Malware Analysis Report

2025-08-05 10:15

Sample ID 241109-fw4c5syclr
Target 234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206
SHA256 234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206
Tags
amadey healer redline 8c4642 discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206

Threat Level: Known bad

The file 234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 8c4642 discovery dropper evasion infostealer persistence trojan

Amadey family

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

Amadey

Redline family

RedLine payload

RedLine

Detects Healer, an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:14

Reported

2024-11-09 05:16

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu757899.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki147456.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki826708.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki096675.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki147456.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki826708.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki096675.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu757899.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFr68t97.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFr68t97.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5028 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki147456.exe
PID 3396 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki147456.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki826708.exe
PID 4408 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki826708.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki096675.exe
PID 368 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki096675.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe
PID 368 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki096675.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu757899.exe
PID 520 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu757899.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4408 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki826708.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFr68t97.exe
PID 5060 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5060 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 4660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4812 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4812 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4812 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206.exe

"C:\Users\Admin\AppData\Local\Temp\234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki147456.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki147456.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki826708.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki826708.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki096675.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki096675.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu757899.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu757899.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFr68t97.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFr68t97.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 193.201.9.240:80 tcp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki147456.exe

MD5 92ba6b1ba4db9332f38a46e7beda41d1
SHA1 0483aed0fac26bdc9509b81188a447fde3946d40
SHA256 2eec4a855b269e916dd8b2f2466449951dc82d19a6c7b48e8c97ac98f3cb7be7
SHA512 695119d0d0d1fc86caa9beb3dd45b0b587a6ba3d3e7de1af0945d03f76a45aca101a5d8dbd5dfa8bb72891c18e96248fc01c3f65b0fcda3431b8f47171bb191e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki826708.exe

MD5 d1392db14b923002fd1bc30c316433df
SHA1 37057a65853e6020df7cf2e533c014c08cb36224
SHA256 9d90a6954f2352bf655907802c0e9d9c29ec0dcb6a815ed7bfdde471c1cec5f5
SHA512 223835090c2d9d5b0d2ce17262fbf43a33ee17d4467c71df956e41f8f2e735543ec7ff1470c21e2de55be059de3e5d4c70c90b6ba0d57825a4fec81c3603e7fa

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki096675.exe

MD5 42a90a457c9a8625307705c3cd310b74
SHA1 fba7936092a9e9696d0248114e1e0ee9c588e4dd
SHA256 1c6883045456c8ee39a7d8367aeecbb59e9d5f097bcfc6d775096c84cf151a08
SHA512 05f55030fbe20b3269b56713d3b4c05de23eac063439fa7b8c30d6fc0c0ae96710a5640113211dcff8a3121a0efc3e8652dedfe65e0c9b683d947bc3ea39a0e3

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu757899.exe

MD5 d2622752e39ebe03e48351887e7ba2c7
SHA1 8377db1a7994b5101d4285126cbb2e8e7e4e82e3
SHA256 c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0
SHA512 f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFr68t97.exe

MD5 4abd086fdc3e51d9b6adeee3dbe2622f
SHA1 a11efbfe0ef8c3b7099a48b593bacc53d3102e8c
SHA256 d91c783916f5b5f59a5576fc4f9fc8de1485a8a17b048b96cfe2c7f0e10377b6
SHA512 22eaa9be540f5a22f807bc91fa6d8e54634314188e41bacb7a6f222fecf94a64ac376519299b945c62ba40beffd256ed2b326ed541d33b3a853113f28739a1c8
