Malware Analysis Report

2025-08-11 07:52

Sample ID 241111-gmxdxavckg
Target 06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe
SHA256 e23ed4794ead3f85c8b72475a27e5962b603225e3d64d0d11cb2852c25617dde
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e23ed4794ead3f85c8b72475a27e5962b603225e3d64d0d11cb2852c25617dde

Threat Level: Known bad

The file 06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Healer

RedLine payload

Redline family

Healer family

RedLine

Amadey family

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Amadey

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:55

Reported

2024-11-11 05:57

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
PID 3024 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
PID 3024 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
PID 4404 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
PID 4404 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
PID 4404 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
PID 2572 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
PID 2572 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
PID 2572 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
PID 3616 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe C:\Windows\Temp\1.exe
PID 3616 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe C:\Windows\Temp\1.exe
PID 2572 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
PID 2572 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
PID 2572 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
PID 4404 wrote to memory of 5672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
PID 4404 wrote to memory of 5672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
PID 4404 wrote to memory of 5672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
PID 5672 wrote to memory of 5984 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5672 wrote to memory of 5984 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5672 wrote to memory of 5984 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3024 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
PID 3024 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
PID 3024 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
PID 5984 wrote to memory of 5196 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5984 wrote to memory of 5196 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5984 wrote to memory of 5196 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5984 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 5984 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 5984 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 5968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 5968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 5968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 5964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3472 wrote to memory of 5964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3472 wrote to memory of 5964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3472 wrote to memory of 5560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3472 wrote to memory of 5560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3472 wrote to memory of 5560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3472 wrote to memory of 6096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 6096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 6096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 1216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3472 wrote to memory of 1216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3472 wrote to memory of 1216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3472 wrote to memory of 5416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3472 wrote to memory of 5416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3472 wrote to memory of 5416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
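The rows above are one event per write, so each parent/child pair appears three times and the unpacking chain is hard to read off. Rebuilt as a tree it is: the outer sample writes two stages into IXP000.TMP (iI024552.exe and 418229472.exe); iI024552.exe unpacks Fy476355.exe and 361103506.exe into IXP001.TMP; Fy476355.exe drops 170382928.exe (which writes C:\Windows\Temp\1.exe, the process that later edits the Defender keys) and 242840271.exe; 361103506.exe installs oneetx.exe under cb7ae701b3, and oneetx.exe spawns schtasks.exe and the cmd.exe/cacls.exe chain. Both 242840271.exe and 418229472.exe crash afterwards (WerFault.exe for PIDs 212 and 4664 in the Processes list). The Python below is an added example, not part of the sandbox report, that performs this reconstruction from the rows themselves. It assumes image paths contain no spaces (true of every row here) and deliberately keeps one duplicate row to show the de-duplication; the PIDs and paths are copied from this report.

```python
"""Rebuild the process tree of this detonation from the sandbox's
'PID <parent> wrote to memory of <child>' rows (added example)."""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict

# Constructed input: a subset of the 'Suspicious use of WriteProcessMemory'
# rows above, copied verbatim.  One duplicate is kept on purpose, because the
# sandbox emits a separate row for every write into the child.
T = r"C:\Users\Admin\AppData\Local\Temp"
SYS = r"C:\Windows\SysWOW64"
SAMPLE = rf"{T}\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe"
WPM_ROWS = [
    rf"PID 3024 wrote to memory of 4404 N/A {SAMPLE} {T}\IXP000.TMP\iI024552.exe",
    rf"PID 3024 wrote to memory of 4404 N/A {SAMPLE} {T}\IXP000.TMP\iI024552.exe",
    rf"PID 4404 wrote to memory of 2572 N/A {T}\IXP000.TMP\iI024552.exe {T}\IXP001.TMP\Fy476355.exe",
    rf"PID 2572 wrote to memory of 3616 N/A {T}\IXP001.TMP\Fy476355.exe {T}\IXP002.TMP\170382928.exe",
    rf"PID 3616 wrote to memory of 1152 N/A {T}\IXP002.TMP\170382928.exe C:\Windows\Temp\1.exe",
    rf"PID 2572 wrote to memory of 212 N/A {T}\IXP001.TMP\Fy476355.exe {T}\IXP002.TMP\242840271.exe",
    rf"PID 4404 wrote to memory of 5672 N/A {T}\IXP000.TMP\iI024552.exe {T}\IXP001.TMP\361103506.exe",
    rf"PID 5672 wrote to memory of 5984 N/A {T}\IXP001.TMP\361103506.exe {T}\cb7ae701b3\oneetx.exe",
    rf"PID 3024 wrote to memory of 4664 N/A {SAMPLE} {T}\IXP000.TMP\418229472.exe",
    rf"PID 5984 wrote to memory of 5196 N/A {T}\cb7ae701b3\oneetx.exe {SYS}\schtasks.exe",
    rf"PID 5984 wrote to memory of 3472 N/A {T}\cb7ae701b3\oneetx.exe {SYS}\cmd.exe",
    rf"PID 3472 wrote to memory of 5968 N/A {SYS}\cmd.exe {SYS}\cmd.exe",
    rf"PID 3472 wrote to memory of 5964 N/A {SYS}\cmd.exe {SYS}\cacls.exe",
]

# Columns: writer PID, target PID, Indicator (always N/A here), writer image, target image.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_edges(rows: list[str]) -> dict[tuple[int, int], tuple[str, str]]:
    """Map (parent_pid, child_pid) -> (parent_image, child_image), de-duplicated.
    Assumes image paths contain no spaces, which holds for every row in this report."""
    edges: dict[tuple[int, int], tuple[str, str]] = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            edges.setdefault((int(m[1]), int(m[2])), (m[3], m[4]))
    return edges


def build_tree(edges):
    """Return (children, image, roots); a root is a writer nobody wrote into."""
    children: dict[int, list[int]] = defaultdict(list)
    image: dict[int, str] = {}
    for (ppid, cpid), (pimg, cimg) in edges.items():
        children[ppid].append(cpid)
        image[ppid] = pimg
        image[cpid] = cimg
    written_into = {c for _, c in edges}
    roots = sorted({p for p, _ in edges} - written_into)
    return children, image, roots


def chain_to(pid: int, edges) -> list[int]:
    """Ancestry of pid, root first: e.g. the path by which 1.exe reached disk."""
    parent_of = {c: p for p, c in edges}
    chain = [pid]
    # Stop at the root, or if a cycle (child writing into its parent) shows up.
    while chain[-1] in parent_of and parent_of[chain[-1]] not in chain:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(edges) -> str:
    """Indented tree, one '<pid> <basename>' per line, children in PID order."""
    children, image, roots = build_tree(edges)
    lines: list[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append(f"{'  ' * depth}{pid} {ntpath.basename(image[pid])}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    print(render(edges))
    print("1.exe reached via:", " -> ".join(map(str, chain_to(1152, edges))))
```

Feeding the full table instead of the subset works unchanged; WriteProcessMemory from parent into a freshly created child is what process creation looks like to this sandbox, so the tree is a reasonable proxy for the real process tree, but it misses children created by processes that never wrote into them (WerFault.exe, for instance, does not appear).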

Processes

C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe

"C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 212 -ip 212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1256

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4664 -ip 4664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1252

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
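Three things in this detonation matter operationally: the Windows Defender policy writes by C:\Windows\Temp\1.exe, the schtasks.exe task that re-launches oneetx.exe every minute, and the CACLS commands that remove the Admin user's rights on oneetx.exe and its folder. Two caveats when reading those rows. First, the report records the registry writes, not whether Defender honoured them: writing the Policies\...\Real-Time Protection values requires administrative rights, and with Tamper Protection enabled Defender is designed to disregard such changes, so a write of Features\TamperProtection = 0 is not by itself expected to switch it off. Second, the RunOnce\wextract_cleanupN entries listed under "Adds Run key to start application" are the standard Windows self-extractor (wextract) hook that deletes its IXP00n.TMP folder through advpack.dll DelNodeRunDLL32 at the next logon; they explain the nested IXP000/IXP001/IXP002 layers but are not malware persistence. The Python below is an added example, not sandbox output and not code from any of the malware families named on this page: it encodes those distinctions as detection rules and runs them over registry events and command lines transcribed from this report. Rule names, severities and the Finding record are the example's own conventions, and "cacls.exe" is used as the process name for command-line-only findings.

```python
"""Detection rules for the Defender tampering, scheduled-task persistence and
ACL self-protection recorded in this detonation (added example)."""
from __future__ import annotations

import re
from typing import NamedTuple

# Constructed input, transcribed from the registry and command-line rows above.
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
HEALER = r"C:\Windows\Temp\1.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe"

# (operation, key, value name, data, writing process)
REG_EVENTS = [
    ("Set value", RTP, "DisableRealtimeMonitoring", "1", HEALER),
    ("Set value", RTP, "DisableScanOnRealtimeEnable", "1", HEALER),
    ("Key created", RTP, None, None, HEALER),
    ("Set value", RTP, "DisableBehaviorMonitoring", "1", HEALER),
    ("Set value", RTP, "DisableIOAVProtection", "1", HEALER),
    ("Set value", RTP, "DisableOnAccessProtection", "1", HEALER),
    ("Set value", FEATURES, "TamperProtection", "0", HEALER),
    ("Set value", RUNONCE, "wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"', DROPPER),
]
CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit',
    r'CACLS "oneetx.exe" /P "Admin:N"',
    r'CACLS "oneetx.exe" /P "Admin:R" /E',
]


class Finding(NamedTuple):
    rule: str
    severity: str   # info | medium | high (this example's own scale)
    process: str
    detail: str


WEXTRACT_NAME = re.compile(r"^wextract_cleanup\d+$", re.I)
SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
# CACLS <file> /P <user>:N -- 'N' grants nothing; without /E the whole ACL is replaced.
CACLS_DENY = re.compile(r'\bcacls(?:\.exe)?\s+"?([^"\s]+)"?\s+/P\s+"?([^"\s:]+):N\b', re.I)


def check_registry(events) -> list[Finding]:
    """Defender policy tampering plus RunOnce writes, with the SFX cleanup hook downgraded."""
    out: list[Finding] = []
    for op, key, name, data, proc in events:
        if op != "Set value" or name is None:
            continue
        k = key.lower()
        if k == RTP.lower() and name.lower().startswith("disable") and data == "1":
            out.append(Finding("defender_realtime_disabled", "high", proc, f"{name}=1"))
        elif k == FEATURES.lower() and name.lower() == "tamperprotection" and data == "0":
            out.append(Finding("defender_tamper_protection_off", "high", proc, "TamperProtection=0"))
        elif k.endswith(r"\currentversion\runonce"):
            # wextract_cleanupN -> advpack DelNodeRunDLL32 is the stock self-extractor
            # deleting its IXP00n.TMP folder at next logon, not malware persistence.
            if WEXTRACT_NAME.match(name) and "advpack.dll,DelNodeRunDLL32" in (data or ""):
                out.append(Finding("runonce_wextract_cleanup", "info", proc, f"{name}: SFX cleanup"))
            else:
                out.append(Finding("runonce_autostart", "medium", proc, f"{name}={data}"))
    return out


def check_schtasks(cmdline: str) -> Finding | None:
    """Amadey-style task: minute interval, action binary in a user-writable folder,
    /F silently replacing any existing task of the same name."""
    if not SCHTASKS_CREATE.search(cmdline):
        return None
    sc = re.search(r"/SC\s+(\w+)", cmdline, re.I)
    mo = re.search(r"/MO\s+(\d+)", cmdline, re.I)
    tr = re.search(r'/TR\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    action = (tr.group(1) or tr.group(2)) if tr else ""
    every = int(mo.group(1)) if mo else 1
    reasons = []
    if sc and sc.group(1).upper() == "MINUTE" and every <= 5:
        reasons.append(f"runs every {every} minute(s)")
    if USER_WRITABLE.search(action):
        reasons.append(f"action in user-writable path: {action}")
    if re.search(r"\s/F(?:\s|$)", cmdline, re.I):
        reasons.append("/F force-overwrite")
    if len(reasons) < 2:
        return None
    return Finding("schtasks_minute_persistence", "high", "schtasks.exe", "; ".join(reasons))


def check_cacls(cmdline: str) -> list[Finding]:
    """'echo Y|' pre-answers the 'Are you sure' prompt; <user>:N on a file the
    process just dropped is self-protection against deletion."""
    return [Finding("cacls_deny_owner", "medium", "cacls.exe", f"{m.group(2)} denied on {m.group(1)}")
            for m in CACLS_DENY.finditer(cmdline)]


def run_rules(events, cmdlines) -> list[Finding]:
    findings = check_registry(events)
    for c in cmdlines:
        f = check_schtasks(c)
        if f:
            findings.append(f)
        findings.extend(check_cacls(c))
    return list(dict.fromkeys(findings))  # the nested cmd.exe line repeats the cacls hits


SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}


def max_severity(findings) -> str:
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="none")
```

To respond on a live host rather than a report, the same three rules map to: delete the task (schtasks /Delete /TN oneetx.exe /F), reset the ACLs with icacls before deleting the cb7ae701b3 folder, and remove the Policies\Microsoft\Windows Defender\Real-Time Protection values so Group Policy no longer pins real-time protection off.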

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
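The table mixes two kinds of traffic: reverse (PTR) lookups sent to 8.8.8.8 for addresses the table shows no connection to, and four plain HTTP connections to 193.3.19.154 on port 80 with no hostname and no forward DNS query anywhere in the capture, which is what a hard-coded address looks like. The report does not say which process opened those connections, and the RU column is only the sandbox's geolocation of the address. The Python below is an added example, not part of the report: it parses the table as printed, decodes the in-addr.arpa names back to addresses, and flags connections that no forward lookup preceded. That "no forward query seen before this connection" test is the example's own simplification; with the resolver's answers available you would match each destination against the returned A records instead.

```python
"""Separate background reverse lookups from direct-to-IP connections in this
report's Network table (added example)."""
from __future__ import annotations

import ipaddress
from collections import Counter
from typing import NamedTuple

# Constructed input: the Network table above, copied verbatim.  TCP rows have an
# empty Domain column and therefore only three fields.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
"""


class Row(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str | None
    proto: str


def parse_table(text: str) -> list[Row]:
    """Parse the printed table; the first line is the header."""
    rows: list[Row] = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append(Row(country, ip, int(port), domain, proto))
    return rows


def ptr_to_ip(name: str) -> str | None:
    """'241.150.49.20.in-addr.arpa' -> '20.49.150.241'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


class Summary(NamedTuple):
    forward_lookups: set[str]         # non-PTR names queried
    ptr_targets: set[str]             # addresses the host reverse-resolved
    connections: Counter              # (ip, port, proto) -> count, DNS excluded
    direct_to_ip: Counter             # connections with no forward query before them
    ptr_without_connection: set[str]  # reverse-resolved addresses never connected to


def summarize(rows: list[Row]) -> Summary:
    forward: set[str] = set()
    ptr: set[str] = set()
    conns: Counter = Counter()
    direct: Counter = Counter()
    for r in rows:
        if r.port == 53 and r.domain:
            ip = ptr_to_ip(r.domain)
            if ip:
                ptr.add(ip)
            else:
                forward.add(r.domain.lower())
            continue
        key = (r.ip, r.port, r.proto)
        conns[key] += 1
        # Heuristic: a connection that no forward DNS query preceded was made to a
        # hard-coded address.  With resolver answers, match against A records instead.
        if not forward:
            direct[key] += 1
    connected = {r.ip for r in rows}  # includes the resolver itself (8.8.8.8:53)
    return Summary(forward, ptr, conns, direct, ptr - connected)


if __name__ == "__main__":
    s = summarize(parse_table(NETWORK_TABLE))
    for (ip, port, proto), n in s.direct_to_ip.items():
        print(f"direct-to-IP {proto} {ip}:{port} x{n}")
    print("PTR lookups for addresses never connected to:", sorted(s.ptr_without_connection))
```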

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe

MD5 827ccbc4c11603646f8a3c69172e8a45
SHA1 2017a8048034862c7e92e2d3ece454ed3e927779
SHA256 525e8d353a3ec8dca403c848bb02e2f0f9cbbdc041f5ab6c7ff85aa2f14f0b67
SHA512 f32bf5eb824031eff1a497961cc6a3ad4de9eddab3944eadbefdd1d0e6f87f6a7abb4ab9794d96fc8f771ad60c9347cfe7ac3f44d74b04021ddcdaa5d28fa207

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe

MD5 fbd51d7e7ef4b74311ada32235dad4a3
SHA1 cd77bc5d2d0c52f65ee8ca49e413fc04436a0951
SHA256 18a2596e9e9421902f25d1f2ff4b591f1489d8a716842c295b18c4bc5342abe6
SHA512 8aabcdbb6cfa9fd24c0f3dd92b48d6eaedbf5625dfc819d7d065db795e4104facaf2126401e39df235107c9ec697fdbf4895d50f8d7c8231ac4b514e4a50af95

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe

MD5 f6d59c97a0ed988291f29786087dc183
SHA1 b441493c234cb87c634ba56b170372ab7c6ae6e3
SHA256 8b77e63aa6736150639ebd0fd474f9c6fcf6cc7a4e6795e92e888b2ce52a14cb
SHA512 8ac6b127cec2616e637fef0bff71cc2360c48e3690958c66c9233844792276d912b8cfce0f63834b20d9a94fd2cadca9b0ced8846ec474686d91b3d402f21ea2

memory/3616-21-0x00000000023C0000-0x0000000002418000-memory.dmp

memory/3616-22-0x0000000004B10000-0x00000000050B4000-memory.dmp

memory/3616-23-0x0000000004A70000-0x0000000004AC6000-memory.dmp

memory/3616-24-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-71-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-53-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-49-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-45-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-41-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-37-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-33-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-30-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-27-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-87-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-85-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-84-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-81-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-79-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-77-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-75-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-73-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-69-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-67-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-65-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-63-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-61-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-59-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-57-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-55-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-51-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-47-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-43-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-39-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-35-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-31-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-25-0x0000000004A70000-0x0000000004AC1000-memory.dmp

memory/3616-2152-0x0000000002430000-0x000000000243A000-memory.dmp

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe

MD5 cd22ce939659072b194a1fa34ad136e3
SHA1 e6fe1c548efc7fae64a6a6569ed4747df39999b8
SHA256 cb90776180a118ffd70a5e77dfcb25217e04ba16fc0813436d15b68dc1f63240
SHA512 70a29db233981f5800c9130626371bfee55973175e25b86a9f74832d03a38d47ee0e7d58e63e13e8410010062442334649a5c7f23f8c7391a36d2d2ab0dbeeaf

memory/1152-2167-0x00000000008E0000-0x00000000008EA000-memory.dmp

memory/212-4298-0x0000000005870000-0x0000000005902000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe

MD5 c09473f87c87e6bd0ebab611067875bb
SHA1 b42294e8ce5804dec65735d142a4a29e8a861cd6
SHA256 d7e3a6c78044fb393ebbc9d262dbe7609eb07acff787d6b43f96dc8107d287d1
SHA512 c3ddb62d12a1d0ee584815faecf616e8a3884d8b13ed9f832308fbf57ebb770c2b1dd7df38d32da4ee072eb8d61bfc9b37607cf37e1b52dccb1a986c247476a6

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe

MD5 85648d9d3c25a9cae3d60bba38357e3e
SHA1 f319e778b59b4b81158f6433a9d19d0145472217
SHA256 dd05dc35b6c6320abc834b7624bd557e4961aa1564de949f6bc0c386ff11f57f
SHA512 cf8a4c68e50f17fd2000c11766656aa3a4162ea18a9cd51bb6027dae5604e3a48c1d555184cee656dc179a4a033fedcf78f04a5dff5fecadbf4ebd74e7341d15

memory/4664-4318-0x0000000004F10000-0x0000000004F78000-memory.dmp

memory/4664-4319-0x0000000005550000-0x00000000055B6000-memory.dmp

memory/4664-6466-0x0000000005740000-0x0000000005772000-memory.dmp