Malware Analysis Report

2024-12-06 02:56

Sample ID 241110-ch5ghawnhs
Target 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8
SHA256 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8
Tags
healer redline gena discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8

Threat Level: Known bad

The file 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8 was found to be: Known bad.

Malicious Activity Summary

healer redline gena discovery dropper evasion infostealer persistence trojan

Healer

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer family

Redline family

RedLine

Windows security modification

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:05

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:05

Reported

2024-11-10 02:08

Platform

win7-20240903-en

Max time kernel

144s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 1708 (logged 7 times) N/A C:\Users\Admin\AppData\Local\Temp\4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe
PID 1708 wrote to memory of 1732 (logged 7 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe
PID 1732 wrote to memory of 2336 (logged 7 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe
PID 2336 wrote to memory of 2836 (logged 7 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe
PID 2336 wrote to memory of 2604 (logged 7 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe
PID 1732 wrote to memory of 1980 (logged 7 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe "C:\Users\Admin\AppData\Local\Temp\4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe

Network

Country Destination Domain Proto
RU 193.233.20.30:4125 tcp (5 connections)

Files

memory/3068-0-0x0000000000230000-0x0000000000327000-memory.dmp

memory/3068-2-0x0000000002BE0000-0x0000000002CE0000-memory.dmp

memory/3068-1-0x0000000000230000-0x0000000000327000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe

MD5 a9a4f433e19b950cd1a448a5353482c2
SHA1 b85853920b093c75410ebb1231625dea3f4df93a
SHA256 c2aaf884f1659fdbf4e44d1e3ec29617db6c52ce3ebd410ab8339a138481cb11
SHA512 28e2bde5400eca3f5c318bc44cca4bc4a0daca069c5302923f51031a886c2573b9a0cce14158887ce278d0a89a367e5750bd1337b62a4d53d7a3fdd595f137a2

memory/3068-11-0x0000000000400000-0x0000000000504000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe

MD5 28466bc0e58558080eec755e86b79ca6
SHA1 0601116c08753c74c7fb7ef29c3454d5f26ee015
SHA256 4e60bf62b5e1061afc332db5fbed020790cb25a81bf1b734640223809bc9a4cf
SHA512 d66be36fa54ede01457709c1d2d2590c5282c6363f79a5e4fe2cb97a2ad3ac47dbb9f2cde9d6d626b7de71d9651b68685a3bc32ffcf1c00e4df4bd35dbec4cd2

\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe

MD5 ac69bf292ea82d93a379ba646937ce4a
SHA1 ce731be984acd03a1f28fd0ec1c0af0f127c30b0
SHA256 764d22383b64553d72efa57a9938ca30161a004029a4d28a3093f6a95657551e
SHA512 291fd46f26297ce05cba59ff70d31c696dd9ff1eea7edf38c909dd0fa3545f6280412553987aaf7aa71fd66049418f04912db3ece2caa61e32dec7924e754b32

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2836-42-0x0000000000E60000-0x0000000000E6A000-memory.dmp

memory/3068-43-0x0000000002BE0000-0x0000000002CE0000-memory.dmp

memory/3068-44-0x0000000000400000-0x0000000002BDB000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe

MD5 1845d7115abbbded5df9b33cff8075e9
SHA1 380706bc021b2ab8e70160d12a204322b8ffdf68
SHA256 3173d3942a07773858280d66153c666a112b17e893c6ed5f21c5efcc193ad5c6
SHA512 5b8018fc9c9158e419e924cfad719d3972ae3d723e858f158dd74a13cc208389b7adc40f726ae9db552598f98d1b97d258397ee64b681b78b35933873d8e1575


C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe

MD5 715a7b0e3c0218dc84653285d8412b69
SHA1 98da656a4dc77098db5fb61820bfa4d7d034990a
SHA256 31d01e0dd4351edbcb072810ff3b143a54821432e168e116b6d5779d643a455a
SHA512 ed6cc658c470ad5d0c60c980d2e453e9fb240f47e649eed67ff4449210c07116d7582e60787a05bc866f443e40500875c66ae5e5b18d48607253febd0841787d


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 02:05

Reported

2024-11-10 02:08

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4836 wrote to memory of 1516 (logged 3 times) N/A C:\Users\Admin\AppData\Local\Temp\4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe
PID 1516 wrote to memory of 4540 (logged 3 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe
PID 4540 wrote to memory of 3616 (logged 3 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe
PID 3616 wrote to memory of 4816 (logged 2 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe
PID 3616 wrote to memory of 1488 (logged 3 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe
PID 4540 wrote to memory of 3828 (logged 3 times) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe "C:\Users\Admin\AppData\Local\Temp\4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1488 -ip 1488
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1004
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.30:4125 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 193.233.20.30:4125 tcp
RU 193.233.20.30:4125 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 193.233.20.30:4125 tcp
RU 193.233.20.30:4125 tcp

Files

memory/4836-1-0x0000000004950000-0x0000000004A55000-memory.dmp

memory/4836-2-0x0000000004A90000-0x0000000004B90000-memory.dmp

memory/4836-3-0x0000000000400000-0x0000000000504000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe

MD5 a9a4f433e19b950cd1a448a5353482c2
SHA1 b85853920b093c75410ebb1231625dea3f4df93a
SHA256 c2aaf884f1659fdbf4e44d1e3ec29617db6c52ce3ebd410ab8339a138481cb11
SHA512 28e2bde5400eca3f5c318bc44cca4bc4a0daca069c5302923f51031a886c2573b9a0cce14158887ce278d0a89a367e5750bd1337b62a4d53d7a3fdd595f137a2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe

MD5 28466bc0e58558080eec755e86b79ca6
SHA1 0601116c08753c74c7fb7ef29c3454d5f26ee015
SHA256 4e60bf62b5e1061afc332db5fbed020790cb25a81bf1b734640223809bc9a4cf
SHA512 d66be36fa54ede01457709c1d2d2590c5282c6363f79a5e4fe2cb97a2ad3ac47dbb9f2cde9d6d626b7de71d9651b68685a3bc32ffcf1c00e4df4bd35dbec4cd2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe

MD5 ac69bf292ea82d93a379ba646937ce4a
SHA1 ce731be984acd03a1f28fd0ec1c0af0f127c30b0
SHA256 764d22383b64553d72efa57a9938ca30161a004029a4d28a3093f6a95657551e
SHA512 291fd46f26297ce05cba59ff70d31c696dd9ff1eea7edf38c909dd0fa3545f6280412553987aaf7aa71fd66049418f04912db3ece2caa61e32dec7924e754b32

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4816-32-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

memory/4836-33-0x0000000004950000-0x0000000004A55000-memory.dmp

memory/4836-34-0x0000000004A90000-0x0000000004B90000-memory.dmp

memory/4836-36-0x0000000000400000-0x0000000000504000-memory.dmp

memory/4836-35-0x0000000000400000-0x0000000002BDB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe

MD5 1845d7115abbbded5df9b33cff8075e9
SHA1 380706bc021b2ab8e70160d12a204322b8ffdf68
SHA256 3173d3942a07773858280d66153c666a112b17e893c6ed5f21c5efcc193ad5c6
SHA512 5b8018fc9c9158e419e924cfad719d3972ae3d723e858f158dd74a13cc208389b7adc40f726ae9db552598f98d1b97d258397ee64b681b78b35933873d8e1575

memory/1488-42-0x00000000049E0000-0x00000000049FA000-memory.dmp

memory/1488-43-0x00000000071F0000-0x0000000007794000-memory.dmp

memory/1488-44-0x0000000004B40000-0x0000000004B58000-memory.dmp

memory/1488-45-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-50-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-72-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-70-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-68-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-66-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-64-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-62-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-60-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-58-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-56-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-54-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-52-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-48-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-46-0x0000000004B40000-0x0000000004B52000-memory.dmp

memory/1488-74-0x0000000000400000-0x0000000002B03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe

MD5 715a7b0e3c0218dc84653285d8412b69
SHA1 98da656a4dc77098db5fb61820bfa4d7d034990a
SHA256 31d01e0dd4351edbcb072810ff3b143a54821432e168e116b6d5779d643a455a
SHA512 ed6cc658c470ad5d0c60c980d2e453e9fb240f47e649eed67ff4449210c07116d7582e60787a05bc866f443e40500875c66ae5e5b18d48607253febd0841787d

memory/1488-76-0x0000000000400000-0x0000000002B03000-memory.dmp

memory/3828-81-0x0000000004C10000-0x0000000004C56000-memory.dmp

memory/3828-82-0x00000000076B0000-0x00000000076F4000-memory.dmp

memory/3828-86-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-108-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-114-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-112-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-110-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-106-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-104-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-102-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-100-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-98-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-96-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-94-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-92-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-90-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-88-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-84-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-83-0x00000000076B0000-0x00000000076EE000-memory.dmp

memory/3828-989-0x0000000007750000-0x0000000007D68000-memory.dmp

memory/3828-990-0x0000000007DF0000-0x0000000007EFA000-memory.dmp

memory/3828-991-0x0000000007F30000-0x0000000007F42000-memory.dmp

memory/3828-992-0x0000000007F50000-0x0000000007F8C000-memory.dmp

memory/3828-993-0x00000000080A0000-0x00000000080EC000-memory.dmp
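The WriteProcessMemory rows at the top of this section, the Network table and the Files list above are the parts of the report an analyst turns into indicators. The Python script below is an added example, not part of the report or of the sandbox's own tooling: it parses an excerpt constructed from those three sections (REPORT), deduplicates the repeated cross-process write rows, separates the reverse-DNS (in-addr.arpa) lookups sent to 8.8.8.8:53 from the one non-DNS connection (193.233.20.30:4125/tcp), checks that every dropped-file digest has the length its algorithm requires, and reports the deepest IXP00N.TMP stage in the drop paths (IXP00N.TMP is the extraction directory name used by IExpress self-extracting packages, which is why the stages nest that way). The function names are the example's own.

```python
"""Turn the report's Signatures, Network and Files text into IOCs.
Added example, not the sandbox vendor's code. REPORT is an excerpt
constructed from the report above: two WriteProcessMemory rows (one
repeated), the Network table and two dropped-file entries."""
import re

REPORT = r"""
PID 3616 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe
PID 3616 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe
PID 4540 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 193.233.20.30:4125 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 193.233.20.30:4125 tcp

Files

memory/4836-1-0x0000000004950000-0x0000000004A55000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe

MD5 a9a4f433e19b950cd1a448a5353482c2
SHA1 b85853920b093c75410ebb1231625dea3f4df93a
SHA256 c2aaf884f1659fdbf4e44d1e3ec29617db6c52ce3ebd410ab8339a138481cb11
SHA512 28e2bde5400eca3f5c318bc44cca4bc4a0daca069c5302923f51031a886c2573b9a0cce14158887ce278d0a89a367e5750bd1337b62a4d53d7a3fdd595f137a2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe

MD5 1845d7115abbbded5df9b33cff8075e9
SHA1 380706bc021b2ab8e70160d12a204322b8ffdf68
SHA256 3173d3942a07773858280d66153c666a112b17e893c6ed5f21c5efcc193ad5c6
SHA512 5b8018fc9c9158e419e924cfad719d3972ae3d723e858f158dd74a13cc208389b7adc40f726ae9db552598f98d1b97d258397ee64b681b78b35933873d8e1575
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\")   # IExpress extraction directory, stage number N


def _after(text, title):
    """All stripped lines following the first line equal to `title` ([] if absent)."""
    lines = [l.strip() for l in text.splitlines()]
    return lines[lines.index(title) + 1:] if title in lines else []


def parse_writes(text):
    """Deduplicated cross-process writes as (src_pid, dst_pid, src_image, dst_image)."""
    found = {}
    for line in text.splitlines():
        if m := WRITE_RE.match(line.strip()):
            src, dst, src_img, dst_img = m.groups()
            found[(int(src), int(dst))] = (int(src), int(dst), src_img, dst_img)
    return [found[k] for k in sorted(found)]


def parse_network(text):
    """Rows of the Network table; rows without a Domain column are direct IP connections."""
    rows = []
    for line in _after(text, "Country Destination Domain Proto"):
        if not line:                       # blank line ends the table
            break
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def outbound_endpoints(rows):
    """Unique (ip, port, proto) excluding DNS to port 53 (the resolver lookups)."""
    return sorted({(r["ip"], r["port"], r["proto"]) for r in rows
                   if not (r["proto"] == "udp" and r["port"] == 53)})


def parse_files(text):
    """Dropped files -> {algo: digest} plus memory dumps; rejects digests of the wrong length."""
    files, dumps, current = {}, [], None
    for line in _after(text, "Files"):
        if m := DUMP_RE.match(line):
            pid, seq, lo, hi = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(lo, 16), "size": int(hi, 16) - int(lo, 16)})
        elif re.match(r"^[A-Za-z]:\\", line):
            current = line
            files.setdefault(current, {})
        elif (m := HASH_RE.match(line)) and current:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {current}: {len(digest)} hex chars")
            files[current][algo] = digest
    return files, dumps


def dropper_depth(files):
    """Deepest IXP00N.TMP stage seen among the dropped files (-1 if none)."""
    return max((int(m.group(1)) for p in files if (m := IXP_RE.search(p))), default=-1)


if __name__ == "__main__":
    files, dumps = parse_files(REPORT)
    print("writes:", parse_writes(REPORT))
    print("outbound:", outbound_endpoints(parse_network(REPORT)))
    print("files:", {p: h["SHA256"] for p, h in files.items()}, "dumps:", dumps)
    print("deepest IXP stage:", dropper_depth(files))
```

Run stand-alone it prints the two distinct write pairs (3616 to 1488, 4540 to 3828), the single outbound endpoint, the SHA256 of each dropped file, the one memory region with its size in bytes, and stage 3 as the deepest drop directory. Feeding it the full report text instead of the excerpt works the same way, since each parser keys on the section header or line shape rather than on position.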