Analysis Overview
SHA256
a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712
Threat Level: Known bad
The file a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
Amadey family
RedLine payload
Healer family
Healer
Redline family
Modifies Windows Defender Real-time Protection settings
RedLine
Amadey
Executes dropped EXE
Windows security modification
Checks computer location settings
Adds Run key to start application
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 02:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 02:56
Reported
2024-11-10 02:59
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
145s
Command Line
Signatures
Amadey
Amadey family
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448479176.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448479176.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448479176.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712.exe
"C:\Users\Admin\AppData\Local\Temp\a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448479176.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448479176.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.72:38452 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 185.161.248.72:38452 | | tcp |
| RU | 185.161.248.72:38452 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.72:38452 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.72:38452 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.72:38452 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe
| MD5 | 611e8951df4e9e37c95d726b8f8564da |
| SHA1 | 85e70c7474fd68f5f4e3818a5fc135548aa20752 |
| SHA256 | 4de4a6e11c0ec208d40221f2f965119766272d0a419b391e7fc32823fb5730a6 |
| SHA512 | 46c5f10abfa94a43cd25ca81527e45a3d228c04f87ba8a2c4d52a357f9038bc04c4ccc48f42788046dd5c87b24210a0428ca9054cd679565b3255c6a7d2ed226 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe
| MD5 | 552d980f8a030b3f730c6d670d840482 |
| SHA1 | a827ec9d289e1d436e31383b1326d5c01092486d |
| SHA256 | 549359e402e56bf0327f60630f82d453862b4b47301c6a7e0b52fe0e70c379f2 |
| SHA512 | 62b867105b74e4bf979e015da998a732a4f827767b2b1c5947d515c164798ea2cd4ecd66facadf614d18fd81fbacc7ae6c6a978079d234d2f46bc4f5ed617098 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe
| MD5 | 3125a292f523186fa323160973d737a8 |
| SHA1 | 5e50c46532de6f7a11483e72e9716b4d6f9ae1db |
| SHA256 | 6e6314e4e31c91b43810d82bf1bb3d4cbfddb807e4133609bfcc2b0336d6aa92 |
| SHA512 | be081d909c8549947a1c458f9b9e27781adcb37bef9cd83112391bf4beddd8bd70860499e6233d35813a2f35dd011adc9d777aa3033ad36e8d032f1ea6e0dbbc |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe
| MD5 | 3ca926f984d0345bb4e8f5da60b5ce60 |
| SHA1 | 01002765e2a05ef53d17161ab33eff9c3acb6811 |
| SHA256 | 661c0ca77d12801bb38ffe2c1176fcbedb5e27d48cddd497cff3d686ef957050 |
| SHA512 | c763ed6883b586886a536fd68ccff3a56264648fe452a2902a1c5e763c8bd229a1234a3bf0947b371bfe798ce8c2e7e9f9d1ce60934c4d772b6d21881ab5e9ec |
memory/4912-28-0x0000000002390000-0x00000000023AA000-memory.dmp
memory/4912-29-0x0000000004A70000-0x0000000005014000-memory.dmp
memory/4912-30-0x00000000023B0000-0x00000000023C8000-memory.dmp
memory/4912-32-0x00000000023B0000-0x00000000023C3000-memory.dmp
memory/4912-58-0x00000000023B0000-0x00000000023C3000-memory.dmp
memory/4912-56-0x00000000023B0000-0x00000000023C3000-memory.dmp
memory/4912-54-0x00000000023B0000-0x00000000023C3000-memory.dmp
memory/4912-52-0x00000000023B0000-0x00000000023C3000-memory.dmp
memory/4912-50-0x00000000023B0000-0x00000000023C3000-memory.dmp
memory/4912-48-0x00000000023B0000-0x00000000023C3000-memory.dmp
memory/4912-46-0x00000000023B0000-0x00000000023C3000-memory.dmp
memory/4912-44-0x00000000023B0000-0x00000000023C3000-memory.dmp
memory/4912-42-0x00000000023B0000-0x00000000023C3000-memory.dmp
memory/4912-40-0x00000000023B0000-0x00000000023C3000-memory.dmp
memory/4912-38-0x00000000023B0000-0x00000000023C3000-memory.dmp
memory/4912-36-0x00000000023B0000-0x00000000023C3000-memory.dmp
memory/4912-34-0x00000000023B0000-0x00000000023C3000-memory.dmp
memory/4912-31-0x00000000023B0000-0x00000000023C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe
| MD5 | 4ed6a0366c72512d62a7ad5d247f197d |
| SHA1 | 6625d1d0acb5aa13a7308d6e7b513701013c85ba |
| SHA256 | 0db0cc094af86f920a75399910a8f1f0eaa0160f85d2dd28e828b7f394225810 |
| SHA512 | aadca7b2b848d30b927a441661d45bc3ff4a2ecf0893be2dea726edcda247c164d07014e4760298d56b8c5663b0812ac08d3dc85f898fdb3e5482bb0150b68ba |
memory/4348-64-0x0000000002520000-0x000000000253A000-memory.dmp
memory/4348-65-0x0000000002750000-0x0000000002768000-memory.dmp
memory/4348-66-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-73-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-91-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-89-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-87-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-85-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-83-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-81-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-79-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-77-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-75-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-71-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-93-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-69-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-67-0x0000000002750000-0x0000000002762000-memory.dmp
memory/4348-95-0x0000000000400000-0x0000000000803000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe
| MD5 | e75a91e7755850f71b6953b84a7012d3 |
| SHA1 | ef7e204760db4dd3aca0eb4cde71852e06a3b1fb |
| SHA256 | a418fecad082441529e41a846c18e0008f4a8296f9032bac69a323016141ca46 |
| SHA512 | 10a2467c1868116993583215c9a76dceced8693597155615cc5fce76cc0d746a74daccca5be0a0dfad0e7687938b07b77dfb699dcb59cc79f36d66b50556bae7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448479176.exe
| MD5 | 316c81a0df44146be1b882ce0ef2559f |
| SHA1 | ccca202e11580b3fdee5639fc010922de89e42e0 |
| SHA256 | 7820877d631bbe05bd858033b085ea2568f0616eb192ab871003f7745b1cc436 |
| SHA512 | b0fd3719e0e90798c894988c08078a9988dcaaae1df50bcf9236f2626e98ec0f21bae8564b28c09504a74689d9ea92d55f86c7f69563e5dec83a9356c6ff677c |
memory/4024-114-0x0000000002710000-0x000000000274C000-memory.dmp
memory/4024-115-0x0000000004E20000-0x0000000004E5A000-memory.dmp
memory/4024-116-0x0000000004E20000-0x0000000004E55000-memory.dmp
memory/4024-117-0x0000000004E20000-0x0000000004E55000-memory.dmp
memory/4024-119-0x0000000004E20000-0x0000000004E55000-memory.dmp
memory/4024-121-0x0000000004E20000-0x0000000004E55000-memory.dmp
memory/4024-908-0x0000000007F20000-0x0000000008538000-memory.dmp
memory/4024-909-0x0000000007980000-0x0000000007992000-memory.dmp
memory/4024-910-0x00000000079A0000-0x0000000007AAA000-memory.dmp
memory/4024-911-0x0000000007AC0000-0x0000000007AFC000-memory.dmp
memory/4024-912-0x00000000048D0000-0x000000000491C000-memory.dmp