Analysis Overview
SHA256
edb5934c4212adcd1ad077f9d90fc9ae79f8b94bc1866170af21037fd2d53330
Threat Level: Known bad
The file 0339fc09bdf988bb047ee2347f623d6b.bin was found to be: Known bad.
Malicious Activity Summary
Amadey family
Detects Healer, an antivirus disabler dropper
Amadey
Modifies Windows Defender Real-time Protection settings
Redline family
RedLine
RedLine payload
Healer family
Healer
Windows security modification
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Program crash
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:00
Reported
2024-11-10 01:02
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Amadey
Amadey family
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Temp\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Temp\1.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c33475999.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM534994.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK785166.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vz500697.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jH053548.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b79318081.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c33475999.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d62605527.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f64682884.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Windows\Temp\1.exe | N/A |
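The two tables above are the Healer component's Defender kill switch: five `Disable*` values written under the Real-Time Protection policy key plus an attempt to set `Features\TamperProtection` to 0. Whether those writes take effect depends on Tamper Protection on the target host (on a current build the direct `TamperProtection` write is itself blocked), so what a detection should key on is the write attempt, not the resulting state. As an added example, not part of the sandbox report, the detector below runs over registry-set events constructed from the report's indicators; the `op`/`path`/`data`/`process` field names are an assumption about the telemetry source (Sysmon event 12/13 style), and the `DisableAntiSpyware` event and the two non-matching controls are constructed extras.

```python
"""Detect Windows Defender tampering from registry-set telemetry.

Added example, not part of the sandbox report. SAMPLE_EVENTS is built from the
indicators in the report's Defender tables; field names are an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
_ONE = r"C:\Windows\Temp\1.exe"

SAMPLE_EVENTS = [  # constructed from the report; data keeps the report's quoting
    {"op": "SetValue", "path": _RTP + r"\DisableOnAccessProtection", "data": '"1"', "process": _ONE},
    {"op": "SetValue", "path": _RTP + r"\DisableRealtimeMonitoring", "data": '"1"', "process": _ONE},
    {"op": "SetValue", "path": _RTP + r"\DisableScanOnRealtimeEnable", "data": '"1"', "process": _ONE},
    {"op": "CreateKey", "path": _RTP, "process": _ONE},
    {"op": "SetValue", "path": _RTP + r"\DisableBehaviorMonitoring", "data": '"1"', "process": _ONE},
    {"op": "SetValue", "path": _RTP + r"\DisableIOAVProtection", "data": '"1"', "process": _ONE},
    {"op": "SetValue", "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "data": '"0"', "process": _ONE},
    # constructed extra: the classic whole-engine policy switch (not in the report)
    {"op": "SetValue", "path": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "data": '"1"', "process": r"C:\Users\Admin\AppData\Local\Temp\hypothetical.exe"},
    # constructed controls that must NOT fire: a geo lookup (read only) and a re-enable
    {"op": "QueryValue", "path": r"\REGISTRY\USER\S-1-5-21-1\Control Panel\International\Geo\Nation",
     "process": r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe"},
    {"op": "SetValue", "path": _RTP + r"\DisableRealtimeMonitoring", "data": '"0"', "process": "gpupdate.exe"},
]

DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
DEFENDER_FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"


@dataclass
class Finding:
    rule: str
    technique: str      # ATT&CK: T1562.001 Impair Defenses: Disable or Modify Tools
    process: str
    value_path: str
    data: str


def normalize(path: str) -> str:
    """Rewrite the object-manager form the sandbox logs into HKLM/HKU form and
    drop WOW6432Node so a 32-bit writer compares equal to a 64-bit one."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", lambda _m: "HKLM\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\", lambda _m: "HKU\\", p, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", lambda _m: "\\", p, flags=re.I)


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding when a SetValue event matches a known Defender kill switch."""
    if ev.get("op") != "SetValue":
        return None                          # key creation and value reads are noise here
    path = normalize(ev["path"])
    key, _, value = path.rpartition("\\")
    data = str(ev.get("data", "")).strip().strip('"')
    k, v = key.lower(), value.lower()
    if k == (DEFENDER_POLICY_KEY + r"\Real-Time Protection").lower() and v.startswith("disable") and data == "1":
        rule = "defender_rtp_disabled_via_policy"
    elif k == DEFENDER_POLICY_KEY.lower() and v in ("disableantispyware", "disableantivirus") and data == "1":
        rule = "defender_disabled_via_policy"
    elif k == DEFENDER_FEATURES_KEY.lower() and v == "tamperprotection" and data == "0":
        rule = "defender_tamper_protection_off"
    else:
        return None
    return Finding(rule, "T1562.001", ev.get("process", "?"), path, data)


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (check_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:34} {f.process}  {f.value_path} = {f.data}")
```

On a live host the state side can be confirmed with `Get-MpPreference` (the `Disable*` properties) and `Get-MpComputerStatus` (`IsTamperProtected`); the detector above deliberately ignores that state and fires on the write attempt, which is what survives when Tamper Protection silently refuses the change.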
Adds Run key to start application (the five RunOnce wextract_cleanupN entries below are the standard cleanup hooks of the nested WExtract/IExpress self-extracting archives, each deleting its IXP00n.TMP extraction directory via advpack.dll DelNodeRunDLL32 at next logon; they are not the malware's own persistence, which is the oneetx.exe scheduled task shown under Processes)
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\904261e7b5b202e8594644130cf31089c365ad1a79ee02af0de9920a82f14dc2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM534994.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK785166.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vz500697.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jH053548.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b79318081.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d62605527.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c33475999.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\904261e7b5b202e8594644130cf31089c365ad1a79ee02af0de9920a82f14dc2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM534994.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d62605527.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK785166.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vz500697.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jH053548.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b79318081.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f64682884.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b79318081.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d62605527.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\904261e7b5b202e8594644130cf31089c365ad1a79ee02af0de9920a82f14dc2.exe
"C:\Users\Admin\AppData\Local\Temp\904261e7b5b202e8594644130cf31089c365ad1a79ee02af0de9920a82f14dc2.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM534994.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM534994.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK785166.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK785166.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vz500697.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vz500697.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jH053548.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jH053548.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b79318081.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b79318081.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4844 -ip 4844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1260
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c33475999.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c33475999.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d62605527.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d62605527.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:R" /E
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6768 -ip 6768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1256
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f64682884.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f64682884.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
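The schtasks and cmd/cacls command lines above are Amadey's persistence and self-protection pattern: a task that relaunches oneetx.exe every minute from a user-writable temp directory, then cacls deny ACEs (`Admin:N`) on the dropped file and its directory, with `echo Y|` answering cacls' confirmation prompt, so the user that runs the payload cannot casually delete it. As an added example, not part of the sandbox report, the detector below scans process command lines for both halves of that pattern. The malicious command lines are copied from the Processes list, the two benign controls are constructed, and the `(image, cmdline)` tuple shape is an assumption about the telemetry source (Sysmon event 1 style).

```python
"""Detect the Amadey-style persistence/self-protection chain from process command lines.

Added example, not part of the sandbox report. Malicious lines are copied from the
report's Processes section; benign controls are constructed; field shape is assumed.
"""
import re
from typing import List, Tuple

SAMPLE_PROCESSES: List[Tuple[str, str]] = [
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "oneetx.exe" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "oneetx.exe" /P "Admin:R" /E'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\cb7ae701b3" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\cb7ae701b3" /P "Admin:R" /E'),
    # constructed benign controls: a daily task from Program Files, a plain read grant
    (r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /ST 02:00 /TN NightlyBackup /TR "C:\Program Files\Backup\backup.exe"'),
    (r"C:\Windows\System32\cacls.exe", r'CACLS "C:\Shared\reports" /P "Admin:R" /E'),
]

# Paths a non-admin user can write to; a task action living there is the red flag.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp|AppData\\Roaming)\\", re.I)
SCHTASKS_TR = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.I)
SCHTASKS_SC = re.compile(r"/SC\s+(\w+)", re.I)
SCHTASKS_MO = re.compile(r"/MO\s+(\d+)", re.I)
# cacls <path> /P <user>:N  == replace ACL with a deny-all for that user
CACLS_DENY = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):N"', re.I)


def check_schtasks(cmdline: str) -> List[Tuple[str, str]]:
    """Flag a /Create with a MINUTE schedule whose action lives in a user-writable path."""
    if "/create" not in cmdline.lower():
        return []
    tr = SCHTASKS_TR.search(cmdline)
    target = (tr.group(1) or tr.group(2)) if tr else ""
    sc = SCHTASKS_SC.search(cmdline)
    mo = SCHTASKS_MO.search(cmdline)
    if sc and sc.group(1).upper() == "MINUTE" and USER_WRITABLE.search(target):
        every = mo.group(1) if mo else "1"
        return [("T1053.005 minute-interval scheduled task runs binary from temp dir",
                 f"every {every} min -> {target}")]
    return []


def check_cacls(cmdline: str) -> List[Tuple[str, str]]:
    """Flag every deny-all (:N) cacls edit on the line; a cmd /k chain can carry several."""
    return [("T1222.001 cacls denies a user all access to a dropped file/directory",
             f"{path} ({user}:N)")
            for path, user in CACLS_DENY.findall(cmdline)]


def scan(processes: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (image, rule, detail) for every hit across the process list."""
    findings = []
    for image, cmdline in processes:
        for rule, detail in check_schtasks(cmdline) + check_cacls(cmdline):
            findings.append((image, rule, detail))
    return findings


if __name__ == "__main__":
    for image, rule, detail in scan(SAMPLE_PROCESSES):
        print(f"{image}\n    {rule}\n    {detail}")
```

The deny ACE only stops the unprivileged user; for remediation an administrator can reset the ACL (`icacls <path> /reset`, or take ownership first if the deny also covers the directory) and then remove the file and the `oneetx.exe` task.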
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM534994.exe
| MD5 | fab9189b698312de434e71e724a7d442 |
| SHA1 | 813c4f920efd390e210eaa3a6c7f13c768fd3f79 |
| SHA256 | 0d00f37e9fc9f3065951afcf3d741abd4c31bb0f29347c994fc5c0b401ae6146 |
| SHA512 | 836155a7e61373c6ba879ee73388e85cf0e4d48630144e8156fc6f2de6f8eefcc89fd1114d6559c349f679f826eb60e5a7092bfbd0f856b88d8a0bf3ad390c3a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK785166.exe
| MD5 | 9c35856ad7d39d05509eefab065d0419 |
| SHA1 | 6ee0220247561c97c3a3b2ec967271a0b4391b55 |
| SHA256 | 2b83750153378133f0791c8fba8a4d431177dca1add49446c36689c8099f8a42 |
| SHA512 | 1c55e8f75a0c93e5c33b0bf51d9519cfd747c098d4266d7ef145d460867fbff997401b020b05cff38221234bc946348ba512e23a58232e7cdbdb62377ef9e564 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vz500697.exe
| MD5 | aa4fd3bbb9e5135bd7eed08102cd3d96 |
| SHA1 | 870cb28b37ca9138b17e8b7d74af117c1bf8d86e |
| SHA256 | 617d66ab73259950f4576ac8fd13a6915c3a2a5164b5585b74c42f1c6eb19153 |
| SHA512 | ae3142b8c2875230b860529ca81202599554399487d8ae9b306e45d05a6be75bc790e35dd532d48cc633555c477c4868045c6e6dc510462c3b4a4faf7d54f32c |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jH053548.exe
| MD5 | d60c8f45f54879332cc8fe13aeb3fc26 |
| SHA1 | 0c0f1fa847a4fa9fdf63936a6220b521941bab57 |
| SHA256 | ad1f1810c72e3e1f8c210d3934092d0ed560e279b9c162a431b81baed7e2a922 |
| SHA512 | 70d72b1583626143527afa0ed32c10cca8ef4e10817459992bdd189b323c8ca6734e235325dcf21d926b45d0835f6a10a36a29185ccc73fad3bdc6de27cfe9b5 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe
| MD5 | 2e3812945bdaf2736d245a66bb89f9d7 |
| SHA1 | 9101380072eeff2a53eac2b9d7a6c3688b70eb3e |
| SHA256 | f9e3ef889ddc9ca32ae38dd85ad5693b40b91dde810ad479504894c7c01e8cb0 |
| SHA512 | c1c6c2e0c70819c40886960a9f40bda505a0f589c1363283f5b09258fe6fe03744c7063c35155d2e7079acb3154b0afefbb320b4cf71148e08c74c0065e54b32 |
memory/3528-35-0x0000000002370000-0x00000000023C8000-memory.dmp
memory/3528-36-0x0000000004B60000-0x0000000005104000-memory.dmp
memory/3528-37-0x00000000049F0000-0x0000000004A46000-memory.dmp
memory/3528-87-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-65-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-45-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-101-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-99-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-97-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-95-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-93-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-91-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-89-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-85-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-83-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-81-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-79-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-77-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-75-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-73-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-71-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-69-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-67-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-63-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-61-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-59-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-57-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-55-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-53-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-51-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-49-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-47-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-43-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-41-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-39-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-38-0x00000000049F0000-0x0000000004A41000-memory.dmp
memory/3528-2166-0x0000000004B30000-0x0000000004B3A000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2320-2179-0x00000000000B0000-0x00000000000BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b79318081.exe
| MD5 | 4dfc323f301368ae5cd575552bd6385f |
| SHA1 | 378775d72f9af1892cab72d0065a96aeb96bbd6e |
| SHA256 | c2044c35272e0ff2b25232a6f03c64b8f8a3c3b76289b59460c53a25789b0076 |
| SHA512 | dc54fb5cdf8e49156838ba7f608d98d35a17829b9e5cb24236c91533ba08f4cfb950fcbe0017bad52c3ec16b3de0062355754a72d3f50ed3295a2497964ea4d5 |
memory/4844-4312-0x0000000005750000-0x00000000057E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c33475999.exe
| MD5 | 5aa3d3603947235fffb00d67f08a576e |
| SHA1 | e08e70b5f3ab0f13735ae0f06faa0116b9929440 |
| SHA256 | da12f7083d26b3c7141171e5c1dea1bcbb784df7a1907bae8db99a1d8ca52026 |
| SHA512 | 7462879df9a7dea1275fe1852d2b2f4e7e734bfb8f3dcb9e5924b31313f80bdaf0b2cdc40a0aba8bf046930d922dbb104ef7cac22f2cc14dd4cd9444df3c88be |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d62605527.exe
| MD5 | b24ac7b3f7e5ebece52ab1c1bd05f886 |
| SHA1 | 116ef6d1a9e8cab94bf9dd434ed8300ac9ea19dc |
| SHA256 | 8440f59132de140506f302c65a74e897abe0eadee42581a4bc5d6cdd831c8874 |
| SHA512 | 7d8b1a02af93f602ae159e3adaf5666873b29d18c8b72767c6daaa3663211c281535e2fa4dff9ae5fed3f243afb7867f2e52261d44146578354213a2a8bbfeb7 |
memory/6768-4332-0x0000000004D40000-0x0000000004DA8000-memory.dmp
memory/6768-4333-0x0000000005510000-0x0000000005576000-memory.dmp
memory/6768-6480-0x0000000005760000-0x0000000005792000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f64682884.exe
| MD5 | d8e7ab86428e56568df8a4526a0dd1a6 |
| SHA1 | 149eba06f2ab103a4fff4bb6a6f02b54c1bce992 |
| SHA256 | 7d263f5280e94528cbb05197b413914d4384983dedb4feb4d5ccca43264d2f6c |
| SHA512 | 047043f39f22c4af5e7aca240ff482b38c8844b06d0683a176b033270c71fbfea9034df5d119d1e8dcc3adca27c963bde92a99a64aaef405b637d103e4de1001 |
memory/4288-6486-0x0000000000540000-0x0000000000570000-memory.dmp
memory/4288-6487-0x0000000002660000-0x0000000002666000-memory.dmp
memory/4288-6488-0x0000000005670000-0x0000000005C88000-memory.dmp
memory/4288-6489-0x0000000005160000-0x000000000526A000-memory.dmp
memory/4288-6490-0x0000000004DF0000-0x0000000004E02000-memory.dmp
memory/4288-6491-0x0000000005090000-0x00000000050CC000-memory.dmp
memory/4288-6492-0x00000000050D0000-0x000000000511C000-memory.dmp