Malware Analysis Report

2024-12-06 02:40

Sample ID 241110-bay43svpbs
Target 33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d
SHA256 33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d
Tags
healer redline mango discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d

Threat Level: Known bad

The file 33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d was found to be: Known bad.

Malicious Activity Summary

healer redline mango discovery dropper evasion infostealer persistence trojan

RedLine

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine payload

Redline family

Healer

Healer family

Windows security modification

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:57

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:57

Reported

2024-11-10 00:59

Platform

win7-20240903-en

Max time kernel

142s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8130.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8130.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyj65s59.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyj65s59.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 276 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8130.exe
PID 2340 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8130.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe
PID 2324 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe
PID 1868 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe
PID 1868 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe
PID 2324 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyj65s59.exe

Processes

C:\Users\Admin\AppData\Local\Temp\33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d.exe

"C:\Users\Admin\AppData\Local\Temp\33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8130.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8130.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyj65s59.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyj65s59.exe

Network

Country | Destination | Domain | Proto
RU | 193.233.20.28:4125 | | tcp

Files

memory/276-0-0x0000000004550000-0x0000000004648000-memory.dmp

memory/276-1-0x0000000004550000-0x0000000004648000-memory.dmp

memory/276-2-0x0000000004650000-0x0000000004752000-memory.dmp

memory/276-3-0x0000000000400000-0x0000000000505000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8130.exe

MD5 856dd077cd7ab2ff18bc21cfcb433b7f
SHA1 1c3f81147cfc5668343c1a04dc89214fc1c63a23
SHA256 21b6c9639237b095f4ff32f54ae7790ce419f8a607443f234d11a8da8f0a4f49
SHA512 d289b0a68f87af28587fad1ff719c966aae55c4abd7a72d743c23fabc7d6d485f56c0d9195ea7a8212d0f310608283f7d1938e578a39fd8c8198e7b3b9f254f8

\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe

MD5 572e3d67932761f71aa9fa66f2f6412e
SHA1 50f7586a5a493947247b2762a5b83146557683f5
SHA256 0c729989cb699f227214671d68aa3e9add92f670cb955b2f63045fdcfc6e6c0b
SHA512 633e4b188de85fbe70c5f05da30f7d64c1fc5524c32d43674720eee726ed10702f751c9b0adeede72b427018d3d089958fa13b78ec7e8a03d0576c1a21a33220

\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe

MD5 bfc4d9091d7aab8fca7c342c522a086a
SHA1 19e83b3a193edb7f8848546c3626875b718b2f57
SHA256 ba58846c3008b5ea1e9c49ff433ef6dbbd68c12f5dfd858beaaf7d9e86dfc362
SHA512 79b63e61757b0a7d40f4b0f29ac68dd4146e24fbffbf4e8ad620acb307c5ea622644ccbdb0f812fc2e9e88c2d8c8b0dfd60b163a021448a6c77cf430d6e4f290

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2684-42-0x0000000001290000-0x000000000129A000-memory.dmp

memory/276-43-0x0000000004550000-0x0000000004648000-memory.dmp

memory/276-44-0x0000000004650000-0x0000000004752000-memory.dmp

memory/276-46-0x0000000000400000-0x0000000000505000-memory.dmp

memory/276-45-0x0000000000400000-0x0000000002BE7000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe

MD5 6e8158adb9701e11d91308856283b4ee
SHA1 c9e2286d40fcaef9116414504c9ec14d6b4a80d7
SHA256 f04fd301a06b5f0d523569fd18053e2352373aa68330183b6b9de4385849d322
SHA512 8baba867b5f3bc4ba336b2454862cdeee4682c855e33ee4076bc9167f78f3be84992e764591e9092240c54decf761a52f1bc4e0235311afdb7739480c4d42bdc

\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyj65s59.exe

MD5 cfd9fd906ad91a1f8e95e9629b589e4d
SHA1 1bd0d089b9c491f18cd738d73933b70ce2e35f6a
SHA256 35bd0e6db97e955e502ca62513ed082b9b8dc3f2972cd6b95c275a1f0b131af3
SHA512 611a5e0706b30016926c3296a9596ab46ae7ed684d5ba6e9013cc3beaf8a35f7802c15179cf6e76304380e1aa70f294fccf6bf56042f910d7d161f2188b9cf0c

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 00:57

Reported

2024-11-10 00:59

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8130.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyj65s59.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8130.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyj65s59.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1796 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8130.exe
PID 1036 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8130.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe
PID 8 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe
PID 2852 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe
PID 2852 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe
PID 8 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyj65s59.exe

Processes

C:\Users\Admin\AppData\Local\Temp\33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d.exe

"C:\Users\Admin\AppData\Local\Temp\33eddd79d3f2bec1bb68c0ff890b6bdc35803243e46058309ab6d0e44062249d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8130.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8130.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1140 -ip 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1004

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyj65s59.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyj65s59.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.28:4125 | | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
RU | 193.233.20.28:4125 | | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
RU | 193.233.20.28:4125 | | tcp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
RU | 193.233.20.28:4125 | | tcp
RU | 193.233.20.28:4125 | | tcp
US | 8.8.8.8:53 | | udp

Files

memory/1796-1-0x0000000004A90000-0x0000000004B91000-memory.dmp

memory/1796-2-0x0000000004BA0000-0x0000000004CA2000-memory.dmp

memory/1796-3-0x0000000000400000-0x0000000000505000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8130.exe

MD5 856dd077cd7ab2ff18bc21cfcb433b7f
SHA1 1c3f81147cfc5668343c1a04dc89214fc1c63a23
SHA256 21b6c9639237b095f4ff32f54ae7790ce419f8a607443f234d11a8da8f0a4f49
SHA512 d289b0a68f87af28587fad1ff719c966aae55c4abd7a72d743c23fabc7d6d485f56c0d9195ea7a8212d0f310608283f7d1938e578a39fd8c8198e7b3b9f254f8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3054.exe

MD5 572e3d67932761f71aa9fa66f2f6412e
SHA1 50f7586a5a493947247b2762a5b83146557683f5
SHA256 0c729989cb699f227214671d68aa3e9add92f670cb955b2f63045fdcfc6e6c0b
SHA512 633e4b188de85fbe70c5f05da30f7d64c1fc5524c32d43674720eee726ed10702f751c9b0adeede72b427018d3d089958fa13b78ec7e8a03d0576c1a21a33220

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0208.exe

MD5 bfc4d9091d7aab8fca7c342c522a086a
SHA1 19e83b3a193edb7f8848546c3626875b718b2f57
SHA256 ba58846c3008b5ea1e9c49ff433ef6dbbd68c12f5dfd858beaaf7d9e86dfc362
SHA512 79b63e61757b0a7d40f4b0f29ac68dd4146e24fbffbf4e8ad620acb307c5ea622644ccbdb0f812fc2e9e88c2d8c8b0dfd60b163a021448a6c77cf430d6e4f290

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1247.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2868-32-0x0000000000900000-0x000000000090A000-memory.dmp

memory/1796-33-0x0000000004A90000-0x0000000004B91000-memory.dmp

memory/1796-34-0x0000000004BA0000-0x0000000004CA2000-memory.dmp

memory/1796-36-0x0000000000400000-0x0000000000505000-memory.dmp

memory/1796-35-0x0000000000400000-0x0000000002BE7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8568.exe

MD5 6e8158adb9701e11d91308856283b4ee
SHA1 c9e2286d40fcaef9116414504c9ec14d6b4a80d7
SHA256 f04fd301a06b5f0d523569fd18053e2352373aa68330183b6b9de4385849d322
SHA512 8baba867b5f3bc4ba336b2454862cdeee4682c855e33ee4076bc9167f78f3be84992e764591e9092240c54decf761a52f1bc4e0235311afdb7739480c4d42bdc

memory/1140-45-0x00000000048F0000-0x000000000490A000-memory.dmp

memory/1140-46-0x0000000007310000-0x00000000078B4000-memory.dmp

memory/1140-47-0x0000000004C40000-0x0000000004C58000-memory.dmp

memory/1140-48-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-57-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-75-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-73-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-71-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-69-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-67-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-65-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-63-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-61-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-59-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-55-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-53-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-51-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-49-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1140-77-0x0000000000400000-0x0000000002B05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyj65s59.exe

MD5 cfd9fd906ad91a1f8e95e9629b589e4d
SHA1 1bd0d089b9c491f18cd738d73933b70ce2e35f6a
SHA256 35bd0e6db97e955e502ca62513ed082b9b8dc3f2972cd6b95c275a1f0b131af3
SHA512 611a5e0706b30016926c3296a9596ab46ae7ed684d5ba6e9013cc3beaf8a35f7802c15179cf6e76304380e1aa70f294fccf6bf56042f910d7d161f2188b9cf0c

memory/1140-79-0x0000000000400000-0x0000000002B05000-memory.dmp

memory/2440-84-0x00000000070E0000-0x0000000007126000-memory.dmp

memory/2440-85-0x0000000007710000-0x0000000007754000-memory.dmp

memory/2440-109-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-117-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-115-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-113-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-111-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-107-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-105-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-104-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-101-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-99-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-97-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-95-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-93-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-91-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-89-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-87-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-86-0x0000000007710000-0x000000000774E000-memory.dmp

memory/2440-992-0x0000000007890000-0x0000000007EA8000-memory.dmp

memory/2440-993-0x0000000007F30000-0x000000000803A000-memory.dmp

memory/2440-994-0x0000000008070000-0x0000000008082000-memory.dmp

memory/2440-995-0x0000000008090000-0x00000000080CC000-memory.dmp

memory/2440-996-0x00000000081E0000-0x000000000822C000-memory.dmp