Malware Analysis Report

2025-06-15 22:33

Sample ID: 241109-xz5ttazhka
Target: 06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a
SHA256: 06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a
Tags: amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a

Threat Level: Known bad

The file 06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

RedLine

RedLine payload

Amadey

Redline family

Detects Healer, an antivirus disabler dropper

Amadey family

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 19:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 19:18
Reported: 2024-11-09 19:21
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Temp\1.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Windows\Temp\1.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Temp\1.exe | N/A
N/A | N/A | C:\Windows\Temp\1.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Temp\1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1292 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
PID 1292 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
PID 1292 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
PID 3096 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
PID 3096 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
PID 3096 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
PID 3992 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
PID 3992 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
PID 3992 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
PID 4692 wrote to memory of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe | C:\Windows\Temp\1.exe
PID 4692 wrote to memory of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe | C:\Windows\Temp\1.exe
PID 3992 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
PID 3992 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
PID 3992 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
PID 3096 wrote to memory of 5168 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
PID 3096 wrote to memory of 5168 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
PID 3096 wrote to memory of 5168 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
PID 5168 wrote to memory of 5424 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5168 wrote to memory of 5424 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5168 wrote to memory of 5424 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1292 wrote to memory of 5512 | N/A | C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
PID 1292 wrote to memory of 5512 | N/A | C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
PID 1292 wrote to memory of 5512 | N/A | C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
PID 5424 wrote to memory of 5720 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5424 wrote to memory of 5720 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5424 wrote to memory of 5720 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5424 wrote to memory of 5828 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 5424 wrote to memory of 5828 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 5424 wrote to memory of 5828 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 5828 wrote to memory of 4112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5828 wrote to memory of 4112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5828 wrote to memory of 4112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5828 wrote to memory of 3288 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5828 wrote to memory of 3288 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5828 wrote to memory of 3288 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5828 wrote to memory of 2172 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5828 wrote to memory of 2172 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5828 wrote to memory of 2172 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5828 wrote to memory of 5472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5828 wrote to memory of 5472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5828 wrote to memory of 5472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5828 wrote to memory of 5344 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5828 wrote to memory of 5344 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5828 wrote to memory of 5344 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5828 wrote to memory of 5248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5828 wrote to memory of 5248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5828 wrote to memory of 5248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe
    "C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe

C:\Windows\Temp\1.exe
    "C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2812 -ip 2812

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1192

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe
    CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe
    CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe
    CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe
    CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5512 -ip 5512

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 1220

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 193.3.19.154:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe

MD5 827ccbc4c11603646f8a3c69172e8a45
SHA1 2017a8048034862c7e92e2d3ece454ed3e927779
SHA256 525e8d353a3ec8dca403c848bb02e2f0f9cbbdc041f5ab6c7ff85aa2f14f0b67
SHA512 f32bf5eb824031eff1a497961cc6a3ad4de9eddab3944eadbefdd1d0e6f87f6a7abb4ab9794d96fc8f771ad60c9347cfe7ac3f44d74b04021ddcdaa5d28fa207

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe

MD5 fbd51d7e7ef4b74311ada32235dad4a3
SHA1 cd77bc5d2d0c52f65ee8ca49e413fc04436a0951
SHA256 18a2596e9e9421902f25d1f2ff4b591f1489d8a716842c295b18c4bc5342abe6
SHA512 8aabcdbb6cfa9fd24c0f3dd92b48d6eaedbf5625dfc819d7d065db795e4104facaf2126401e39df235107c9ec697fdbf4895d50f8d7c8231ac4b514e4a50af95

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe

MD5 f6d59c97a0ed988291f29786087dc183
SHA1 b441493c234cb87c634ba56b170372ab7c6ae6e3
SHA256 8b77e63aa6736150639ebd0fd474f9c6fcf6cc7a4e6795e92e888b2ce52a14cb
SHA512 8ac6b127cec2616e637fef0bff71cc2360c48e3690958c66c9233844792276d912b8cfce0f63834b20d9a94fd2cadca9b0ced8846ec474686d91b3d402f21ea2


C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/324-2166-0x00000000003C0000-0x00000000003CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe

MD5 cd22ce939659072b194a1fa34ad136e3
SHA1 e6fe1c548efc7fae64a6a6569ed4747df39999b8
SHA256 cb90776180a118ffd70a5e77dfcb25217e04ba16fc0813436d15b68dc1f63240
SHA512 70a29db233981f5800c9130626371bfee55973175e25b86a9f74832d03a38d47ee0e7d58e63e13e8410010062442334649a5c7f23f8c7391a36d2d2ab0dbeeaf

memory/2812-4298-0x0000000005740000-0x00000000057D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe

MD5 c09473f87c87e6bd0ebab611067875bb
SHA1 b42294e8ce5804dec65735d142a4a29e8a861cd6
SHA256 d7e3a6c78044fb393ebbc9d262dbe7609eb07acff787d6b43f96dc8107d287d1
SHA512 c3ddb62d12a1d0ee584815faecf616e8a3884d8b13ed9f832308fbf57ebb770c2b1dd7df38d32da4ee072eb8d61bfc9b37607cf37e1b52dccb1a986c247476a6

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe

MD5 85648d9d3c25a9cae3d60bba38357e3e
SHA1 f319e778b59b4b81158f6433a9d19d0145472217
SHA256 dd05dc35b6c6320abc834b7624bd557e4961aa1564de949f6bc0c386ff11f57f
SHA512 cf8a4c68e50f17fd2000c11766656aa3a4162ea18a9cd51bb6027dae5604e3a48c1d555184cee656dc179a4a033fedcf78f04a5dff5fecadbf4ebd74e7341d15

memory/5512-4318-0x0000000002970000-0x00000000029D8000-memory.dmp

memory/5512-4319-0x0000000002B50000-0x0000000002BB6000-memory.dmp

memory/5512-6466-0x0000000005760000-0x0000000005792000-memory.dmp