Analysis Overview
SHA256
ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee
Threat Level: Known bad
The file ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee was found to be: Known bad.
Malicious Activity Summary
Amadey family
Healer
RedLine payload
RedLine
Amadey
Redline family
Detects Healer, an antivirus disabler dropper
Healer family
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Checks computer location settings
Adds Run key to start application
Program crash
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 03:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 03:55
Reported
2024-11-09 03:57
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Amadey
Amadey family
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475052364.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe | N/A |
Adds Run key to start application
The four RunOnce values below are the standard WEXTRACT/IExpress self-extractor cleanup entries: each extractor registers rundll32.exe advpack.dll,DelNodeRunDLL32 to delete its IXP00N.TMP staging directory at the next logon. They document a four-level nested self-extractor chain, not persistence of the payload; the payload's persistence is the oneetx.exe scheduled task listed under Processes.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe | N/A |
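Added example, not part of the sandbox report or its vendor's tooling: a Python triage script that reads rows in the layout of the registry tables above and (a) flags the Healer writes that switch off Defender real-time protection through the policy key and set TamperProtection = 0, and (b) reconstructs the nested self-extractor chain from the wextract_cleanupN RunOnce values, which are the standard WEXTRACT/IExpress cleanup entries for the IXP00N.TMP staging directories. The sample rows are copied from the tables above; the function names and the matching rules are the example's own. Caveat for anyone reproducing this on a real host: Defender's tamper protection is designed to block registry-based changes to these real-time protection settings by third-party processes, and writing TamperProtection = 0 under Features does not switch tamper protection off, so the writes are evidence of intent rather than proof that protection was disabled during the detonation.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: registry rows copied from the report tables above,
# in the report's "| Description | Indicator | Process | Target |" layout.
SAMPLE_ROWS = r"""
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
"""

# "<key> = "<data>"" as the sandbox prints Set value indicators; data may contain quotes.
_SET_VALUE = re.compile(r'^(?P<key>.*?) = "(?P<value>.*)"$')
_IXP_DIR = re.compile(r"IXP(\d{3})\.TMP", re.IGNORECASE)


def parse_rows(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn table rows into dicts; Set value indicators are split into key and data."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|") or line.startswith("| Description"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            continue
        desc, indicator, process, target = cells
        m = _SET_VALUE.match(indicator)
        key, value = (m.group("key"), m.group("value")) if m else (indicator, None)
        rows.append({"desc": desc, "key": key, "value": value,
                     "process": process, "target": target})
    return rows


def defender_tampering(rows) -> List[Tuple[str, str, str]]:
    """Return (process, value name, data) for writes that disable real-time
    protection via the Defender policy key (Disable* = 1) or set the
    TamperProtection value under Features to 0."""
    hits = []
    for r in rows:
        if r["value"] is None:
            continue
        parent, _, name = r["key"].rpartition("\\")
        parent_l, name_l = parent.lower(), name.lower()
        if ("\\policies\\microsoft\\windows defender\\" in parent_l
                and name_l.startswith("disable") and r["value"] == "1"):
            hits.append((r["process"], name, r["value"]))
        elif (parent_l.endswith("\\microsoft\\windows defender\\features")
                and name_l == "tamperprotection" and r["value"] == "0"):
            hits.append((r["process"], name, r["value"]))
    return hits


def sfx_chain(rows) -> List[Dict[str, object]]:
    """Rebuild the nested WEXTRACT chain: the process that registers a
    wextract_cleanupN value (advpack DelNodeRunDLL32 of IXP00N.TMP) is the
    extractor that created that staging directory, and the IXP directory in its
    own path is the level it was itself unpacked from (None = submitted file)."""
    levels = {}
    for r in rows:
        name = r["key"].rpartition("\\")[2].lower()
        if not name.startswith("wextract_cleanup") or not r["value"]:
            continue
        if "delnoderundll32" not in r["value"].lower():
            continue
        created = _IXP_DIR.search(r["value"])
        if not created:
            continue
        parent = _IXP_DIR.search(r["process"])
        levels[int(created.group(1))] = {
            "level": int(created.group(1)),
            "staging_dir": "IXP%s.TMP" % created.group(1),
            "extractor": r["process"],
            "unpacked_from": int(parent.group(1)) if parent else None,
        }
    return [levels[i] for i in sorted(levels)]


def chain_is_consistent(chain) -> bool:
    """Each level N extractor must live in IXP00(N-1).TMP, or be the top-level file."""
    expected = None
    for link in chain:
        if link["unpacked_from"] != expected:
            return False
        expected = link["level"]
    return True


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for proc, name, data in defender_tampering(rows):
        print("Defender tampering: %s = %s by %s" % (name, data, proc))
    chain = sfx_chain(rows)
    for link in chain:
        print("SFX level %(level)d: %(extractor)s created %(staging_dir)s "
              "(unpacked from level %(unpacked_from)s)" % link)
    print("chain consistent:", chain_is_consistent(chain))
```

Run against the rows above it reports three Defender-tampering writes (two Disable* policy values and TamperProtection = 0) and a consistent four-level chain from the submitted file down to BE113926.exe creating IXP003.TMP, where the two Healer components live.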
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475052364.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475052364.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee.exe
"C:\Users\Admin\AppData\Local\Temp\ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3056 -ip 3056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1088
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475052364.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475052364.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
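Added example, not the sandbox vendor's code: Python over the command lines listed above, embedded here as constructed sample input, that pulls out the two self-protection steps performed around the dropped copy at cb7ae701b3\oneetx.exe. The first is a schtasks task that relaunches the copy every minute from a user-writable Temp path; the second is the CACLS sequence that replaces the ACL on the file and its directory with Admin:N (no access for the interactive user, with echo Y answering the confirmation prompt) and then adds read access back with /E, which stops the user from deleting or overwriting the binary until the ACL is repaired. The regexes and function names are the example's own assumptions about the syntax shown here, not a general parser for every schtasks or cacls form.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: command lines copied from the Processes list above.
SAMPLE_COMMANDS = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit',
    r'CACLS "oneetx.exe" /P "Admin:N"',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1088',
]

# Directories any standard user can write to; a task whose action lives there is
# user-level persistence rather than an installed product.
_USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.IGNORECASE)
_SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.IGNORECASE)
# CACLS <path> /P <user>:<right> [/E]; without /E the whole ACL is replaced, which
# is why the sample pipes "echo Y" into the confirmation prompt.
_CACLS = re.compile(
    r'cacls(?:\.exe)?"?\s+"([^"]+)"\s+/P\s+"([^":]+):([A-Z])"(\s+/E)?', re.IGNORECASE)


def _opt(cmd: str, name: str) -> Optional[str]:
    """Value of a /NAME option, quoted or bare."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % name, cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def analyze(cmd: str) -> List[Dict[str, object]]:
    """Findings for one command line: scheduled-task creation and CACLS ACL changes."""
    findings: List[Dict[str, object]] = []
    if _SCHTASKS_CREATE.search(cmd):
        action = _opt(cmd, "TR") or ""
        findings.append({
            "kind": "scheduled_task",
            "task": _opt(cmd, "TN"),
            "action": action,
            "schedule": "%s/%s" % (_opt(cmd, "SC"), _opt(cmd, "MO")),
            "force": bool(re.search(r"\s/F\b", cmd, re.IGNORECASE)),
            "user_writable_action": bool(_USER_WRITABLE.search(action)),
        })
    for m in _CACLS.finditer(cmd):
        path, user, right, edit = m.groups()
        findings.append({
            "kind": "acl_change", "path": path, "user": user,
            "right": right.upper(), "mode": "edit" if edit else "replace",
        })
    return findings


def triage_commands(commands) -> Tuple[List[Dict[str, object]], List[Dict[str, object]]]:
    """Split findings into user-writable persistence tasks and self-deny ACLs
    (right N = no access for the named user on the malware's own file/directory)."""
    persistence, self_deny = [], []
    for cmd in commands:
        for f in analyze(cmd):
            if f["kind"] == "scheduled_task" and f["user_writable_action"]:
                persistence.append(f)
            elif f["kind"] == "acl_change" and f["right"] == "N":
                self_deny.append(f)
    return persistence, self_deny


if __name__ == "__main__":
    persistence, self_deny = triage_commands(SAMPLE_COMMANDS)
    for f in persistence:
        print("PERSISTENCE task %(task)s every %(schedule)s -> %(action)s" % f)
    for f in self_deny:
        print("SELF-DENY %(user)s:%(right)s on %(path)s (%(mode)s ACL)" % f)
```

Note that the composite cmd.exe line yields four ACL findings on its own (two replace-with-N, two edit-add-R), and the separately listed cacls.exe children are the same operations seen as their own processes; deduplicate on (path, user, right) if you feed both into a case.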
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
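Added example, not the sandbox vendor's code: a Python parser for the Network table above that tolerates rows whose empty Domain cell was dropped or shifted during extraction, decodes the in-addr.arpa reverse lookups back to the IPv4 addresses being queried, and counts the direct (non-DNS) endpoints. For this detonation those are the two RU hosts, on port 80 and on port 38452, which makes them the candidate C2 addresses to pivot on; the page does not say which family uses which. The rows are embedded as constructed sample input copied from the table as extracted; nothing is resolved or contacted.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the Network table above as extracted, including the
# rows where an empty Domain cell left the protocol in the wrong column.
SAMPLE_NETWORK = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | tcp | |
| RU | 185.161.248.143:38452 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | tcp | |
| RU | 185.161.248.143:38452 | tcp | |
| RU | 193.3.19.154:80 | tcp | |
| RU | 185.161.248.143:38452 | tcp | |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | tcp | |
| RU | 185.161.248.143:38452 | tcp | |
| RU | 193.3.19.154:80 | tcp | |
| RU | 185.161.248.143:38452 | tcp |
"""

_PTR = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$",
                  re.IGNORECASE)


def ptr_to_ipv4(name: str) -> Optional[str]:
    """Reverse a PTR query name (d.c.b.a.in-addr.arpa) back to the address a.b.c.d."""
    m = _PTR.match(name.strip())
    if not m:
        return None
    octets = m.groups()[::-1]
    if any(int(o) > 255 for o in octets):
        return None
    return ".".join(octets)


def parse_network(text: str) -> List[Dict[str, str]]:
    """Parse '| Country | Destination | Domain | Proto |' rows, repairing rows
    that lost their empty Domain cell and ended up with the protocol shifted left."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0].lower() == "country":
            continue
        cells += [""] * (4 - len(cells))
        country, dest, domain, proto = cells[:4]
        if not proto and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain
        rows.append({"country": country, "dest": dest,
                     "domain": domain, "proto": proto.lower()})
    return rows


def triage_network(rows) -> Tuple[List[str], List[Tuple[Tuple[str, str], int]]]:
    """Separate DNS traffic (reverse lookups decoded to the IP being queried) from
    direct connections, and rank the direct endpoints by how often they appear."""
    looked_up: List[str] = []
    endpoints: Counter = Counter()
    for r in rows:
        if r["proto"] == "udp" and r["dest"].endswith(":53"):
            looked_up.append(ptr_to_ipv4(r["domain"]) or r["domain"])
        else:
            endpoints[(r["dest"], r["country"])] += 1
    return looked_up, endpoints.most_common()


if __name__ == "__main__":
    looked_up, endpoints = triage_network(parse_network(SAMPLE_NETWORK))
    print("reverse lookups for:", ", ".join(looked_up))
    for (dest, country), n in endpoints:
        print("direct endpoint %s (%s) x%d" % (dest, country, n))
```

The decoded reverse-lookup list is worth keeping next to the endpoint list: the PTR queries show which addresses the guest asked Google DNS about, while the counted TCP endpoints are the only hosts it actually connected to during the 150 s network window.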
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe
| MD5 | 2b00e235acbb373db3983401fbb14b7d |
| SHA1 | b5639bbfb2631461ec64e1ec8b449f49273c70b6 |
| SHA256 | 5eb43bb9b9620694be3ea8819454a98fd04e4ee5e9dd69eda6c36c3f659b2475 |
| SHA512 | 1a35b3843841f9e0092d4d5c76166f8ddd478b3fa39aa79dd44695675554846be4fd46a24d7686827f3425d0c952274b0b78f82054179f856baaaf6e5d0ec470 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe
| MD5 | d3067e5ceebb2770391ec066a9b771b1 |
| SHA1 | aa4047d6d0920db0fac7ddb0202ab9df2da54660 |
| SHA256 | d249eeb50b6a37e00ecb73a6579b4add315c89177de55008120b402d5e13f741 |
| SHA512 | 26551a60d6530859610f5c8d3a5b2be6e18e7333f00749f60f1b281743b29051e2d6e960ab1cab56c32f1e28d467364a536a31d236511d1751e7cf300fbac522 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe
| MD5 | 9d15b42ee28573d800aae84e1ff644a7 |
| SHA1 | ec6345b3d26b957c094029b5f14558315bc40c42 |
| SHA256 | ec38afdde1c30cf94a2105090201ff908143cd27851d571fa68b31e9782d3389 |
| SHA512 | 3ece2c397847d02385d3ad4eb96e0e13513e5b7cfbd99f13b77854218b3d4f82d6e88a724cd542ad4f8bc11aba45a1116ab598c7c0bc30e8342531121131c90b |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe
| MD5 | 2b71f4b18ac8214a2bff547b6ce2f64f |
| SHA1 | b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5 |
| SHA256 | f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc |
| SHA512 | 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177 |
memory/2216-28-0x00000000021D0000-0x00000000021EA000-memory.dmp
memory/2216-29-0x0000000004C20000-0x00000000051C4000-memory.dmp
memory/2216-30-0x00000000023C0000-0x00000000023D8000-memory.dmp
memory/2216-44-0x00000000023C0000-0x00000000023D3000-memory.dmp
memory/2216-58-0x00000000023C0000-0x00000000023D3000-memory.dmp
memory/2216-56-0x00000000023C0000-0x00000000023D3000-memory.dmp
memory/2216-54-0x00000000023C0000-0x00000000023D3000-memory.dmp
memory/2216-52-0x00000000023C0000-0x00000000023D3000-memory.dmp
memory/2216-50-0x00000000023C0000-0x00000000023D3000-memory.dmp
memory/2216-48-0x00000000023C0000-0x00000000023D3000-memory.dmp
memory/2216-46-0x00000000023C0000-0x00000000023D3000-memory.dmp
memory/2216-42-0x00000000023C0000-0x00000000023D3000-memory.dmp
memory/2216-40-0x00000000023C0000-0x00000000023D3000-memory.dmp
memory/2216-38-0x00000000023C0000-0x00000000023D3000-memory.dmp
memory/2216-34-0x00000000023C0000-0x00000000023D3000-memory.dmp
memory/2216-31-0x00000000023C0000-0x00000000023D3000-memory.dmp
memory/2216-36-0x00000000023C0000-0x00000000023D3000-memory.dmp
memory/2216-32-0x00000000023C0000-0x00000000023D3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe
| MD5 | 1afdceb2c35119d44aed2452d04c24fe |
| SHA1 | 87e9c8ad7c48dbc712b4b45619de3afa3949334e |
| SHA256 | 540ac0d593777ac27b9ef7e82b6d345315c17e31fac25dc08c91dece2edb5f41 |
| SHA512 | 9678694355f89ba318893a115aff4e28a3f93f34cc16e675258a7605b6b5dc38a50d3a9a76fa040746d8fc08f66b274ad69101799284631d95bae3c038fbf3d1 |
memory/3056-92-0x0000000000400000-0x0000000002B9B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe
| MD5 | 1304f384653e08ae497008ff13498608 |
| SHA1 | d9a76ed63d74d4217c5027757cb9a7a0d0093080 |
| SHA256 | 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa |
| SHA512 | 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1 |
memory/3056-94-0x0000000000400000-0x0000000002B9B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475052364.exe
| MD5 | fc899291613a1ad0747199dda6f2857a |
| SHA1 | 7d456bc8b31b0b92a8471dd5b9297bbba9446450 |
| SHA256 | 1ce52d5605bd9939fb425ccba8015149658d28d0772055df8fcc589b36f2c7e2 |
| SHA512 | aa586280c3fb9327620ab2d5b90dca6fc92c89a09dbf11c67fd49a6f4048594423b5a58816edee3bac327fc03eca446057d35ff74ccb5443eadfea786a45a0b9 |
memory/3256-112-0x0000000004BA0000-0x0000000004BDC000-memory.dmp
memory/3256-113-0x0000000007740000-0x000000000777A000-memory.dmp
memory/3256-114-0x0000000007740000-0x0000000007775000-memory.dmp
memory/3256-119-0x0000000007740000-0x0000000007775000-memory.dmp
memory/3256-117-0x0000000007740000-0x0000000007775000-memory.dmp
memory/3256-115-0x0000000007740000-0x0000000007775000-memory.dmp
memory/3256-906-0x0000000009C70000-0x000000000A288000-memory.dmp
memory/3256-907-0x000000000A330000-0x000000000A342000-memory.dmp
memory/3256-908-0x000000000A350000-0x000000000A45A000-memory.dmp
memory/3256-909-0x000000000A470000-0x000000000A4AC000-memory.dmp
memory/3256-910-0x00000000048C0000-0x000000000490C000-memory.dmp