healer | 48dcf83a6e12e1ff58a6d3b61009ab8bff8ed04425353c45daab9ebf2e7ef6a0

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48dcf83a6e12e1ff58a6d3b61009ab8bff8ed04425353c45daab9ebf2e7ef6a0.exe
Size

1.3MB
MD5

3ad91a42d1a06eb373c54e7cf4ab69df
SHA1

d287322d1e505fb15d3f1c20fb9dce995c16cb47
SHA256

48dcf83a6e12e1ff58a6d3b61009ab8bff8ed04425353c45daab9ebf2e7ef6a0
SHA512

85321e49038aee10b4ce9d799aa4853a1d7f36fb402d92b0415145798c9f25ac5cd54da8d03fae8720243cfcd82c73b0d49f18a325e604b2f63242666749407d
SSDEEP

24576:UyyAngXcNYr0pF0rbEtIZGINxpDnFcFXRjKhcEpUSg4s4tP6ZMH:jyGq0kr4tIZfNxp5cFtKlG4tS

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

resource	yara_rule
behavioral1/memory/2628-57-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2628-58-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2628-60-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2628-64-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2628-62-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

pid	Process
2092	z9337188.exe
2216	z6524909.exe
1168	z0604415.exe
2660	z8276382.exe
2668	q9857242.exe

Loads dropped DLL 15 IoCs

pid	Process
2256	48dcf83a6e12e1ff58a6d3b61009ab8bff8ed04425353c45daab9ebf2e7ef6a0.exe
2092	z9337188.exe
2092	z9337188.exe
2216	z6524909.exe
2216	z6524909.exe
1168	z0604415.exe
1168	z0604415.exe
2660	z8276382.exe
2660	z8276382.exe
2660	z8276382.exe
2668	q9857242.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0604415.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z8276382.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	48dcf83a6e12e1ff58a6d3b61009ab8bff8ed04425353c45daab9ebf2e7ef6a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9337188.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6524909.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 2628	2668	q9857242.exe	34

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2648	2668	WerFault.exe	32

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2628	AppLaunch.exe
2628	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	AppLaunch.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2092	2256	48dcf83a6e12e1ff58a6d3b61009ab8bff8ed04425353c45daab9ebf2e7ef6a0.exe	28
PID 2256 wrote to memory of 2092	2256	48dcf83a6e12e1ff58a6d3b61009ab8bff8ed04425353c45daab9ebf2e7ef6a0.exe	28
PID 2256 wrote to memory of 2092	2256	48dcf83a6e12e1ff58a6d3b61009ab8bff8ed04425353c45daab9ebf2e7ef6a0.exe	28
PID 2256 wrote to memory of 2092	2256	48dcf83a6e12e1ff58a6d3b61009ab8bff8ed04425353c45daab9ebf2e7ef6a0.exe	28
PID 2256 wrote to memory of 2092	2256	48dcf83a6e12e1ff58a6d3b61009ab8bff8ed04425353c45daab9ebf2e7ef6a0.exe	28
PID 2256 wrote to memory of 2092	2256	48dcf83a6e12e1ff58a6d3b61009ab8bff8ed04425353c45daab9ebf2e7ef6a0.exe	28
PID 2256 wrote to memory of 2092	2256	48dcf83a6e12e1ff58a6d3b61009ab8bff8ed04425353c45daab9ebf2e7ef6a0.exe	28
PID 2092 wrote to memory of 2216	2092	z9337188.exe	29
PID 2092 wrote to memory of 2216	2092	z9337188.exe	29
PID 2092 wrote to memory of 2216	2092	z9337188.exe	29
PID 2092 wrote to memory of 2216	2092	z9337188.exe	29
PID 2092 wrote to memory of 2216	2092	z9337188.exe	29
PID 2092 wrote to memory of 2216	2092	z9337188.exe	29
PID 2092 wrote to memory of 2216	2092	z9337188.exe	29
PID 2216 wrote to memory of 1168	2216	z6524909.exe	30
PID 2216 wrote to memory of 1168	2216	z6524909.exe	30
PID 2216 wrote to memory of 1168	2216	z6524909.exe	30
PID 2216 wrote to memory of 1168	2216	z6524909.exe	30
PID 2216 wrote to memory of 1168	2216	z6524909.exe	30
PID 2216 wrote to memory of 1168	2216	z6524909.exe	30
PID 2216 wrote to memory of 1168	2216	z6524909.exe	30
PID 1168 wrote to memory of 2660	1168	z0604415.exe	31
PID 1168 wrote to memory of 2660	1168	z0604415.exe	31
PID 1168 wrote to memory of 2660	1168	z0604415.exe	31
PID 1168 wrote to memory of 2660	1168	z0604415.exe	31
PID 1168 wrote to memory of 2660	1168	z0604415.exe	31
PID 1168 wrote to memory of 2660	1168	z0604415.exe	31
PID 1168 wrote to memory of 2660	1168	z0604415.exe	31
PID 2660 wrote to memory of 2668	2660	z8276382.exe	32
PID 2660 wrote to memory of 2668	2660	z8276382.exe	32
PID 2660 wrote to memory of 2668	2660	z8276382.exe	32
PID 2660 wrote to memory of 2668	2660	z8276382.exe	32
PID 2660 wrote to memory of 2668	2660	z8276382.exe	32
PID 2660 wrote to memory of 2668	2660	z8276382.exe	32
PID 2660 wrote to memory of 2668	2660	z8276382.exe	32
PID 2668 wrote to memory of 2628	2668	q9857242.exe	34
PID 2668 wrote to memory of 2628	2668	q9857242.exe	34
PID 2668 wrote to memory of 2628	2668	q9857242.exe	34
PID 2668 wrote to memory of 2628	2668	q9857242.exe	34
PID 2668 wrote to memory of 2628	2668	q9857242.exe	34
PID 2668 wrote to memory of 2628	2668	q9857242.exe	34
PID 2668 wrote to memory of 2628	2668	q9857242.exe	34
PID 2668 wrote to memory of 2628	2668	q9857242.exe	34
PID 2668 wrote to memory of 2628	2668	q9857242.exe	34
PID 2668 wrote to memory of 2628	2668	q9857242.exe	34
PID 2668 wrote to memory of 2628	2668	q9857242.exe	34
PID 2668 wrote to memory of 2628	2668	q9857242.exe	34
PID 2668 wrote to memory of 2648	2668	q9857242.exe	35
PID 2668 wrote to memory of 2648	2668	q9857242.exe	35
PID 2668 wrote to memory of 2648	2668	q9857242.exe	35
PID 2668 wrote to memory of 2648	2668	q9857242.exe	35
PID 2668 wrote to memory of 2648	2668	q9857242.exe	35
PID 2668 wrote to memory of 2648	2668	q9857242.exe	35
PID 2668 wrote to memory of 2648	2668	q9857242.exe	35

C:\Users\Admin\AppData\Local\Temp\48dcf83a6e12e1ff58a6d3b61009ab8bff8ed04425353c45daab9ebf2e7ef6a0.exe
"C:\Users\Admin\AppData\Local\Temp\48dcf83a6e12e1ff58a6d3b61009ab8bff8ed04425353c45daab9ebf2e7ef6a0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9337188.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9337188.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6524909.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6524909.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0604415.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0604415.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8276382.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8276382.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9857242.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9857242.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 268
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9337188.exe

Filesize
1.2MB

MD5
0e792322f2929be5694a7efca67fe166

SHA1
6678675aa91ac81063f58f0bb9bf3b6a10070870

SHA256
e71d6637618df0283a49a8f4223c769df1459fa6a4f8e0fd63ed8258df6c29f6

SHA512
4fdf527ffe436d64aff289169c51ea9657f93bb22b4cbf653f81525a5c0ed40ff31d851774de114b56abd97fa119e2e2efbf3b0c4df149eab1c751888aa0c26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9337188.exe

Filesize
1.2MB

MD5
0e792322f2929be5694a7efca67fe166

SHA1
6678675aa91ac81063f58f0bb9bf3b6a10070870

SHA256
e71d6637618df0283a49a8f4223c769df1459fa6a4f8e0fd63ed8258df6c29f6

SHA512
4fdf527ffe436d64aff289169c51ea9657f93bb22b4cbf653f81525a5c0ed40ff31d851774de114b56abd97fa119e2e2efbf3b0c4df149eab1c751888aa0c26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6524909.exe

Filesize
1.0MB

MD5
42b48397423aafb6310ba0a9df18c266

SHA1
936b7ae5fceaf36733e6ce6cf81644e335eafc85

SHA256
0ce596488e41181db8af571040c3ba03dabc9ea719549137834168709e6cb6be

SHA512
1bd8838d02021688cd730bb1cec862c75fe788d826e5e8125b5bfbb9ff5998307b201fda0c9c707f50906e09a998b89d977672e44264ccacb6d717340e7b4e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6524909.exe

Filesize
1.0MB

MD5
42b48397423aafb6310ba0a9df18c266

SHA1
936b7ae5fceaf36733e6ce6cf81644e335eafc85

SHA256
0ce596488e41181db8af571040c3ba03dabc9ea719549137834168709e6cb6be

SHA512
1bd8838d02021688cd730bb1cec862c75fe788d826e5e8125b5bfbb9ff5998307b201fda0c9c707f50906e09a998b89d977672e44264ccacb6d717340e7b4e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0604415.exe

Filesize
884KB

MD5
fe3c957ecd1fcc4f4eae55cc6333c78f

SHA1
2286d2ff17bc79d63029b659d0eeea12df51972b

SHA256
e1e0596dd921ebeb9b2b42ea234319aeae42c784399045c0e7f3acf0333241b3

SHA512
98af44cb3162c7f4dbde1b68998b6a82338fab9837a46635fec9fcafbd606038e1ec2f8616a1136582c2b14410716eedfa469db0a808c5720fb68a22e50cce8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0604415.exe

Filesize
884KB

MD5
fe3c957ecd1fcc4f4eae55cc6333c78f

SHA1
2286d2ff17bc79d63029b659d0eeea12df51972b

SHA256
e1e0596dd921ebeb9b2b42ea234319aeae42c784399045c0e7f3acf0333241b3

SHA512
98af44cb3162c7f4dbde1b68998b6a82338fab9837a46635fec9fcafbd606038e1ec2f8616a1136582c2b14410716eedfa469db0a808c5720fb68a22e50cce8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8276382.exe

Filesize
493KB

MD5
8d005944fe6bc90684a177b7a923424c

SHA1
ff2b2ee2c4edf27d46431532913bd77827f101d0

SHA256
3c8d4d6741deb70ebfc635813f720d2a76f79b2804afd11478a851b88f14a418

SHA512
a5e281e6bd0cad50cbb7beda7f2e2175860e77da6f0410b721de9be2fd6691df3ef322774a7b3514729c4a0dfcb46e43f906833786dc02753292ebfb5d0c928d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8276382.exe

Filesize
493KB

MD5
8d005944fe6bc90684a177b7a923424c

SHA1
ff2b2ee2c4edf27d46431532913bd77827f101d0

SHA256
3c8d4d6741deb70ebfc635813f720d2a76f79b2804afd11478a851b88f14a418

SHA512
a5e281e6bd0cad50cbb7beda7f2e2175860e77da6f0410b721de9be2fd6691df3ef322774a7b3514729c4a0dfcb46e43f906833786dc02753292ebfb5d0c928d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9857242.exe

Filesize
860KB

MD5
7f04d1f88225cfd07de9af0d9127acd9

SHA1
618e16fcee4e934366fc3c0fe53350b658ae06f1

SHA256
e37b9dcced4b5c75e1f51a6e1d5cf39270cf3aca8bacdf447f95ec9254c2776e

SHA512
8ae547639b0b238d40f658a814bb2544fd97fb0e1533a2cdd14cf40fb3753b421db3b2b914434509dc8cea3030c5f34992e1a985ebcccd7c5dd34a784dfe2fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9857242.exe

Filesize
860KB

MD5
7f04d1f88225cfd07de9af0d9127acd9

SHA1
618e16fcee4e934366fc3c0fe53350b658ae06f1

SHA256
e37b9dcced4b5c75e1f51a6e1d5cf39270cf3aca8bacdf447f95ec9254c2776e

SHA512
8ae547639b0b238d40f658a814bb2544fd97fb0e1533a2cdd14cf40fb3753b421db3b2b914434509dc8cea3030c5f34992e1a985ebcccd7c5dd34a784dfe2fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9857242.exe

Filesize
860KB

MD5
7f04d1f88225cfd07de9af0d9127acd9

SHA1
618e16fcee4e934366fc3c0fe53350b658ae06f1

SHA256
e37b9dcced4b5c75e1f51a6e1d5cf39270cf3aca8bacdf447f95ec9254c2776e

SHA512
8ae547639b0b238d40f658a814bb2544fd97fb0e1533a2cdd14cf40fb3753b421db3b2b914434509dc8cea3030c5f34992e1a985ebcccd7c5dd34a784dfe2fdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9337188.exe

Filesize
1.2MB

MD5
0e792322f2929be5694a7efca67fe166

SHA1
6678675aa91ac81063f58f0bb9bf3b6a10070870

SHA256
e71d6637618df0283a49a8f4223c769df1459fa6a4f8e0fd63ed8258df6c29f6

SHA512
4fdf527ffe436d64aff289169c51ea9657f93bb22b4cbf653f81525a5c0ed40ff31d851774de114b56abd97fa119e2e2efbf3b0c4df149eab1c751888aa0c26a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9337188.exe

Filesize
1.2MB

MD5
0e792322f2929be5694a7efca67fe166

SHA1
6678675aa91ac81063f58f0bb9bf3b6a10070870

SHA256
e71d6637618df0283a49a8f4223c769df1459fa6a4f8e0fd63ed8258df6c29f6

SHA512
4fdf527ffe436d64aff289169c51ea9657f93bb22b4cbf653f81525a5c0ed40ff31d851774de114b56abd97fa119e2e2efbf3b0c4df149eab1c751888aa0c26a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6524909.exe

Filesize
1.0MB

MD5
42b48397423aafb6310ba0a9df18c266

SHA1
936b7ae5fceaf36733e6ce6cf81644e335eafc85

SHA256
0ce596488e41181db8af571040c3ba03dabc9ea719549137834168709e6cb6be

SHA512
1bd8838d02021688cd730bb1cec862c75fe788d826e5e8125b5bfbb9ff5998307b201fda0c9c707f50906e09a998b89d977672e44264ccacb6d717340e7b4e99

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6524909.exe

Filesize
1.0MB

MD5
42b48397423aafb6310ba0a9df18c266

SHA1
936b7ae5fceaf36733e6ce6cf81644e335eafc85

SHA256
0ce596488e41181db8af571040c3ba03dabc9ea719549137834168709e6cb6be

SHA512
1bd8838d02021688cd730bb1cec862c75fe788d826e5e8125b5bfbb9ff5998307b201fda0c9c707f50906e09a998b89d977672e44264ccacb6d717340e7b4e99

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0604415.exe

Filesize
884KB

MD5
fe3c957ecd1fcc4f4eae55cc6333c78f

SHA1
2286d2ff17bc79d63029b659d0eeea12df51972b

SHA256
e1e0596dd921ebeb9b2b42ea234319aeae42c784399045c0e7f3acf0333241b3

SHA512
98af44cb3162c7f4dbde1b68998b6a82338fab9837a46635fec9fcafbd606038e1ec2f8616a1136582c2b14410716eedfa469db0a808c5720fb68a22e50cce8e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0604415.exe

Filesize
884KB

MD5
fe3c957ecd1fcc4f4eae55cc6333c78f

SHA1
2286d2ff17bc79d63029b659d0eeea12df51972b

SHA256
e1e0596dd921ebeb9b2b42ea234319aeae42c784399045c0e7f3acf0333241b3

SHA512
98af44cb3162c7f4dbde1b68998b6a82338fab9837a46635fec9fcafbd606038e1ec2f8616a1136582c2b14410716eedfa469db0a808c5720fb68a22e50cce8e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8276382.exe

Filesize
493KB

MD5
8d005944fe6bc90684a177b7a923424c

SHA1
ff2b2ee2c4edf27d46431532913bd77827f101d0

SHA256
3c8d4d6741deb70ebfc635813f720d2a76f79b2804afd11478a851b88f14a418

SHA512
a5e281e6bd0cad50cbb7beda7f2e2175860e77da6f0410b721de9be2fd6691df3ef322774a7b3514729c4a0dfcb46e43f906833786dc02753292ebfb5d0c928d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8276382.exe

Filesize
493KB

MD5
8d005944fe6bc90684a177b7a923424c

SHA1
ff2b2ee2c4edf27d46431532913bd77827f101d0

SHA256
3c8d4d6741deb70ebfc635813f720d2a76f79b2804afd11478a851b88f14a418

SHA512
a5e281e6bd0cad50cbb7beda7f2e2175860e77da6f0410b721de9be2fd6691df3ef322774a7b3514729c4a0dfcb46e43f906833786dc02753292ebfb5d0c928d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9857242.exe

Filesize
860KB

MD5
7f04d1f88225cfd07de9af0d9127acd9

SHA1
618e16fcee4e934366fc3c0fe53350b658ae06f1

SHA256
e37b9dcced4b5c75e1f51a6e1d5cf39270cf3aca8bacdf447f95ec9254c2776e

SHA512
8ae547639b0b238d40f658a814bb2544fd97fb0e1533a2cdd14cf40fb3753b421db3b2b914434509dc8cea3030c5f34992e1a985ebcccd7c5dd34a784dfe2fdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9857242.exe

Filesize
860KB

MD5
7f04d1f88225cfd07de9af0d9127acd9

SHA1
618e16fcee4e934366fc3c0fe53350b658ae06f1

SHA256
e37b9dcced4b5c75e1f51a6e1d5cf39270cf3aca8bacdf447f95ec9254c2776e

SHA512
8ae547639b0b238d40f658a814bb2544fd97fb0e1533a2cdd14cf40fb3753b421db3b2b914434509dc8cea3030c5f34992e1a985ebcccd7c5dd34a784dfe2fdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9857242.exe

Filesize
860KB

MD5
7f04d1f88225cfd07de9af0d9127acd9

SHA1
618e16fcee4e934366fc3c0fe53350b658ae06f1

SHA256
e37b9dcced4b5c75e1f51a6e1d5cf39270cf3aca8bacdf447f95ec9254c2776e

SHA512
8ae547639b0b238d40f658a814bb2544fd97fb0e1533a2cdd14cf40fb3753b421db3b2b914434509dc8cea3030c5f34992e1a985ebcccd7c5dd34a784dfe2fdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9857242.exe

Filesize
860KB

MD5
7f04d1f88225cfd07de9af0d9127acd9

SHA1
618e16fcee4e934366fc3c0fe53350b658ae06f1

SHA256
e37b9dcced4b5c75e1f51a6e1d5cf39270cf3aca8bacdf447f95ec9254c2776e

SHA512
8ae547639b0b238d40f658a814bb2544fd97fb0e1533a2cdd14cf40fb3753b421db3b2b914434509dc8cea3030c5f34992e1a985ebcccd7c5dd34a784dfe2fdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9857242.exe

Filesize
860KB

MD5
7f04d1f88225cfd07de9af0d9127acd9

SHA1
618e16fcee4e934366fc3c0fe53350b658ae06f1

SHA256
e37b9dcced4b5c75e1f51a6e1d5cf39270cf3aca8bacdf447f95ec9254c2776e

SHA512
8ae547639b0b238d40f658a814bb2544fd97fb0e1533a2cdd14cf40fb3753b421db3b2b914434509dc8cea3030c5f34992e1a985ebcccd7c5dd34a784dfe2fdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9857242.exe

Filesize
860KB

MD5
7f04d1f88225cfd07de9af0d9127acd9

SHA1
618e16fcee4e934366fc3c0fe53350b658ae06f1

SHA256
e37b9dcced4b5c75e1f51a6e1d5cf39270cf3aca8bacdf447f95ec9254c2776e

SHA512
8ae547639b0b238d40f658a814bb2544fd97fb0e1533a2cdd14cf40fb3753b421db3b2b914434509dc8cea3030c5f34992e1a985ebcccd7c5dd34a784dfe2fdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9857242.exe

Filesize
860KB

MD5
7f04d1f88225cfd07de9af0d9127acd9

SHA1
618e16fcee4e934366fc3c0fe53350b658ae06f1

SHA256
e37b9dcced4b5c75e1f51a6e1d5cf39270cf3aca8bacdf447f95ec9254c2776e

SHA512
8ae547639b0b238d40f658a814bb2544fd97fb0e1533a2cdd14cf40fb3753b421db3b2b914434509dc8cea3030c5f34992e1a985ebcccd7c5dd34a784dfe2fdf

Download Submit
memory/2628-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2628-59-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-64-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2628-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2628-58-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2628-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2628-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2628-53-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download