Malware Analysis Report

2025-05-06 01:34

Sample ID 241110-dw8azsycrj
Target 2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f
SHA256 2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f
Tags
healer redline mango sito discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f

Threat Level: Known bad

The file 2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f was found to be: Known bad.

Malicious Activity Summary

healer redline mango sito discovery dropper evasion infostealer persistence trojan

RedLine

RedLine payload

Healer family

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer, an antivirus disabler dropper

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:22

Reported

2024-11-10 03:25

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5028lQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5028lQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5028lQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5028lQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5028lQ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5028lQ.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5028lQ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7583.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6916.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 704 set thread context of 4956 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\deMLI84.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\deMLI84.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\deMLI84.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e52kh04.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7583.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6916.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5028lQ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\deMLI84.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7583.exe
PID 1420 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7583.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6916.exe
PID 4028 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6916.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5028lQ.exe
PID 4028 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6916.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe
PID 1420 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7583.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\deMLI84.exe
PID 704 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\deMLI84.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\deMLI84.exe
PID 2304 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e52kh04.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f.exe

"C:\Users\Admin\AppData\Local\Temp\2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7583.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7583.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6916.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6916.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5028lQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5028lQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1404 -ip 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\deMLI84.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\deMLI84.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\deMLI84.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\deMLI84.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e52kh04.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e52kh04.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7583.exe

MD5 c2c07db1f71e570c1b36cb75abf7ad35
SHA1 5450433c9b5663f0b275872188659af84ffcc2f5
SHA256 d416b4eb9c51a459f750743d42c585ecfba93060decc83978f4fc97df0e42f97
SHA512 bd80aa29b4b9b290181aa46a1fb5bf9cc2db46788f24333b543aea5c46e4a53c5ea4e94db6b483b4bf28807fc0b2f69a2b824ebe068b4b86ece00f6cdf6c373e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6916.exe

MD5 006d4ead14b352cfbf2c15acbdce789c
SHA1 4b06befc9d0fd003b1500b3c70b58647cb9cb8b2
SHA256 1079d4d05ad2e5737e29a11e87030a12cf50284ceec1f06a6795e4c96df37ba3
SHA512 772ba276c079bf96cf8888757edd91f42a412a9ac3890b990d8a5650ae1173b81d594171e1b94a3ccf6e34f8d51cda8b455357b56a68ae460d8f17fb6e505918

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5028lQ.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe

MD5 6308417c59a28b391b6bfb040d1999fe
SHA1 32cf533d589ed27217fd1e13308ef4a2ccc61a2a
SHA256 3e1b1d987b7f0b7f4f5eff81d78981aac67c6f317c7dfff77e6e3d9aea5600c8
SHA512 37d3e7f5dca67db499e81c1658c680028e2042a4d238b21a3e0c6cd835c8a8f519a7bb40533289267c39a814b926b001c96c8b1d373c17e10bee6b0be7f5f697

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\deMLI84.exe

MD5 9913b2a973e6a5f4654f1a588048d251
SHA1 834a42420536412319a8063a5f9c3bc4e920b594
SHA256 ab2b96e19cb005b81d5f970aeec366a9153a9bd3ff1cde63b4207d4b503a5d72
SHA512 8c5a73a7c10373814f59f3bb7ab964460e3911b35f2f9ddca55e6ec894d8959c7a39c08a0f62170e221471c5c36daae3f88cca9490b9cecede7aba0b0241461d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e52kh04.exe

MD5 795f3fe5687db9b19853eaf6acdc389a
SHA1 cd1ba862909c58a01d3a8e44c29cb71bb6b50630
SHA256 448bad37914cb6f2102c2c8b10cd93770e529ab4fd13e616ee99e2e184cb0e56
SHA512 d9fdfef28242f378cda4698e6e89ae736dc60f5e1852aa414519bf0bdfce129e6c015306c43c7f10ab7648d158761ebaeb4dd54c1a04fa6d20a2f35cbf2b6130
