Analysis Overview
SHA256
af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600
Threat Level: Known bad
The file af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600 was found to be: Known bad.
Malicious Activity Summary
Amadey family
Amadey
Healer family
Detects Healer an antivirus disabler dropper
Redline family
RedLine payload
RedLine
Healer
Modifies Windows Defender Real-time Protection settings
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:44
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:44
Reported
2024-11-10 01:47
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Amadey
Amadey family
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe | N/A |
RedLine
RedLine payload
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft521733.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft521733.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600.exe
"C:\Users\Admin\AppData\Local\Temp\af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:R" /E
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2312 -ip 2312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 240
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft521733.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft521733.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft521733.exe