263.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7024.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7024.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 972

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91uT36.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91uT36.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3304 -ip 3304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1360

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xcGHY96.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xcGHY96.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 916

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Xg84.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Xg84.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.146:4121 tcp
AT 212.113.119.255:80 tcp
FI 77.91.124.146:4121 tcp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
AT 212.113.119.255:80 tcp
FI 77.91.124.146:4121 tcp
AT 212.113.119.255:80 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
AT 212.113.119.255:80 tcp
FI 77.91.124.146:4121 tcp
AT 212.113.119.255:80 tcp
AT 212.113.119.255:80 tcp
AT 212.113.119.255:80 tcp
FI 77.91.124.146:4121 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za171614.exe

MD5 6c2a1441b06dc7c720b25029e7a82d5b
SHA1 16b5e2109781039e652736c8d80e86964b314d5f
SHA256 2da928d901e4b4863a8e6d0c9abd93c49a826e51badda1bfc5b4714880d4613d
SHA512 2b99d0137928c7f02ee56ec5099a990b350b3b26243d696be514d115980e1c5dc473fb3340384538db827f85ce55c4c9b51c78a702433445f2e07cd85a570222

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663828.exe

MD5 174679af6acc83c97faf9c7702fe72ad
SHA1 867401b34b58c8d8feb8721ddf2a66a3d750ee92
SHA256 f73f8d75ce6c9ff687cfbaa49903ece86f65f92b09027d22ac724866b05f942f
SHA512 c9853ed7a49bacc600a32588dfbf697011bb6d0abc2ea2816959ce95613d182631563de8f52f0f8cba2bccfee5fedb7550d56364c67386bdfb067cbc588804c9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za617263.exe

MD5 1d1e0599cc93470a10e5122e4902b13e
SHA1 bbb8d624d7d53cccf4b0e56f9f0fb8d0b71dc138
SHA256 c805ebd94aed3fd8b009130a57f6cc12569c5ad19ed1bce3510e7d6c4174d78e
SHA512 bbd8e1b32ead76cef4c5939efab504ae42a2dfedc72114981b6ab95647fcd636f84a1291e9ff3449cb0193d049d2631225e38c3cc5beee24e51a569a3a8e8548

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7024.exe

MD5 642377b5de019d773408064ec1e1f04c
SHA1 dff912e15d670066d80b8ac8da841ea2dd1baef8
SHA256 28333858d408966ad797a0ec919d1df4ed50795006babf0d7fd787b4cf1c534e
SHA512 e843a4c78f19021e4b737a68170fbdf701489fd0c3d10d51a9b2e2832550d1147e1c6991ff28e6fb130c272abfe293a073befb4ca130bc01aaf43517d0de6fe5

memory/5056-28-0x0000000000380000-0x000000000038A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6791Ds.exe

MD5 d04289e78b43e0c09a6908e70bf8077e
SHA1 2dc5701a90f2d3c1895d8e024e283405d1951b28
SHA256 a061acd83b8bec626a256cb8e07ec51be9b2ce45cd6fda7ab04f81244ff5d7e0
SHA512 8d85f4ad74ea85262afac599a9ca32545962117d332cc297425cdd071f7c43adce9b60226d72ae1fb8fc95cbe41c6fffa33f13c2c9267fd5bfa0ba90d115cb28

memory/2592-34-0x0000000002540000-0x000000000255A000-memory.dmp

memory/2592-35-0x0000000004F20000-0x00000000054C4000-memory.dmp

memory/2592-36-0x0000000002840000-0x0000000002858000-memory.dmp

memory/2592-64-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-62-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-60-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-58-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-56-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-54-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-52-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-50-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-48-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-46-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-44-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-42-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-40-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-38-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-37-0x0000000002840000-0x0000000002852000-memory.dmp

memory/2592-65-0x0000000000400000-0x0000000000809000-memory.dmp

memory/2592-67-0x0000000000400000-0x0000000000809000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w91uT36.exe

MD5 35798514666cbd463c0aa2d2ec287159
SHA1 9ea54ecb207f40e38afc41dd9fb8a119c4bf594e
SHA256 8eed1bd48c0aed66f44cb4bfd88203f34d7c51b015479c60d296635d897bd221
SHA512 3350c7b54b22744159cacf32f2c2f5952abb11d6141f010c308cb1b84bfcc245ee33c215af87abb59d22133931182fa55dc051d3e8c1cddce91cc124ab9ea9d5

memory/3304-72-0x0000000002840000-0x00000000028A8000-memory.dmp

memory/3304-73-0x0000000005570000-0x00000000055D6000-memory.dmp

memory/3304-93-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-95-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-107-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-105-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-101-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-99-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-97-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-91-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-89-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-87-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-85-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-83-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-81-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-79-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-77-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-103-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-75-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-74-0x0000000005570000-0x00000000055D0000-memory.dmp

memory/3304-2202-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1eed54a048b387471d40ab1094221ef1
SHA1 5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98
SHA256 c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19
SHA512 e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

memory/6092-2215-0x0000000000D60000-0x0000000000D8E000-memory.dmp

memory/6092-2216-0x0000000005580000-0x0000000005586000-memory.dmp

memory/6092-2217-0x0000000005D80000-0x0000000006398000-memory.dmp

memory/6092-2218-0x0000000005870000-0x000000000597A000-memory.dmp

memory/6092-2219-0x00000000055D0000-0x00000000055E2000-memory.dmp

memory/6092-2220-0x0000000005760000-0x000000000579C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xcGHY96.exe

MD5 ac6f64288ceab1b2a24d88a839d70e9e
SHA1 50d3dee6d7783b4bb4056fc842b788e2130a6eab
SHA256 0e9787c2a1ee055259de190788c7dce078d2174a2100b0f6580e2d023087447c
SHA512 27414a3542dc12e7f31cdaa996ade3346c54b0797962f9a3638a370f3ca8558dd5cae24f602c0089b715c95aef3d6e48dc18ce2096f9908a809891f1b7307d50

memory/6092-2224-0x00000000057A0000-0x00000000057EC000-memory.dmp

memory/2456-2226-0x00000000000B0000-0x00000000000DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y53Xg84.exe

MD5 3308051ded87b1863a8d92925202c4b3
SHA1 7834ddc23e7976b07118fb580ae38234466dbdfb
SHA256 13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4
SHA512 f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc