Malware Analysis Report

2025-08-10 13:47

Sample ID 241109-ftjkysxncy
Target ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6
SHA256 ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6
Tags
healer redline gena discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6

Threat Level: Known bad

The file ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6 was found to be: Known bad.

Malicious Activity Summary

healer redline gena discovery dropper evasion infostealer persistence trojan

RedLine

Detects Healer an antivirus disabler dropper

Healer

Redline family

Healer family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:09

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:09

Reported

2024-11-09 05:12

Platform

win7-20240903-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5628.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5628.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 804 (7 times) N/A C:\Users\Admin\AppData\Local\Temp\ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5628.exe
PID 804 wrote to memory of 2160 (7 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5628.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe
PID 2160 wrote to memory of 1924 (7 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe
PID 1924 wrote to memory of 2844 (7 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe
PID 1924 wrote to memory of 2792 (7 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe
PID 2160 wrote to memory of 2960 (7 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6.exe

"C:\Users\Admin\AppData\Local\Temp\ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5628.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5628.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe

Network

Country Destination Domain Proto
RU 193.233.20.30:4125 tcp (5 connections)

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5628.exe

MD5 51b7fe413501dc9dd84cf1fcbb4c4ba2
SHA1 4d55bf3929ed65e32bbd774b8c4aa112acf211e3
SHA256 e7161c00b03551d7a04e547110b71bc7cbc81b0cec26afec42323a0511f7f572
SHA512 246effefc9d395f83033dd9dee9b7c1b6d40723c1195fcca6dfdda1f60848a0dd6a5ba79a6e4dab1ae2eee059f9ef27aebef81304805183cab69cc2e0bab60c0

\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe

MD5 db27dcb2b593e449358cec94d3d257da
SHA1 9baf8ffca3b41d45510491be18b3c7925d3c2bbe
SHA256 211aeffae8c6c2e01adfa9fc68ee1383eba739f91e2e446f0015b46a5ce3ea7e
SHA512 931904ef2a1707dc53914c7eb26db142417e75461de76e27fba839bfda0eeaa5ffc49b8f73d0592dc71a82d11e9b2e917ff34b53d87b709a4126b6e8a29ff1dd

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe

MD5 211103cf935c81941c9a7c527a99891e
SHA1 1f57c1b0e7784f36e6123bbd9f1f750c430ab7ad
SHA256 f5c28886725b88c1ae31fe02a8eb8b2a7d6e72ed41d8bfb80a5c468aa41a4dde
SHA512 5a4cca86c05d356d479e9df6a08bc98cd795234fccd4ab15109a2316033ee7ec6d26da04ce788e967acec07e32192dfe6e20a4cfa52839d6cb987a0d74328d4c

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe

MD5 3930494c030bfef77c7c0624c1f6baeb
SHA1 3ffc69b116c370d6372a62e1c623ea8457808152
SHA256 76a3221e1dcef4cf9b0f8856db1e20d24d782c4bf068cf76e95a57eaa6b1516e
SHA512 ab2a772bc04db434af4d2c5cd5253a3634a9679e329ad7ce53fafde8e7c81cdcc53b3d00f5d2cbc47ead6bf4efd1a0d8bad81fd63e452d4401e3c82a757f7910

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe

MD5 685668f97d2248e1d69da6cc1553ec0b
SHA1 1a034138a90ecade47aa7fd6982cc2ae3cff7f03
SHA256 ae3faa7905d107e9209be0ea000ba94a09752ae5df064c86e662b2b1a75554ab
SHA512 dccc56807ca396489dcc3baa4ba5bead515427faaef074b9c4f72386d25cbbc8a4446ebce306d470ebaab4b31062fff1a2564b818778b3b09cefedc06d9f07e5

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 05:09

Reported

2024-11-09 05:12

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5628.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5628.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 2156 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5628.exe
PID 2156 wrote to memory of 3328 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5628.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe
PID 3328 wrote to memory of 2340 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe
PID 2340 wrote to memory of 3960 (2 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe
PID 2340 wrote to memory of 4504 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe
PID 3328 wrote to memory of 5096 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6.exe

"C:\Users\Admin\AppData\Local\Temp\ea30446a6e138591fc3ba144d31a311b86a77a2dbc3638c26368b392643f18c6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5628.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5628.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.233.20.30:4125 tcp (5 connections)

Files

memory/4888-1-0x0000000004990000-0x0000000004A8F000-memory.dmp

memory/4888-2-0x0000000004A90000-0x0000000004B93000-memory.dmp

memory/4888-3-0x0000000000400000-0x0000000000507000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5628.exe

MD5 51b7fe413501dc9dd84cf1fcbb4c4ba2
SHA1 4d55bf3929ed65e32bbd774b8c4aa112acf211e3
SHA256 e7161c00b03551d7a04e547110b71bc7cbc81b0cec26afec42323a0511f7f572
SHA512 246effefc9d395f83033dd9dee9b7c1b6d40723c1195fcca6dfdda1f60848a0dd6a5ba79a6e4dab1ae2eee059f9ef27aebef81304805183cab69cc2e0bab60c0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6423.exe

MD5 db27dcb2b593e449358cec94d3d257da
SHA1 9baf8ffca3b41d45510491be18b3c7925d3c2bbe
SHA256 211aeffae8c6c2e01adfa9fc68ee1383eba739f91e2e446f0015b46a5ce3ea7e
SHA512 931904ef2a1707dc53914c7eb26db142417e75461de76e27fba839bfda0eeaa5ffc49b8f73d0592dc71a82d11e9b2e917ff34b53d87b709a4126b6e8a29ff1dd

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4801.exe

MD5 211103cf935c81941c9a7c527a99891e
SHA1 1f57c1b0e7784f36e6123bbd9f1f750c430ab7ad
SHA256 f5c28886725b88c1ae31fe02a8eb8b2a7d6e72ed41d8bfb80a5c468aa41a4dde
SHA512 5a4cca86c05d356d479e9df6a08bc98cd795234fccd4ab15109a2316033ee7ec6d26da04ce788e967acec07e32192dfe6e20a4cfa52839d6cb987a0d74328d4c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7600.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3960-32-0x0000000000D20000-0x0000000000D2A000-memory.dmp

memory/4888-33-0x0000000004990000-0x0000000004A8F000-memory.dmp

memory/4888-34-0x0000000004A90000-0x0000000004B93000-memory.dmp

memory/4888-36-0x0000000000400000-0x0000000000507000-memory.dmp

memory/4888-35-0x0000000000400000-0x0000000002BDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1165.exe

MD5 3930494c030bfef77c7c0624c1f6baeb
SHA1 3ffc69b116c370d6372a62e1c623ea8457808152
SHA256 76a3221e1dcef4cf9b0f8856db1e20d24d782c4bf068cf76e95a57eaa6b1516e
SHA512 ab2a772bc04db434af4d2c5cd5253a3634a9679e329ad7ce53fafde8e7c81cdcc53b3d00f5d2cbc47ead6bf4efd1a0d8bad81fd63e452d4401e3c82a757f7910


C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe

MD5 685668f97d2248e1d69da6cc1553ec0b
SHA1 1a034138a90ecade47aa7fd6982cc2ae3cff7f03
SHA256 ae3faa7905d107e9209be0ea000ba94a09752ae5df064c86e662b2b1a75554ab
SHA512 dccc56807ca396489dcc3baa4ba5bead515427faaef074b9c4f72386d25cbbc8a4446ebce306d470ebaab4b31062fff1a2564b818778b3b09cefedc06d9f07e5
