3d84d2ad35397d5b2b3d482886e2a15551053e903de3fb446704754b48ffa925

Analysis

max time kernel
46s
max time network
134s
platform
windows7_x64
resource
win7v20201028
submitted
11-01-2021 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

atiflash_293.exe
Size

3.2MB
MD5

e6172650b97c48b350630e67e13387d9
SHA1

ad2a2c83d70088b1fe69adb77b8efdccb280be04
SHA256

3d84d2ad35397d5b2b3d482886e2a15551053e903de3fb446704754b48ffa925
SHA512

8a61d1a837c338f09fc21f1bb803ecb3813174015724b4bb69dc4c444086efef3e83702483dc7c41acfb0ea11cdcda7c8585eedfcff485e3c66c70ab65280ac8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

atiwinflash.exeatiwinflash.exeamdvbflashWin.exezatiwinflash.exe

pid process

1164 atiwinflash.exe
1788 atiwinflash.exe
1704 amdvbflashWin.exe
1780 zatiwinflash.exe

pid	process
1164	atiwinflash.exe
1788	atiwinflash.exe
1704	amdvbflashWin.exe
1780	zatiwinflash.exe

Loads dropped DLL 8 IoCs

Processes:

atiflash_293.exeatiwinflash.exeatiwinflash.exeamdvbflashWin.exe

pid	process
596	atiflash_293.exe
596	atiflash_293.exe
596	atiflash_293.exe
596	atiflash_293.exe
1164	atiwinflash.exe
1788	atiwinflash.exe
1788	atiwinflash.exe
1704	amdvbflashWin.exe

JavaScript code in executable 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash-1.bin	js
\Program Files (x86)\My Program\amdvbflashWin.exe	js
C:\Program Files (x86)\My Program\amdvbflashWin.exe	js

Drops file in System32 directory 2 IoCs

Processes:

atiwinflash.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\zatiwinflash.exe	atiwinflash.exe
File created	C:\Windows\SysWOW64\is-OUC92.tmp	atiwinflash.exe

Drops file in Program Files directory 31 IoCs

Processes:

atiwinflash.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\My Program\amdvbflashWin.exe	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-JV03C.tmp	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashchs.dll	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-D5LFF.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-LUTP1.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-PV7DA.tmp	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashcht.dll	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashdef.dll	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashesp.dll	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-8JPRK.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-MFGRL.tmp	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashenu.dll	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashjpn.dll	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-RLJRS.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-N1C3H.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-EGCJM.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-KDJGJ.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-FVOBS.tmp	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashfra.dll	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashptb.dll	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashsve.dll	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-77SU8.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-J4PMB.tmp	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ULPSCtrl.dll	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashita.dll	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashkor.dll	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-KMPQH.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-PL0AU.tmp	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-3UIJC.tmp	atiwinflash.exe
File opened for modification	C:\Program Files (x86)\My Program\ATIWinflashdeu.dll	atiwinflash.exe
File created	C:\Program Files (x86)\My Program\is-BSMBG.tmp	atiwinflash.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

atiwinflash.exezatiwinflash.exenotepad.exe

pid	process
1788	atiwinflash.exe
1788	atiwinflash.exe
1780	zatiwinflash.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

464
464
464
464

pid	process
464
464
464
464

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

notepad.exe

pid	process
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe
872	notepad.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

atiwinflash.exe

pid process

1788 atiwinflash.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

amdvbflashWin.exezatiwinflash.exe

pid process

1704 amdvbflashWin.exe
1780 zatiwinflash.exe

pid	process
1704	amdvbflashWin.exe
1780	zatiwinflash.exe

Suspicious use of WriteProcessMemory 486 IoCs

Processes:

atiflash_293.exeatiwinflash.exeatiwinflash.exezatiwinflash.exenotepad.exe

description	pid	process	target process
PID 596 wrote to memory of 1164	596	atiflash_293.exe	atiwinflash.exe
PID 596 wrote to memory of 1164	596	atiflash_293.exe	atiwinflash.exe
PID 596 wrote to memory of 1164	596	atiflash_293.exe	atiwinflash.exe
PID 596 wrote to memory of 1164	596	atiflash_293.exe	atiwinflash.exe
PID 596 wrote to memory of 1164	596	atiflash_293.exe	atiwinflash.exe
PID 596 wrote to memory of 1164	596	atiflash_293.exe	atiwinflash.exe
PID 596 wrote to memory of 1164	596	atiflash_293.exe	atiwinflash.exe
PID 1164 wrote to memory of 1788	1164	atiwinflash.exe	atiwinflash.exe
PID 1164 wrote to memory of 1788	1164	atiwinflash.exe	atiwinflash.exe
PID 1164 wrote to memory of 1788	1164	atiwinflash.exe	atiwinflash.exe
PID 1164 wrote to memory of 1788	1164	atiwinflash.exe	atiwinflash.exe
PID 1164 wrote to memory of 1788	1164	atiwinflash.exe	atiwinflash.exe
PID 1164 wrote to memory of 1788	1164	atiwinflash.exe	atiwinflash.exe
PID 1164 wrote to memory of 1788	1164	atiwinflash.exe	atiwinflash.exe
PID 1788 wrote to memory of 1704	1788	atiwinflash.exe	amdvbflashWin.exe
PID 1788 wrote to memory of 1704	1788	atiwinflash.exe	amdvbflashWin.exe
PID 1788 wrote to memory of 1704	1788	atiwinflash.exe	amdvbflashWin.exe
PID 1788 wrote to memory of 1704	1788	atiwinflash.exe	amdvbflashWin.exe
PID 1788 wrote to memory of 1780	1788	atiwinflash.exe	zatiwinflash.exe
PID 1788 wrote to memory of 1780	1788	atiwinflash.exe	zatiwinflash.exe
PID 1788 wrote to memory of 1780	1788	atiwinflash.exe	zatiwinflash.exe
PID 1788 wrote to memory of 1780	1788	atiwinflash.exe	zatiwinflash.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 1780 wrote to memory of 872	1780	zatiwinflash.exe	notepad.exe
PID 872 wrote to memory of 876	872	notepad.exe	cmd.exe
PID 872 wrote to memory of 876	872	notepad.exe	cmd.exe
PID 872 wrote to memory of 876	872	notepad.exe	cmd.exe
PID 872 wrote to memory of 876	872	notepad.exe	cmd.exe
PID 872 wrote to memory of 876	872	notepad.exe	cmd.exe
PID 872 wrote to memory of 876	872	notepad.exe	cmd.exe
PID 872 wrote to memory of 876	872	notepad.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\atiflash_293.exe
"C:\Users\Admin\AppData\Local\Temp\atiflash_293.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:596

C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\zatiwinflash.exe
"C:\Windows\SysWOW64\zatiwinflash.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
6⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
6⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
6⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
6⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
6⤵
PID:1804

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1376

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1160

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1044

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1504

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:608

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1844

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1860

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:2008

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1172

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:304

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:668

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:980

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:2040

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:708

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:288

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:316

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1060

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1584

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1316

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:908

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1680

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1600

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1608

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1720

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1924

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:2020

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1988

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1980

C:\Program Files (x86)\My Program\amdvbflashWin.exe
"C:\Program Files (x86)\My Program\amdvbflashWin.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\My Program\ATIWinflashenu.dll
MD5
9ad4a476b03ad2f9034ac1b30f006a4f

SHA1
cc96accc636eb105dd4d6ed459780a3065b36734

SHA256
9b5f694c4381ac3c4c2dd1f5a7241a4318f9d2a57ef60db1fbf36fd50b7242cc

SHA512
688b61633ae7cb56b1a8aa3c200628004020161ea643bbd9661de2f34dbfe1a5ee4a8997417e5448260b41f051a7bb71f68db1cf975e4ac56915edcef8b81658

Download Submit
C:\Program Files (x86)\My Program\amdvbflashWin.exe
MD5
0c9bbd178196c451beb69302294c9330

SHA1
28c12558a93fdb6a5da086ec72b9e049f545982d

SHA256
d7e0e886486181692ee2ee0930dd5974456c1c7470e89ebc392ffe040574a328

SHA512
ba3ce393c5a1d4e8aa60ee8debd3edb1016317c707cc54f083fc41125957f4971e720de784ea961f2375eccd976c46fc9ecdc97209a5b0c4e016e6d658bbfd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash-0.bin
MD5
ba3704cb4c2a4d5dc08598c5720a0b37

SHA1
e8ec82e06f3fb58474f898847bc7ecfe3717cea0

SHA256
23406c0629d480ab4db3909dc103e577d9e5080c5e8be059b4c5d211adce6625

SHA512
f1b6066695573b032076a1cc05a5da4a7d67fa27bc6d1b1e113bd927c1c1eb279021dff50e99b69a484d31b963a8bad22de605498e8b310bc967f0725f0dc7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash-1.bin
MD5
c850123aa3753e8e5665f329e9b83e41

SHA1
26419b90b539f2da529e40ed6b88e00f981b1618

SHA256
1cdc3094d875a040b16ead487e9c335095791d8f9b8463733c1181c3e3809be0

SHA512
9dca6a581b00ae080ce919506785b2a1afff3c1404507ff393cf33be1b58fc5392411233d8de20ecc399143cce6ddefc2514e24416a5a710fa93d2b9a0846cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
MD5
93adde4b19317826f3a8991013fe235e

SHA1
fc83922dfe41a6d0990448d33ad2f1421303dbf2

SHA256
20119b217ab1c6eea456b166fd40c9b5942684b58999c59b67d689441cdcf9e6

SHA512
8a38f85c7939a716ea1bd557d86417de1706dad77212e8dd99d5b7fad1a77b3849e1aa497f9904b71e44203aa1c23287e43dbbfc7a64570b8ae5b26dd25174cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
MD5
93adde4b19317826f3a8991013fe235e

SHA1
fc83922dfe41a6d0990448d33ad2f1421303dbf2

SHA256
20119b217ab1c6eea456b166fd40c9b5942684b58999c59b67d689441cdcf9e6

SHA512
8a38f85c7939a716ea1bd557d86417de1706dad77212e8dd99d5b7fad1a77b3849e1aa497f9904b71e44203aa1c23287e43dbbfc7a64570b8ae5b26dd25174cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
MD5
93adde4b19317826f3a8991013fe235e

SHA1
fc83922dfe41a6d0990448d33ad2f1421303dbf2

SHA256
20119b217ab1c6eea456b166fd40c9b5942684b58999c59b67d689441cdcf9e6

SHA512
8a38f85c7939a716ea1bd557d86417de1706dad77212e8dd99d5b7fad1a77b3849e1aa497f9904b71e44203aa1c23287e43dbbfc7a64570b8ae5b26dd25174cb

Download Submit
C:\Windows\SysWOW64\zatiwinflash.exe
MD5
b482a15e02f50b37e00a2c4fccaac7f9

SHA1
b9874893328b43970e09c9d42319d0c3f044f448

SHA256
58c24970b7e3fd8a86585547df9a939b5cf6d5326b798400c804d9f55ddb3b10

SHA512
2f7aa997016b6013a41e9d658265fd988ef0e36228bd773414788cafd61d531a30fc060434b5689dd23bd62d00a44642f76434c314dc9b1f6cdf980cc6904512

Download Submit
\Program Files (x86)\My Program\ATIWinflashenu.dll
MD5
9ad4a476b03ad2f9034ac1b30f006a4f

SHA1
cc96accc636eb105dd4d6ed459780a3065b36734

SHA256
9b5f694c4381ac3c4c2dd1f5a7241a4318f9d2a57ef60db1fbf36fd50b7242cc

SHA512
688b61633ae7cb56b1a8aa3c200628004020161ea643bbd9661de2f34dbfe1a5ee4a8997417e5448260b41f051a7bb71f68db1cf975e4ac56915edcef8b81658

Download Submit
\Program Files (x86)\My Program\amdvbflashWin.exe
MD5
0c9bbd178196c451beb69302294c9330

SHA1
28c12558a93fdb6a5da086ec72b9e049f545982d

SHA256
d7e0e886486181692ee2ee0930dd5974456c1c7470e89ebc392ffe040574a328

SHA512
ba3ce393c5a1d4e8aa60ee8debd3edb1016317c707cc54f083fc41125957f4971e720de784ea961f2375eccd976c46fc9ecdc97209a5b0c4e016e6d658bbfd07

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
MD5
93adde4b19317826f3a8991013fe235e

SHA1
fc83922dfe41a6d0990448d33ad2f1421303dbf2

SHA256
20119b217ab1c6eea456b166fd40c9b5942684b58999c59b67d689441cdcf9e6

SHA512
8a38f85c7939a716ea1bd557d86417de1706dad77212e8dd99d5b7fad1a77b3849e1aa497f9904b71e44203aa1c23287e43dbbfc7a64570b8ae5b26dd25174cb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
MD5
93adde4b19317826f3a8991013fe235e

SHA1
fc83922dfe41a6d0990448d33ad2f1421303dbf2

SHA256
20119b217ab1c6eea456b166fd40c9b5942684b58999c59b67d689441cdcf9e6

SHA512
8a38f85c7939a716ea1bd557d86417de1706dad77212e8dd99d5b7fad1a77b3849e1aa497f9904b71e44203aa1c23287e43dbbfc7a64570b8ae5b26dd25174cb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
MD5
93adde4b19317826f3a8991013fe235e

SHA1
fc83922dfe41a6d0990448d33ad2f1421303dbf2

SHA256
20119b217ab1c6eea456b166fd40c9b5942684b58999c59b67d689441cdcf9e6

SHA512
8a38f85c7939a716ea1bd557d86417de1706dad77212e8dd99d5b7fad1a77b3849e1aa497f9904b71e44203aa1c23287e43dbbfc7a64570b8ae5b26dd25174cb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
MD5
93adde4b19317826f3a8991013fe235e

SHA1
fc83922dfe41a6d0990448d33ad2f1421303dbf2

SHA256
20119b217ab1c6eea456b166fd40c9b5942684b58999c59b67d689441cdcf9e6

SHA512
8a38f85c7939a716ea1bd557d86417de1706dad77212e8dd99d5b7fad1a77b3849e1aa497f9904b71e44203aa1c23287e43dbbfc7a64570b8ae5b26dd25174cb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\atiwinflash.exe
MD5
93adde4b19317826f3a8991013fe235e

SHA1
fc83922dfe41a6d0990448d33ad2f1421303dbf2

SHA256
20119b217ab1c6eea456b166fd40c9b5942684b58999c59b67d689441cdcf9e6

SHA512
8a38f85c7939a716ea1bd557d86417de1706dad77212e8dd99d5b7fad1a77b3849e1aa497f9904b71e44203aa1c23287e43dbbfc7a64570b8ae5b26dd25174cb

Download Submit
\Windows\SysWOW64\zatiwinflash.exe
MD5
b482a15e02f50b37e00a2c4fccaac7f9

SHA1
b9874893328b43970e09c9d42319d0c3f044f448

SHA256
58c24970b7e3fd8a86585547df9a939b5cf6d5326b798400c804d9f55ddb3b10

SHA512
2f7aa997016b6013a41e9d658265fd988ef0e36228bd773414788cafd61d531a30fc060434b5689dd23bd62d00a44642f76434c314dc9b1f6cdf980cc6904512

Download Submit
memory/872-22-0x0000000000000000-mapping.dmp

Download
memory/1164-6-0x0000000000000000-mapping.dmp

Download
memory/1704-15-0x0000000000000000-mapping.dmp

Download
memory/1780-18-0x0000000000000000-mapping.dmp

Download
memory/1788-11-0x0000000000000000-mapping.dmp

Download