Analysis Overview
SHA256
ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b
Threat Level: Known bad
The file ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b was found to be: Known bad.
Malicious Activity Summary
Amadey family
Healer
Detects Healer an antivirus disabler dropper
Healer family
Modifies Windows Defender Real-time Protection settings
RedLine payload
Redline family
RedLine
Amadey
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 13:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 13:55
Reported
2024-11-04 13:58
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
147s
Command Line
Signatures
Amadey
Amadey family
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462992892.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462992892.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462992892.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b.exe
"C:\Users\Admin\AppData\Local\Temp\ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3060 -ip 3060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1076
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462992892.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462992892.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.72:38452 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 185.161.248.72:38452 | | tcp |
| RU | 185.161.248.72:38452 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.72:38452 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| RU | 185.161.248.72:38452 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.72:38452 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe
| MD5 | 088f6cf506e30c4e829edb01e1f5c271 |
| SHA1 | e6cb9f5d6c5cf8f384f2e2d0260d48e62a7f5e9a |
| SHA256 | d510cbaf52d57c0f75ed7c985c8d6658f7456e0565eca95c2367150b1ad68965 |
| SHA512 | d6e6ddd21ea5ec0704c35f573d96f72a6c159fb02da973209d619d3af469dec6a8a281c03ce3884bb696a5010819fcbb26f0117e5d2ac356bc8eb0324c16632d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe
| MD5 | 3b7e8eab730bb1668bce9328c76371ff |
| SHA1 | ae94e2becbcdb234b9de33414b075a42ad521f09 |
| SHA256 | a690958a21d72573e16fdb480230ac1fe76399f936cd93ff448e6f0c573fdf9e |
| SHA512 | ce60a3f807ef46d7263fc67dc68e44a0bcaa529a81b41cc7bec649c6626cfe0ac967072e91fc014d52a59d9e7051021aac88e300eece18cb183d54f9add613b2 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe
| MD5 | a69cab46db2c824b9deda2ca8c10f406 |
| SHA1 | 53e96ba05ae3e06ce48b50b43e82158e39791a1b |
| SHA256 | 336a974dfee704c6a113c64dfdec6753c239f922ab0b20785828a08d6c6a9e94 |
| SHA512 | b66f63526442bb28389fd402c26116fec06e9b583c9b727f4b38cc3c5d765e621669d26a4e086348479d60f4733eeed7978174bbf3dc3601c649330d4419764e |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe
| MD5 | 1f0cedd8c4489414b2f3baa31b3e7abb |
| SHA1 | 383794249e96c296f663ff35ae789f8ad20b99a2 |
| SHA256 | d3eac9dd6063dd1ae3a9e84eb9d52e8869252e15fe7ac0a2c10a8f1b3ddfdcc5 |
| SHA512 | 6642ee42dd65f966aa36ee5f10c3ddac7059d37bb75c94d7bff68a7976b9bff0cff7920ce969ca81d27b4167b0480cbb67320e99c89d21e6ca43d431a2c1c2df |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe
| MD5 | b06bb09f979a9e5be74040f617c45160 |
| SHA1 | b28380d838c5f910f9ee2228b2d6d1e1fe0358a0 |
| SHA256 | 77e1f5dff641b43b3b0a7413f3e0fc4b536772e52882eed84aafdb1ba1abed92 |
| SHA512 | c3c431b8f69cee94ce88fe27dc615384bc2ea264aeb37c9786262a87f56a58944269183f34038da6cf674375e48a5f93e3acc74b14404230d6d2034a134d220c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe
| MD5 | 97193b2c3343334e0db48bb1fadf822d |
| SHA1 | 7bca3c872c39434e98dd67e086f6b1daedcba14e |
| SHA256 | 8712c7dd83f526dce4498822db04fd09515044956c2c3810d416ab91eb4cd4a4 |
| SHA512 | 3ce6b2c8820b2c2a6039a49fae675c2a9ca4684dfe339a2fc1aa7ab7d55d49303afcc88d60ef33a3ff56e0b1a3d2875d8f41987299f42d8e25ac94c34a31cc0b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462992892.exe
| MD5 | c50b844a387bae098dcb8a5fd65f05f2 |
| SHA1 | 9e631380ed129979b5a4f49d5c3b77ca3864023a |
| SHA256 | 595022bdba0e388d82d666ad6bc80a236496b710bf6e7c61d7b2ed70cd24db02 |
| SHA512 | 6095f85b463aab6c3add064f614d1569932a922c59680c06008ab8202657263b6a820c18dbf12da9428a9eb3f5afd21162cae4c6e85cb8134137e4904d6a3e1c |