Analysis Overview
SHA256
d4a4a3611e20cd501dced85d177cfa657fa8a8a7d99d9f230fafe817c9ecb8f5
Threat Level: Known bad
The file 18759016437.zip was found to be: Known bad.
Malicious Activity Summary
Healer
Amadey
RedLine
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine payload
Windows security modification
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Launches sc.exe
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-27 20:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-27 20:38
Reported
2024-08-27 20:41
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Temp\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe | N/A |
Executes dropped EXE
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Windows\Temp\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f40958537.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe
"C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5600 -ip 5600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5600 -s 1052
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:R" /E
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5944 -ip 5944
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 1384
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f40958537.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f40958537.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | 193.3.19.154 | tcp |
| US | 8.8.8.8:53 | 154.19.3.193.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe
| MD5 | e0de19249bf1a5d8b9a3112a4c97e57c |
| SHA1 | dffbd97a74e5fbc40d184720a41d8c98cfb7131f |
| SHA256 | c711f10a893e9a902a5402ffab7a5722f265b2e7b286a08a831b9252acb23aa9 |
| SHA512 | 5d1cc9b5622b61dccfc30d988a2fca343dc5fc612b553f606a01eebaeb1beca9c75c55e3c4961efd07e07140f967b5dbfb36113431099ffbb322d11fb278a345 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe
| MD5 | 0dbaf7b091e41117a7f23a43aa8b0e81 |
| SHA1 | 124f562afe0fe4c5c90badd3f27fe3f63309b717 |
| SHA256 | 1cdceebcc4b9c79486bbd8053b7da3697cf8289e319bbfc6cd8cdf5aa42c1aa0 |
| SHA512 | 8e1833afe3ec918b20ae9dbf1d487641c35d1e7e36d5802d8b73779adcdaf582218319df2c3c2daec03590a67c5be7e24c313db5990dde635f65efbc248c19fa |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe
| MD5 | 681d32894db1770a3679b0e676bdad26 |
| SHA1 | b026c3df247211b914ea56002ee1b573fb5df1e8 |
| SHA256 | 5a3be1ee8101bd7dbaf89270c7f66190dc9d459fbbe1fc8aec3e984a53b200cd |
| SHA512 | 137854d32b4059529e5d134b4e52471bfb70263b35293df2b59271479c7340eef03a1b3c59bd5637ac697ec1221b4a13b8799d585d5953fe8b53a2caedf9e8f3 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe
| MD5 | 9ae61136f20115dbe57ab19a208b55fe |
| SHA1 | f3430de516b0c45e710e3971279b53c0f901efb1 |
| SHA256 | b8be9b29e4bf1da7b8ef470a3a6fae220c602afbf8b820fd70cada51025384f4 |
| SHA512 | 3865aeef3702f24f522e1bdad63ce76f5984cbb3911f81406b586b3092d9944f85bb0af587465592dffbd6be41fc5d1c5e23f6592965af40e5982fdde5d19df0 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe
| MD5 | 34ea3b87b3abdd85d0610aab58b08a37 |
| SHA1 | 54e22c80334f33d8175a7b9fdb6d34fd7bb2f2aa |
| SHA256 | a933a805aeea5efd041dcf863af2632d74108226ebf468a40cea1e91da577e43 |
| SHA512 | ee3bd407fd68031381ea1a5a0a394d384b604c5b560059c3f40af21d1c436bd96b1641ccb2851be67ce40260b1997dde5b8f089f3ce8e3c5a7a4e0c644f406e1 |
C:\Windows\Temp\1.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1080-2179-0x0000000000030000-0x000000000003A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe
| MD5 | 60f1d50806569dd01ad04b43f168a917 |
| SHA1 | 9b2439d93f6f3164272f70fb6160f6a0dbbad874 |
| SHA256 | db0965e4a69ce9c51c310a644dc0c6090b1475285304d7ab8a1870df1b9e4499 |
| SHA512 | 02ddef7487c5131b1b9b4650dd4b8e332c8d38c8111ff2c429b07fac948be51edd9dceb32cfb5d2f2f4c6d260dcf3ab515619b3f1ac493c7bd220dfa4db64390 |
memory/5600-2184-0x00000000023A0000-0x00000000023BA000-memory.dmp
memory/5600-2185-0x0000000005380000-0x0000000005398000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe
| MD5 | 588abfa30a62ac336d0f50c9ce50b1e2 |
| SHA1 | 6525be76ccaac0a9ee90df86dd0cf339452bcdad |
| SHA256 | dcf05badf70737b3434d728cd3533377ee90fbcb7a74236da033b13742412942 |
| SHA512 | 51d5d4df343272448a04521ca354a6eaf071f16b13d72bc501892635385eabe78c121d985454bc7655027a761f6df8a10a09f9208d12344b031588207e8878ac |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe
| MD5 | f0f86c12d403b43daf01e473e24e2846 |
| SHA1 | 202fd664bfcd626a6fa78b5c79fd558181de9eef |
| SHA256 | 89fc8d02b9312606f03c217aaa5d9f88a39db2402a124dcd811fabe5e146490e |
| SHA512 | e3ef9d2984b860ef5ef62994401000a202cffe591cf6977f0500324f6a671f1f8f04eed49dea07fb5bf915677a88b999a1eeb7d908ee37fe60a09dc7ab5fddec |
C:\Windows\Temp\1.exe
| MD5 | f16fb63d4e551d3808e8f01f2671b57e |
| SHA1 | 781153ad6235a1152da112de1fb39a6f2d063575 |
| SHA256 | 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581 |
| SHA512 | fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f40958537.exe
| MD5 | 25b2a7ebfea8477623ccad041e45538f |
| SHA1 | 215dba9d2af1fe6b1b4dd41575793a3406c5dab2 |
| SHA256 | 251f204427ec48ffcb3f1c8a20dbc68e0f526441a56510fe8d8c56a24ea524b3 |
| SHA512 | 673305d908aa090cad0801ca0ca4dab94145552ee0c81f94f8fb0d90438c156b64864de55bc28117add8bb58f0a4355b98d98518cce00e14d46778627bde5a7d |
memory/6952-4408-0x0000000000610000-0x0000000000640000-memory.dmp
memory/6952-4409-0x00000000027C0000-0x00000000027C6000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 0fb684cc15d197c0b937e5528359d7c8 |
| SHA1 | 7d963246f52f42012bdcddb31214283c84c954ed |
| SHA256 | e767d70fc57483aae7a20cb094a9bfc1fd4f04e97fb772cd6892d057e5be4260 |
| SHA512 | c40335f72f802479dc0926704d87670a782362fedae5bb50179d427fc343c6a33cfe09f4640acb15624d1511d3d66f76d87f663f9ad430fc2ddb00c54056103c |