Analysis Overview
SHA256
b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d
Threat Level: Known bad
The file b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d was found to be: Known bad.
Malicious Activity Summary
Amadey
RedLine payload
Redline family
Amadey family
RedLine
Detects Healer, an antivirus disabler dropper
Healer family
Modifies Windows Defender Real-time Protection settings
Healer
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 13:48
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 13:48
Reported
2024-11-04 13:51
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Amadey
Amadey family
Detects Healer, an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A |
RedLine
RedLine payload
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359077904.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS574987.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OZ107911.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GA344183.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359077904.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485336308.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS574987.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OZ107911.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GA344183.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485336308.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GA344183.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359077904.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OZ107911.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS574987.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485336308.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359077904.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d.exe | "C:\Users\Admin\AppData\Local\Temp\b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS574987.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS574987.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OZ107911.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OZ107911.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GA344183.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GA344183.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4208 -ip 4208 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359077904.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359077904.exe |
| C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485336308.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485336308.exe |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y\|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "oneetx.exe" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "oneetx.exe" /P "Admin:R" /E |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\cb7ae701b3" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\cb7ae701b3" /P "Admin:R" /E |
| C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe |
| C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 193.3.19.154:80 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 193.3.19.154:80 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS574987.exe
| MD5 | 09c179cea059eab4d91b80c5207a257a |
| SHA1 | 8ce86f987d3a68dfcd57a1d430ec01a8c31a3e20 |
| SHA256 | 8c3058938c26131ee587f0724a414ffbb2498d5ab11210d3727160829058e1c6 |
| SHA512 | 3e43f040155df8c5732694788e0bd022ebf548becb91a5e0dc261c29af93c389283d3b14ef2d09795561964eca28d49c788c80436a72664195e3d101644e605f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OZ107911.exe
| MD5 | 043fff5fefe171c1b3e2a8a0441a4b7f |
| SHA1 | 991586986f7770c2539466446ac55017cf684e7d |
| SHA256 | 2696f93b5e7e46102c9f7ddfdfbaaf8e2b91b2189fcd703411725b52058901a3 |
| SHA512 | dd2e1ea533cd4ec07f4406684c3a0d383cd1ac0f8faf75ad6f81fabcfddc282a6735404028551c511dd851ebed99de3d7f66485e9754185999ab9ce23d6c47b6 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GA344183.exe
| MD5 | a04ba8cd21358e0cb5da934090304a75 |
| SHA1 | 962365d46f05f78bd361873869c748371d97a402 |
| SHA256 | 54060daefaa01e15e372c53c3a8ce2be8185ed2d6ddc61843c1b0a3b432a0d2b |
| SHA512 | 51b1e779198d58aa3f854db0e70a0a9c0670ef4d31d39c6afd7a29e2cbb9e33a283603714d63e4d7268b944ef7268b09f9774c5ecebf40b55b30a4570594566d |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe
| MD5 | 3d10b67208452d7a91d7bd7066067676 |
| SHA1 | e6c3ab7b6da65c8cc7dd95351f118caf3a50248d |
| SHA256 | 5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302 |
| SHA512 | b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe
| MD5 | 5116f7b65c8a365e966139b4e95c5d90 |
| SHA1 | 2ebb80c964bf3efba22a4026a106aa0a967dc941 |
| SHA256 | 66313ff2245b2fc17ccbd80cb8d4c72081ac709dd517a41b90192cbb90abbeb7 |
| SHA512 | 1f4ad3a20f6dc6ed78b5c1b057a0689cd41cf396a9dfec4459872297db24633b7df6102e8c239ccaf3fea30028c619f8d2073f1d8ec1d1f0d69440f95b71144a |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359077904.exe
| MD5 | 1304f384653e08ae497008ff13498608 |
| SHA1 | d9a76ed63d74d4217c5027757cb9a7a0d0093080 |
| SHA256 | 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa |
| SHA512 | 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485336308.exe
| MD5 | 8a0eb7e8a70c2389f556496c617f6f52 |
| SHA1 | b654e9deb2ba40860b9b5f30cd26b8fa90b9cee6 |
| SHA256 | e3ad1522b0d886ee9ebc16ada6aa54644e87994c287180d8b20c82184a5dc47a |
| SHA512 | 8503b9c6d7c78c6a2bb027801cffe77b9047b496f5dab6908395b061e1c466985d0a55427cb3bb2ed543b98f1a8888abf343c674316200265c76684e041ae1bc |