Malware Analysis Report

2025-08-11 07:52

Sample ID 241111-gl8esatgrm
Target bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243
SHA256 bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243
Tags
healer redline mango discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243

Threat Level: Known bad

The file bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243 was found to be: Known bad.

Malicious Activity Summary

healer redline mango discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine

Redline family

Healer

Healer family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Loads dropped DLL

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:54

Reported

2024-11-11 05:57

Platform

win7-20241010-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3047.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3047.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAp85s79.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAp85s79.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 576 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3047.exe
PID 2832 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3047.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe
PID 2888 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe
PID 2896 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe
PID 2896 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe
PID 2888 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAp85s79.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243.exe

"C:\Users\Admin\AppData\Local\Temp\bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3047.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3047.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAp85s79.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAp85s79.exe

Network

Country Destination Domain Proto
RU 193.233.20.28:4125 tcp

Files

memory/576-0-0x00000000002C0000-0x00000000003A8000-memory.dmp

memory/576-2-0x0000000000710000-0x0000000000802000-memory.dmp

memory/576-1-0x00000000002C0000-0x00000000003A8000-memory.dmp

memory/576-3-0x0000000000400000-0x00000000004F5000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3047.exe

MD5 e13af2e55e3b50cda25df5a6fba41a9a
SHA1 9a745fb2dab5064350535c3d561b4a4926f1fefb
SHA256 45bcc5467b6638a0d8fdf78ca2fbd94d92a156412e66c991fab0bc254bcdf854
SHA512 e03aa9206d9e83bfef316626577a4db6dce490629ffc00faecc822458b79846cc46b60b2d77f221d91cdbc37729f4b161dc4568f7a8c1f0dda22550cf2ee124c

\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe

MD5 e2821e674dd78e127304f76707eee32f
SHA1 4f8e19016a6213e7af6d73b3fbdda867b0fc8445
SHA256 d08b8653f7cf51de060a720885e2d01a835b4032dd003d2700a3e63c327319f1
SHA512 20d858058cd5bd1f1edfc25683b6c4d72cd8de086304f43e8fb575714a0770692b9c1a7e4abc49fe178ce2daa7e6e0c9aeda3799d8304c1c215437edc9a2b0a6

\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe

MD5 0f3e0bd9ec7de50494e353417fb61d9e
SHA1 7531e0723dd11d17fda4f9cbb65bb1992a4b4598
SHA256 f69714e0689e1f929755278153168e7544dbc88fdcaf58f1aba549880862eb97
SHA512 fb85b050ced087e52a0f871f7a17b223433d1e68bb74b655e8905d42dcc4a43c19417036daac4b7cfb5fc2aa9257e31ac7d83fb5a1aa01cf22bb7d04dc1ada55

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2920-42-0x00000000000F0000-0x00000000000FA000-memory.dmp

memory/576-43-0x0000000000710000-0x0000000000802000-memory.dmp

memory/576-44-0x0000000000400000-0x0000000000582000-memory.dmp

memory/576-45-0x0000000000400000-0x00000000004F5000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe

MD5 f1f6c8a25f731bb2d8ca8f87d6726298
SHA1 31818c0ad5b31481bbd326e3142364521c6b71bd
SHA256 8ffd32898c4028a3be101f6c62e68dcd8134a4c9b6e3611eaee4b66b283ba797
SHA512 88b74cbcd7183083b7eaddad00e71e7bea56d4c9acab52bc7791670aed2171198dab2ffeb6eecb2683d69cf9ec5584c44bb9be02915bd6e0168376b45c8afe47


\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAp85s79.exe

MD5 5ef815b8be58a494bf9c4ccb5713114e
SHA1 882b915c06810b6b7010f16d0b055e3cd6475159
SHA256 6d8c14625043f066a47b5b6b5df153cdb288e7f07eb79a8029c8805a2a2ae301
SHA512 c4809808c91d9ff4a524ff46250dfa60314727e421d489fc2ab8bacbd29b2ce8a8ae6afa79e389e19c00546d5983164b8bdd19715d10620bde9d7bc9ba50e2c3


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 05:54

Reported

2024-11-11 05:57

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3047.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3047.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAp85s79.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAp85s79.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3047.exe
PID 1140 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3047.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe
PID 4120 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe
PID 2796 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe
PID 2796 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe
PID 4120 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAp85s79.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243.exe

"C:\Users\Admin\AppData\Local\Temp\bfd234bc93c722e4f31b1b135a9d6f8bea69f02ea34e4ad5ae2dc0e8bbe6a243.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3047.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3047.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5052 -ip 5052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAp85s79.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAp85s79.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
RU 193.233.20.28:4125 tcp

Files

memory/4076-2-0x0000000002510000-0x0000000002602000-memory.dmp

memory/4076-1-0x0000000002360000-0x0000000002449000-memory.dmp

memory/4076-3-0x0000000000400000-0x00000000004F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3047.exe

MD5 e13af2e55e3b50cda25df5a6fba41a9a
SHA1 9a745fb2dab5064350535c3d561b4a4926f1fefb
SHA256 45bcc5467b6638a0d8fdf78ca2fbd94d92a156412e66c991fab0bc254bcdf854
SHA512 e03aa9206d9e83bfef316626577a4db6dce490629ffc00faecc822458b79846cc46b60b2d77f221d91cdbc37729f4b161dc4568f7a8c1f0dda22550cf2ee124c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3484.exe

MD5 e2821e674dd78e127304f76707eee32f
SHA1 4f8e19016a6213e7af6d73b3fbdda867b0fc8445
SHA256 d08b8653f7cf51de060a720885e2d01a835b4032dd003d2700a3e63c327319f1
SHA512 20d858058cd5bd1f1edfc25683b6c4d72cd8de086304f43e8fb575714a0770692b9c1a7e4abc49fe178ce2daa7e6e0c9aeda3799d8304c1c215437edc9a2b0a6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4765.exe

MD5 0f3e0bd9ec7de50494e353417fb61d9e
SHA1 7531e0723dd11d17fda4f9cbb65bb1992a4b4598
SHA256 f69714e0689e1f929755278153168e7544dbc88fdcaf58f1aba549880862eb97
SHA512 fb85b050ced087e52a0f871f7a17b223433d1e68bb74b655e8905d42dcc4a43c19417036daac4b7cfb5fc2aa9257e31ac7d83fb5a1aa01cf22bb7d04dc1ada55

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0135.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2512-32-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

memory/4076-33-0x0000000002360000-0x0000000002449000-memory.dmp

memory/4076-34-0x0000000002510000-0x0000000002602000-memory.dmp

memory/4076-36-0x0000000000400000-0x00000000004F5000-memory.dmp

memory/4076-35-0x0000000000400000-0x0000000000582000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2689.exe

MD5 f1f6c8a25f731bb2d8ca8f87d6726298
SHA1 31818c0ad5b31481bbd326e3142364521c6b71bd
SHA256 8ffd32898c4028a3be101f6c62e68dcd8134a4c9b6e3611eaee4b66b283ba797
SHA512 88b74cbcd7183083b7eaddad00e71e7bea56d4c9acab52bc7791670aed2171198dab2ffeb6eecb2683d69cf9ec5584c44bb9be02915bd6e0168376b45c8afe47

memory/5052-42-0x0000000002300000-0x000000000231A000-memory.dmp

memory/5052-43-0x0000000004B90000-0x0000000005134000-memory.dmp

memory/5052-44-0x00000000024E0000-0x00000000024F8000-memory.dmp

memory/5052-46-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-52-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-70-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-69-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-66-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-64-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-62-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-60-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-58-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-56-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-54-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-72-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-50-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-48-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-45-0x00000000024E0000-0x00000000024F2000-memory.dmp

memory/5052-74-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/5052-76-0x0000000000400000-0x00000000004B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAp85s79.exe

MD5 5ef815b8be58a494bf9c4ccb5713114e
SHA1 882b915c06810b6b7010f16d0b055e3cd6475159
SHA256 6d8c14625043f066a47b5b6b5df153cdb288e7f07eb79a8029c8805a2a2ae301
SHA512 c4809808c91d9ff4a524ff46250dfa60314727e421d489fc2ab8bacbd29b2ce8a8ae6afa79e389e19c00546d5983164b8bdd19715d10620bde9d7bc9ba50e2c3

memory/3100-81-0x00000000026B0000-0x00000000026F6000-memory.dmp

memory/3100-82-0x0000000004AD0000-0x0000000004B14000-memory.dmp

memory/3100-104-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-112-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-114-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-110-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-108-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-106-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-102-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-100-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-98-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-97-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-94-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-92-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-90-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-88-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-86-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-84-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-83-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/3100-990-0x0000000005860000-0x000000000596A000-memory.dmp

memory/3100-989-0x0000000005240000-0x0000000005858000-memory.dmp

memory/3100-991-0x0000000004BF0000-0x0000000004C02000-memory.dmp

memory/3100-992-0x0000000004C10000-0x0000000004C4C000-memory.dmp

memory/3100-993-0x0000000005A70000-0x0000000005ABC000-memory.dmp