healer | 43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exe
Size

1.1MB
MD5

319e10390538257a26c100a8702b6dfa
SHA1

b3762113cc099af2e22643fb29719e43fe07bbf3
SHA256

43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b
SHA512

d6f878878c1968ad36777164df4d1576403b95ced49e8ba31867c21500f96abc611216339af55c0c3d23c1f8ddb03fe4fcd923e8fa474e055db9fed5a957d48f
SSDEEP

24576:ny67bZ9SzBaJckAix2h86yWgZz/xp3e+c9FusCRO:yKbDLJnAiaSVA+c9FzCR

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2944-55-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2944-56-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2944-58-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2944-60-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2944-62-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

Processes:

z9378771.exez0927263.exez0487371.exez7040787.exeq5438182.exe

pid process

1924 z9378771.exe
2072 z0927263.exe
2192 z0487371.exe
2236 z7040787.exe
1940 q5438182.exe

pid	process
1924	z9378771.exe
2072	z0927263.exe
2192	z0487371.exe
2236	z7040787.exe
1940	q5438182.exe

Loads dropped DLL 15 IoCs

Processes:

43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exez9378771.exez0927263.exez0487371.exez7040787.exeq5438182.exeWerFault.exe

pid	process
1408	43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exe
1924	z9378771.exe
1924	z9378771.exe
2072	z0927263.exe
2072	z0927263.exe
2192	z0487371.exe
2192	z0487371.exe
2236	z7040787.exe
2236	z7040787.exe
2236	z7040787.exe
1940	q5438182.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z0927263.exez0487371.exez7040787.exe43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exez9378771.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0927263.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0487371.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z7040787.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9378771.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

q5438182.exe

description pid process target process

PID 1940 set thread context of 2944 1940 q5438182.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2672 1940 WerFault.exe q5438182.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2944 AppLaunch.exe
2944 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2944 AppLaunch.exe

description	pid	process	target process
PID 1940 set thread context of 2944	1940	q5438182.exe	AppLaunch.exe

pid	pid_target	process	target process
2672	1940	WerFault.exe	q5438182.exe

pid	process
2944	AppLaunch.exe
2944	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2944	AppLaunch.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exez9378771.exez0927263.exez0487371.exez7040787.exeq5438182.exe

description	pid	process	target process
PID 1408 wrote to memory of 1924	1408	43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exe	z9378771.exe
PID 1408 wrote to memory of 1924	1408	43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exe	z9378771.exe
PID 1408 wrote to memory of 1924	1408	43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exe	z9378771.exe
PID 1408 wrote to memory of 1924	1408	43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exe	z9378771.exe
PID 1408 wrote to memory of 1924	1408	43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exe	z9378771.exe
PID 1408 wrote to memory of 1924	1408	43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exe	z9378771.exe
PID 1408 wrote to memory of 1924	1408	43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exe	z9378771.exe
PID 1924 wrote to memory of 2072	1924	z9378771.exe	z0927263.exe
PID 1924 wrote to memory of 2072	1924	z9378771.exe	z0927263.exe
PID 1924 wrote to memory of 2072	1924	z9378771.exe	z0927263.exe
PID 1924 wrote to memory of 2072	1924	z9378771.exe	z0927263.exe
PID 1924 wrote to memory of 2072	1924	z9378771.exe	z0927263.exe
PID 1924 wrote to memory of 2072	1924	z9378771.exe	z0927263.exe
PID 1924 wrote to memory of 2072	1924	z9378771.exe	z0927263.exe
PID 2072 wrote to memory of 2192	2072	z0927263.exe	z0487371.exe
PID 2072 wrote to memory of 2192	2072	z0927263.exe	z0487371.exe
PID 2072 wrote to memory of 2192	2072	z0927263.exe	z0487371.exe
PID 2072 wrote to memory of 2192	2072	z0927263.exe	z0487371.exe
PID 2072 wrote to memory of 2192	2072	z0927263.exe	z0487371.exe
PID 2072 wrote to memory of 2192	2072	z0927263.exe	z0487371.exe
PID 2072 wrote to memory of 2192	2072	z0927263.exe	z0487371.exe
PID 2192 wrote to memory of 2236	2192	z0487371.exe	z7040787.exe
PID 2192 wrote to memory of 2236	2192	z0487371.exe	z7040787.exe
PID 2192 wrote to memory of 2236	2192	z0487371.exe	z7040787.exe
PID 2192 wrote to memory of 2236	2192	z0487371.exe	z7040787.exe
PID 2192 wrote to memory of 2236	2192	z0487371.exe	z7040787.exe
PID 2192 wrote to memory of 2236	2192	z0487371.exe	z7040787.exe
PID 2192 wrote to memory of 2236	2192	z0487371.exe	z7040787.exe
PID 2236 wrote to memory of 1940	2236	z7040787.exe	q5438182.exe
PID 2236 wrote to memory of 1940	2236	z7040787.exe	q5438182.exe
PID 2236 wrote to memory of 1940	2236	z7040787.exe	q5438182.exe
PID 2236 wrote to memory of 1940	2236	z7040787.exe	q5438182.exe
PID 2236 wrote to memory of 1940	2236	z7040787.exe	q5438182.exe
PID 2236 wrote to memory of 1940	2236	z7040787.exe	q5438182.exe
PID 2236 wrote to memory of 1940	2236	z7040787.exe	q5438182.exe
PID 1940 wrote to memory of 2944	1940	q5438182.exe	AppLaunch.exe
PID 1940 wrote to memory of 2944	1940	q5438182.exe	AppLaunch.exe
PID 1940 wrote to memory of 2944	1940	q5438182.exe	AppLaunch.exe
PID 1940 wrote to memory of 2944	1940	q5438182.exe	AppLaunch.exe
PID 1940 wrote to memory of 2944	1940	q5438182.exe	AppLaunch.exe
PID 1940 wrote to memory of 2944	1940	q5438182.exe	AppLaunch.exe
PID 1940 wrote to memory of 2944	1940	q5438182.exe	AppLaunch.exe
PID 1940 wrote to memory of 2944	1940	q5438182.exe	AppLaunch.exe
PID 1940 wrote to memory of 2944	1940	q5438182.exe	AppLaunch.exe
PID 1940 wrote to memory of 2944	1940	q5438182.exe	AppLaunch.exe
PID 1940 wrote to memory of 2944	1940	q5438182.exe	AppLaunch.exe
PID 1940 wrote to memory of 2944	1940	q5438182.exe	AppLaunch.exe
PID 1940 wrote to memory of 2672	1940	q5438182.exe	WerFault.exe
PID 1940 wrote to memory of 2672	1940	q5438182.exe	WerFault.exe
PID 1940 wrote to memory of 2672	1940	q5438182.exe	WerFault.exe
PID 1940 wrote to memory of 2672	1940	q5438182.exe	WerFault.exe
PID 1940 wrote to memory of 2672	1940	q5438182.exe	WerFault.exe
PID 1940 wrote to memory of 2672	1940	q5438182.exe	WerFault.exe
PID 1940 wrote to memory of 2672	1940	q5438182.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exe
"C:\Users\Admin\AppData\Local\Temp\43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9378771.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9378771.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0927263.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0927263.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0487371.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0487371.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7040787.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7040787.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5438182.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5438182.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 276
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9378771.exe

Filesize
981KB

MD5
6743e751decb7a2593b541383c70212f

SHA1
18b2f028984c1460ac072a7e335c0ba60302e6bf

SHA256
7dda0c0e3fa8c349790a2d95b3a5a6b4c429d1f9b90a25dd49c99367c5b8f0d5

SHA512
997033ac827f0e8cb56c7b4e591feead3abf980b5abdb89b696ab7284a16c2f28e3b5a3413241415489a020a3fad636cc7ce206fb8e884b8a05440b1f8cc561a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9378771.exe

Filesize
981KB

MD5
6743e751decb7a2593b541383c70212f

SHA1
18b2f028984c1460ac072a7e335c0ba60302e6bf

SHA256
7dda0c0e3fa8c349790a2d95b3a5a6b4c429d1f9b90a25dd49c99367c5b8f0d5

SHA512
997033ac827f0e8cb56c7b4e591feead3abf980b5abdb89b696ab7284a16c2f28e3b5a3413241415489a020a3fad636cc7ce206fb8e884b8a05440b1f8cc561a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0927263.exe

Filesize
798KB

MD5
e41d8c5a9ce201deaf5e522eb9e447ff

SHA1
680d9e51498bccaff3b03d39036092ea734205e3

SHA256
f0d5505b8f7e10629f4e0a97555448ceb777cb14f1e14598b617312322bf1954

SHA512
cae2f0947598c0726a1be6461f34a021270d2415efe0f1fddcd2eb3ec960c6db5c0debd1ae137e2158c8e7f2211acb035bc47c5afe76cc6b0e9b01348d0358a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0927263.exe

Filesize
798KB

MD5
e41d8c5a9ce201deaf5e522eb9e447ff

SHA1
680d9e51498bccaff3b03d39036092ea734205e3

SHA256
f0d5505b8f7e10629f4e0a97555448ceb777cb14f1e14598b617312322bf1954

SHA512
cae2f0947598c0726a1be6461f34a021270d2415efe0f1fddcd2eb3ec960c6db5c0debd1ae137e2158c8e7f2211acb035bc47c5afe76cc6b0e9b01348d0358a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0487371.exe

Filesize
616KB

MD5
e338b43e47eb76ec3d29fb591fdcbd93

SHA1
25ec4da23da2e7f8d5398b2f298ae2aef0f47b7c

SHA256
7f3bd8da17a3a0c90110d7f784326b725f75ccf971b7843616c0c9e5fbf21b5b

SHA512
a636f131819dd0ee685882ec1e661e6a396b2e09f7f308563ab25e127980dd6eb851d24f9484236c9e56c3634c0f677ff068784b40fce54a955e8e8137e8b815

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0487371.exe

Filesize
616KB

MD5
e338b43e47eb76ec3d29fb591fdcbd93

SHA1
25ec4da23da2e7f8d5398b2f298ae2aef0f47b7c

SHA256
7f3bd8da17a3a0c90110d7f784326b725f75ccf971b7843616c0c9e5fbf21b5b

SHA512
a636f131819dd0ee685882ec1e661e6a396b2e09f7f308563ab25e127980dd6eb851d24f9484236c9e56c3634c0f677ff068784b40fce54a955e8e8137e8b815

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7040787.exe

Filesize
346KB

MD5
5a9afdbdbdb81b80ad062a3db6e703b6

SHA1
675aaa8529b8eef87cf518e3e9fd3f689a60b36b

SHA256
95dc31e6678c4bb4629e708d605f13bf2ae34b82743fc660e2c626ea009c48b9

SHA512
0a70181ec209528bdc2c31c1e56e54b89ef3b5409272c6609c1eef098ac7898cf4c08e4131dd8d518052b17e76ad450f3b503bc46a8e22961529fe63923263c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7040787.exe

Filesize
346KB

MD5
5a9afdbdbdb81b80ad062a3db6e703b6

SHA1
675aaa8529b8eef87cf518e3e9fd3f689a60b36b

SHA256
95dc31e6678c4bb4629e708d605f13bf2ae34b82743fc660e2c626ea009c48b9

SHA512
0a70181ec209528bdc2c31c1e56e54b89ef3b5409272c6609c1eef098ac7898cf4c08e4131dd8d518052b17e76ad450f3b503bc46a8e22961529fe63923263c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5438182.exe

Filesize
227KB

MD5
4903d0f23691cf5cc2798d02a4965ff0

SHA1
b2beda43b036a9ee9861bd2ff321695d1953cf52

SHA256
53246d09ff548bcf5b04ef135170934be2df38cfe8bfef98b3c6e98cdbee4f34

SHA512
7675590901acfccdfbc31925074cc645da04871a3a079a2f88df023441f1aadfc96f2735f638e950a115f55967b59fe2f5c7afe4b6dca4190e374e56a4800dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5438182.exe

Filesize
227KB

MD5
4903d0f23691cf5cc2798d02a4965ff0

SHA1
b2beda43b036a9ee9861bd2ff321695d1953cf52

SHA256
53246d09ff548bcf5b04ef135170934be2df38cfe8bfef98b3c6e98cdbee4f34

SHA512
7675590901acfccdfbc31925074cc645da04871a3a079a2f88df023441f1aadfc96f2735f638e950a115f55967b59fe2f5c7afe4b6dca4190e374e56a4800dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5438182.exe

Filesize
227KB

MD5
4903d0f23691cf5cc2798d02a4965ff0

SHA1
b2beda43b036a9ee9861bd2ff321695d1953cf52

SHA256
53246d09ff548bcf5b04ef135170934be2df38cfe8bfef98b3c6e98cdbee4f34

SHA512
7675590901acfccdfbc31925074cc645da04871a3a079a2f88df023441f1aadfc96f2735f638e950a115f55967b59fe2f5c7afe4b6dca4190e374e56a4800dd7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9378771.exe

Filesize
981KB

MD5
6743e751decb7a2593b541383c70212f

SHA1
18b2f028984c1460ac072a7e335c0ba60302e6bf

SHA256
7dda0c0e3fa8c349790a2d95b3a5a6b4c429d1f9b90a25dd49c99367c5b8f0d5

SHA512
997033ac827f0e8cb56c7b4e591feead3abf980b5abdb89b696ab7284a16c2f28e3b5a3413241415489a020a3fad636cc7ce206fb8e884b8a05440b1f8cc561a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9378771.exe

Filesize
981KB

MD5
6743e751decb7a2593b541383c70212f

SHA1
18b2f028984c1460ac072a7e335c0ba60302e6bf

SHA256
7dda0c0e3fa8c349790a2d95b3a5a6b4c429d1f9b90a25dd49c99367c5b8f0d5

SHA512
997033ac827f0e8cb56c7b4e591feead3abf980b5abdb89b696ab7284a16c2f28e3b5a3413241415489a020a3fad636cc7ce206fb8e884b8a05440b1f8cc561a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0927263.exe

Filesize
798KB

MD5
e41d8c5a9ce201deaf5e522eb9e447ff

SHA1
680d9e51498bccaff3b03d39036092ea734205e3

SHA256
f0d5505b8f7e10629f4e0a97555448ceb777cb14f1e14598b617312322bf1954

SHA512
cae2f0947598c0726a1be6461f34a021270d2415efe0f1fddcd2eb3ec960c6db5c0debd1ae137e2158c8e7f2211acb035bc47c5afe76cc6b0e9b01348d0358a4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0927263.exe

Filesize
798KB

MD5
e41d8c5a9ce201deaf5e522eb9e447ff

SHA1
680d9e51498bccaff3b03d39036092ea734205e3

SHA256
f0d5505b8f7e10629f4e0a97555448ceb777cb14f1e14598b617312322bf1954

SHA512
cae2f0947598c0726a1be6461f34a021270d2415efe0f1fddcd2eb3ec960c6db5c0debd1ae137e2158c8e7f2211acb035bc47c5afe76cc6b0e9b01348d0358a4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0487371.exe

Filesize
616KB

MD5
e338b43e47eb76ec3d29fb591fdcbd93

SHA1
25ec4da23da2e7f8d5398b2f298ae2aef0f47b7c

SHA256
7f3bd8da17a3a0c90110d7f784326b725f75ccf971b7843616c0c9e5fbf21b5b

SHA512
a636f131819dd0ee685882ec1e661e6a396b2e09f7f308563ab25e127980dd6eb851d24f9484236c9e56c3634c0f677ff068784b40fce54a955e8e8137e8b815

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0487371.exe

Filesize
616KB

MD5
e338b43e47eb76ec3d29fb591fdcbd93

SHA1
25ec4da23da2e7f8d5398b2f298ae2aef0f47b7c

SHA256
7f3bd8da17a3a0c90110d7f784326b725f75ccf971b7843616c0c9e5fbf21b5b

SHA512
a636f131819dd0ee685882ec1e661e6a396b2e09f7f308563ab25e127980dd6eb851d24f9484236c9e56c3634c0f677ff068784b40fce54a955e8e8137e8b815

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7040787.exe

Filesize
346KB

MD5
5a9afdbdbdb81b80ad062a3db6e703b6

SHA1
675aaa8529b8eef87cf518e3e9fd3f689a60b36b

SHA256
95dc31e6678c4bb4629e708d605f13bf2ae34b82743fc660e2c626ea009c48b9

SHA512
0a70181ec209528bdc2c31c1e56e54b89ef3b5409272c6609c1eef098ac7898cf4c08e4131dd8d518052b17e76ad450f3b503bc46a8e22961529fe63923263c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7040787.exe

Filesize
346KB

MD5
5a9afdbdbdb81b80ad062a3db6e703b6

SHA1
675aaa8529b8eef87cf518e3e9fd3f689a60b36b

SHA256
95dc31e6678c4bb4629e708d605f13bf2ae34b82743fc660e2c626ea009c48b9

SHA512
0a70181ec209528bdc2c31c1e56e54b89ef3b5409272c6609c1eef098ac7898cf4c08e4131dd8d518052b17e76ad450f3b503bc46a8e22961529fe63923263c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5438182.exe

Filesize
227KB

MD5
4903d0f23691cf5cc2798d02a4965ff0

SHA1
b2beda43b036a9ee9861bd2ff321695d1953cf52

SHA256
53246d09ff548bcf5b04ef135170934be2df38cfe8bfef98b3c6e98cdbee4f34

SHA512
7675590901acfccdfbc31925074cc645da04871a3a079a2f88df023441f1aadfc96f2735f638e950a115f55967b59fe2f5c7afe4b6dca4190e374e56a4800dd7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5438182.exe

Filesize
227KB

MD5
4903d0f23691cf5cc2798d02a4965ff0

SHA1
b2beda43b036a9ee9861bd2ff321695d1953cf52

SHA256
53246d09ff548bcf5b04ef135170934be2df38cfe8bfef98b3c6e98cdbee4f34

SHA512
7675590901acfccdfbc31925074cc645da04871a3a079a2f88df023441f1aadfc96f2735f638e950a115f55967b59fe2f5c7afe4b6dca4190e374e56a4800dd7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5438182.exe

Filesize
227KB

MD5
4903d0f23691cf5cc2798d02a4965ff0

SHA1
b2beda43b036a9ee9861bd2ff321695d1953cf52

SHA256
53246d09ff548bcf5b04ef135170934be2df38cfe8bfef98b3c6e98cdbee4f34

SHA512
7675590901acfccdfbc31925074cc645da04871a3a079a2f88df023441f1aadfc96f2735f638e950a115f55967b59fe2f5c7afe4b6dca4190e374e56a4800dd7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5438182.exe

Filesize
227KB

MD5
4903d0f23691cf5cc2798d02a4965ff0

SHA1
b2beda43b036a9ee9861bd2ff321695d1953cf52

SHA256
53246d09ff548bcf5b04ef135170934be2df38cfe8bfef98b3c6e98cdbee4f34

SHA512
7675590901acfccdfbc31925074cc645da04871a3a079a2f88df023441f1aadfc96f2735f638e950a115f55967b59fe2f5c7afe4b6dca4190e374e56a4800dd7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5438182.exe

Filesize
227KB

MD5
4903d0f23691cf5cc2798d02a4965ff0

SHA1
b2beda43b036a9ee9861bd2ff321695d1953cf52

SHA256
53246d09ff548bcf5b04ef135170934be2df38cfe8bfef98b3c6e98cdbee4f34

SHA512
7675590901acfccdfbc31925074cc645da04871a3a079a2f88df023441f1aadfc96f2735f638e950a115f55967b59fe2f5c7afe4b6dca4190e374e56a4800dd7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5438182.exe

Filesize
227KB

MD5
4903d0f23691cf5cc2798d02a4965ff0

SHA1
b2beda43b036a9ee9861bd2ff321695d1953cf52

SHA256
53246d09ff548bcf5b04ef135170934be2df38cfe8bfef98b3c6e98cdbee4f34

SHA512
7675590901acfccdfbc31925074cc645da04871a3a079a2f88df023441f1aadfc96f2735f638e950a115f55967b59fe2f5c7afe4b6dca4190e374e56a4800dd7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5438182.exe

Filesize
227KB

MD5
4903d0f23691cf5cc2798d02a4965ff0

SHA1
b2beda43b036a9ee9861bd2ff321695d1953cf52

SHA256
53246d09ff548bcf5b04ef135170934be2df38cfe8bfef98b3c6e98cdbee4f34

SHA512
7675590901acfccdfbc31925074cc645da04871a3a079a2f88df023441f1aadfc96f2735f638e950a115f55967b59fe2f5c7afe4b6dca4190e374e56a4800dd7

Download Submit
memory/2944-57-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2944-58-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2944-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2944-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2944-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2944-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2944-54-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2944-53-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download