healer | ff5a345e66395da78acaf57882a5838048190d45a2131451e74f4442f2e396b2

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2b1d1443477c4516046b9a19b6147589b85a786db9f3adab66bdcd801194b35.exe
Size

1.0MB
MD5

75280d4148aaa0ad2db420c5053dac86
SHA1

94d49a37a32719aed5051735dec84da8bcf1c74c
SHA256

b2b1d1443477c4516046b9a19b6147589b85a786db9f3adab66bdcd801194b35
SHA512

36cd2f88bcde1202dd21b918800456beaf940ab9cb7c8c52745c2923f52454df463731ae7247da564a2ebe2b1d7cc4a42587c0c7439161d92da26f7cd2139246
SSDEEP

24576:fy/OFKK9D8fgLBV7w0euhDxaFknbzTa0K:q/OFKu8Y8m5XT

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

resource	yara_rule
behavioral1/memory/2992-56-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2992-55-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2992-58-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2992-62-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2992-60-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

Executes dropped EXE 5 IoCs

pid	Process
2824	z7463627.exe
2908	z4985003.exe
3020	z2052342.exe
2520	z8688796.exe
2636	q6054440.exe

Loads dropped DLL 15 IoCs

pid	Process
2792	b2b1d1443477c4516046b9a19b6147589b85a786db9f3adab66bdcd801194b35.exe
2824	z7463627.exe
2824	z7463627.exe
2908	z4985003.exe
2908	z4985003.exe
3020	z2052342.exe
3020	z2052342.exe
2520	z8688796.exe
2520	z8688796.exe
2520	z8688796.exe
2636	q6054440.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z8688796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b2b1d1443477c4516046b9a19b6147589b85a786db9f3adab66bdcd801194b35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7463627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4985003.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z2052342.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2636 set thread context of 2992	2636	q6054440.exe	34

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2168	2636	WerFault.exe	33

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2992	AppLaunch.exe
2992	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	AppLaunch.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2824	2792	b2b1d1443477c4516046b9a19b6147589b85a786db9f3adab66bdcd801194b35.exe	29
PID 2792 wrote to memory of 2824	2792	b2b1d1443477c4516046b9a19b6147589b85a786db9f3adab66bdcd801194b35.exe	29
PID 2792 wrote to memory of 2824	2792	b2b1d1443477c4516046b9a19b6147589b85a786db9f3adab66bdcd801194b35.exe	29
PID 2792 wrote to memory of 2824	2792	b2b1d1443477c4516046b9a19b6147589b85a786db9f3adab66bdcd801194b35.exe	29
PID 2792 wrote to memory of 2824	2792	b2b1d1443477c4516046b9a19b6147589b85a786db9f3adab66bdcd801194b35.exe	29
PID 2792 wrote to memory of 2824	2792	b2b1d1443477c4516046b9a19b6147589b85a786db9f3adab66bdcd801194b35.exe	29
PID 2792 wrote to memory of 2824	2792	b2b1d1443477c4516046b9a19b6147589b85a786db9f3adab66bdcd801194b35.exe	29
PID 2824 wrote to memory of 2908	2824	z7463627.exe	30
PID 2824 wrote to memory of 2908	2824	z7463627.exe	30
PID 2824 wrote to memory of 2908	2824	z7463627.exe	30
PID 2824 wrote to memory of 2908	2824	z7463627.exe	30
PID 2824 wrote to memory of 2908	2824	z7463627.exe	30
PID 2824 wrote to memory of 2908	2824	z7463627.exe	30
PID 2824 wrote to memory of 2908	2824	z7463627.exe	30
PID 2908 wrote to memory of 3020	2908	z4985003.exe	31
PID 2908 wrote to memory of 3020	2908	z4985003.exe	31
PID 2908 wrote to memory of 3020	2908	z4985003.exe	31
PID 2908 wrote to memory of 3020	2908	z4985003.exe	31
PID 2908 wrote to memory of 3020	2908	z4985003.exe	31
PID 2908 wrote to memory of 3020	2908	z4985003.exe	31
PID 2908 wrote to memory of 3020	2908	z4985003.exe	31
PID 3020 wrote to memory of 2520	3020	z2052342.exe	32
PID 3020 wrote to memory of 2520	3020	z2052342.exe	32
PID 3020 wrote to memory of 2520	3020	z2052342.exe	32
PID 3020 wrote to memory of 2520	3020	z2052342.exe	32
PID 3020 wrote to memory of 2520	3020	z2052342.exe	32
PID 3020 wrote to memory of 2520	3020	z2052342.exe	32
PID 3020 wrote to memory of 2520	3020	z2052342.exe	32
PID 2520 wrote to memory of 2636	2520	z8688796.exe	33
PID 2520 wrote to memory of 2636	2520	z8688796.exe	33
PID 2520 wrote to memory of 2636	2520	z8688796.exe	33
PID 2520 wrote to memory of 2636	2520	z8688796.exe	33
PID 2520 wrote to memory of 2636	2520	z8688796.exe	33
PID 2520 wrote to memory of 2636	2520	z8688796.exe	33
PID 2520 wrote to memory of 2636	2520	z8688796.exe	33
PID 2636 wrote to memory of 2992	2636	q6054440.exe	34
PID 2636 wrote to memory of 2992	2636	q6054440.exe	34
PID 2636 wrote to memory of 2992	2636	q6054440.exe	34
PID 2636 wrote to memory of 2992	2636	q6054440.exe	34
PID 2636 wrote to memory of 2992	2636	q6054440.exe	34
PID 2636 wrote to memory of 2992	2636	q6054440.exe	34
PID 2636 wrote to memory of 2992	2636	q6054440.exe	34
PID 2636 wrote to memory of 2992	2636	q6054440.exe	34
PID 2636 wrote to memory of 2992	2636	q6054440.exe	34
PID 2636 wrote to memory of 2992	2636	q6054440.exe	34
PID 2636 wrote to memory of 2992	2636	q6054440.exe	34
PID 2636 wrote to memory of 2992	2636	q6054440.exe	34
PID 2636 wrote to memory of 2168	2636	q6054440.exe	35
PID 2636 wrote to memory of 2168	2636	q6054440.exe	35
PID 2636 wrote to memory of 2168	2636	q6054440.exe	35
PID 2636 wrote to memory of 2168	2636	q6054440.exe	35
PID 2636 wrote to memory of 2168	2636	q6054440.exe	35
PID 2636 wrote to memory of 2168	2636	q6054440.exe	35
PID 2636 wrote to memory of 2168	2636	q6054440.exe	35

C:\Users\Admin\AppData\Local\Temp\b2b1d1443477c4516046b9a19b6147589b85a786db9f3adab66bdcd801194b35.exe
"C:\Users\Admin\AppData\Local\Temp\b2b1d1443477c4516046b9a19b6147589b85a786db9f3adab66bdcd801194b35.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7463627.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7463627.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4985003.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4985003.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2052342.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2052342.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8688796.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8688796.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6054440.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6054440.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 272
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7463627.exe

Filesize
960KB

MD5
9ac02b19d9a5998061a991459368e01c

SHA1
d323b6da68deea6c3909e2f1cba3c7ba02d2b4db

SHA256
c1cd195d9806181e060763a3ea68d09a20f091318a0cf1f4923f710451535412

SHA512
639c8856e3ee1ab6e1273ac8cb6abc95c47d2b53ee56b0003cd2c189fd77737e314190481cae824f5715a29d2cd2ec4e6699afe3729ca99609aca74df1b9e167

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7463627.exe

Filesize
960KB

MD5
9ac02b19d9a5998061a991459368e01c

SHA1
d323b6da68deea6c3909e2f1cba3c7ba02d2b4db

SHA256
c1cd195d9806181e060763a3ea68d09a20f091318a0cf1f4923f710451535412

SHA512
639c8856e3ee1ab6e1273ac8cb6abc95c47d2b53ee56b0003cd2c189fd77737e314190481cae824f5715a29d2cd2ec4e6699afe3729ca99609aca74df1b9e167

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4985003.exe

Filesize
777KB

MD5
fc64b6e6881e77102dfe17e65100d2f7

SHA1
1b0e3f69a6333e1cf195cb8d6505828d68bc6a22

SHA256
5cc10198f211dcb351d9bbf1748af5b6fdbf9fb261a1c7506ecd76c966d4d81b

SHA512
eb0f4ed3f4d2bc209b594982f7cfd066ba7284e1c3212feb62429abeb9836406d75fed1913a318f7ad5b603929f63ca234bc247e5eb896437ba2dcba8e1488c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4985003.exe

Filesize
777KB

MD5
fc64b6e6881e77102dfe17e65100d2f7

SHA1
1b0e3f69a6333e1cf195cb8d6505828d68bc6a22

SHA256
5cc10198f211dcb351d9bbf1748af5b6fdbf9fb261a1c7506ecd76c966d4d81b

SHA512
eb0f4ed3f4d2bc209b594982f7cfd066ba7284e1c3212feb62429abeb9836406d75fed1913a318f7ad5b603929f63ca234bc247e5eb896437ba2dcba8e1488c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2052342.exe

Filesize
595KB

MD5
fd2ea836f25d1b5db903290d673cbcfe

SHA1
51804978fe326893e1e431ce5757d3eb917b8fb2

SHA256
162550290a8ec20032e5ab85f9fbfcb1cf8a2fc47be155faad5c61d759586fb8

SHA512
0713c360a0c1e11ab701d35bf037507fa4c933c00f17f2584e48401a9d3214aebbaddf2b925612ffd5b912f208aa597a02cf5c93f8f74a65c5764ebd530df599

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2052342.exe

Filesize
595KB

MD5
fd2ea836f25d1b5db903290d673cbcfe

SHA1
51804978fe326893e1e431ce5757d3eb917b8fb2

SHA256
162550290a8ec20032e5ab85f9fbfcb1cf8a2fc47be155faad5c61d759586fb8

SHA512
0713c360a0c1e11ab701d35bf037507fa4c933c00f17f2584e48401a9d3214aebbaddf2b925612ffd5b912f208aa597a02cf5c93f8f74a65c5764ebd530df599

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8688796.exe

Filesize
334KB

MD5
47e048c35b81277c842a461818600da8

SHA1
4a3c634ace6d2e3c22e04d070f21aa752636c2e7

SHA256
459bb5d959ec16cc695d1134b2a3a4b2363400cc82a30edc3471409c0dd4e3bb

SHA512
28a8f0febe1472cc76c4517a910bd337fe9c82b5b79e9e8269378218eee6456f4291f3dad5790c710ae5006e6ee60d803c4c7ae6677cfc04d3a101c7770e71ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8688796.exe

Filesize
334KB

MD5
47e048c35b81277c842a461818600da8

SHA1
4a3c634ace6d2e3c22e04d070f21aa752636c2e7

SHA256
459bb5d959ec16cc695d1134b2a3a4b2363400cc82a30edc3471409c0dd4e3bb

SHA512
28a8f0febe1472cc76c4517a910bd337fe9c82b5b79e9e8269378218eee6456f4291f3dad5790c710ae5006e6ee60d803c4c7ae6677cfc04d3a101c7770e71ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6054440.exe

Filesize
221KB

MD5
bd0dc599b8215ad0e0570bc57c002482

SHA1
c144a84eb9c167aae6408308bff0aa901895698f

SHA256
73fba5e547b757215def1488154a1b534348f65915d529cf9a7ffb614d67eb9a

SHA512
2c6d299c77fff9553497548611862c05691d9cb715eb9b4e8b34ce0fb7d64b586eb6df81f02f27048f6311abaafd5096f1fe1e8ae0b235f89675b5509a0372f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6054440.exe

Filesize
221KB

MD5
bd0dc599b8215ad0e0570bc57c002482

SHA1
c144a84eb9c167aae6408308bff0aa901895698f

SHA256
73fba5e547b757215def1488154a1b534348f65915d529cf9a7ffb614d67eb9a

SHA512
2c6d299c77fff9553497548611862c05691d9cb715eb9b4e8b34ce0fb7d64b586eb6df81f02f27048f6311abaafd5096f1fe1e8ae0b235f89675b5509a0372f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6054440.exe

Filesize
221KB

MD5
bd0dc599b8215ad0e0570bc57c002482

SHA1
c144a84eb9c167aae6408308bff0aa901895698f

SHA256
73fba5e547b757215def1488154a1b534348f65915d529cf9a7ffb614d67eb9a

SHA512
2c6d299c77fff9553497548611862c05691d9cb715eb9b4e8b34ce0fb7d64b586eb6df81f02f27048f6311abaafd5096f1fe1e8ae0b235f89675b5509a0372f2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7463627.exe

Filesize
960KB

MD5
9ac02b19d9a5998061a991459368e01c

SHA1
d323b6da68deea6c3909e2f1cba3c7ba02d2b4db

SHA256
c1cd195d9806181e060763a3ea68d09a20f091318a0cf1f4923f710451535412

SHA512
639c8856e3ee1ab6e1273ac8cb6abc95c47d2b53ee56b0003cd2c189fd77737e314190481cae824f5715a29d2cd2ec4e6699afe3729ca99609aca74df1b9e167

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7463627.exe

Filesize
960KB

MD5
9ac02b19d9a5998061a991459368e01c

SHA1
d323b6da68deea6c3909e2f1cba3c7ba02d2b4db

SHA256
c1cd195d9806181e060763a3ea68d09a20f091318a0cf1f4923f710451535412

SHA512
639c8856e3ee1ab6e1273ac8cb6abc95c47d2b53ee56b0003cd2c189fd77737e314190481cae824f5715a29d2cd2ec4e6699afe3729ca99609aca74df1b9e167

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4985003.exe

Filesize
777KB

MD5
fc64b6e6881e77102dfe17e65100d2f7

SHA1
1b0e3f69a6333e1cf195cb8d6505828d68bc6a22

SHA256
5cc10198f211dcb351d9bbf1748af5b6fdbf9fb261a1c7506ecd76c966d4d81b

SHA512
eb0f4ed3f4d2bc209b594982f7cfd066ba7284e1c3212feb62429abeb9836406d75fed1913a318f7ad5b603929f63ca234bc247e5eb896437ba2dcba8e1488c7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4985003.exe

Filesize
777KB

MD5
fc64b6e6881e77102dfe17e65100d2f7

SHA1
1b0e3f69a6333e1cf195cb8d6505828d68bc6a22

SHA256
5cc10198f211dcb351d9bbf1748af5b6fdbf9fb261a1c7506ecd76c966d4d81b

SHA512
eb0f4ed3f4d2bc209b594982f7cfd066ba7284e1c3212feb62429abeb9836406d75fed1913a318f7ad5b603929f63ca234bc247e5eb896437ba2dcba8e1488c7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2052342.exe

Filesize
595KB

MD5
fd2ea836f25d1b5db903290d673cbcfe

SHA1
51804978fe326893e1e431ce5757d3eb917b8fb2

SHA256
162550290a8ec20032e5ab85f9fbfcb1cf8a2fc47be155faad5c61d759586fb8

SHA512
0713c360a0c1e11ab701d35bf037507fa4c933c00f17f2584e48401a9d3214aebbaddf2b925612ffd5b912f208aa597a02cf5c93f8f74a65c5764ebd530df599

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2052342.exe

Filesize
595KB

MD5
fd2ea836f25d1b5db903290d673cbcfe

SHA1
51804978fe326893e1e431ce5757d3eb917b8fb2

SHA256
162550290a8ec20032e5ab85f9fbfcb1cf8a2fc47be155faad5c61d759586fb8

SHA512
0713c360a0c1e11ab701d35bf037507fa4c933c00f17f2584e48401a9d3214aebbaddf2b925612ffd5b912f208aa597a02cf5c93f8f74a65c5764ebd530df599

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8688796.exe

Filesize
334KB

MD5
47e048c35b81277c842a461818600da8

SHA1
4a3c634ace6d2e3c22e04d070f21aa752636c2e7

SHA256
459bb5d959ec16cc695d1134b2a3a4b2363400cc82a30edc3471409c0dd4e3bb

SHA512
28a8f0febe1472cc76c4517a910bd337fe9c82b5b79e9e8269378218eee6456f4291f3dad5790c710ae5006e6ee60d803c4c7ae6677cfc04d3a101c7770e71ca

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8688796.exe

Filesize
334KB

MD5
47e048c35b81277c842a461818600da8

SHA1
4a3c634ace6d2e3c22e04d070f21aa752636c2e7

SHA256
459bb5d959ec16cc695d1134b2a3a4b2363400cc82a30edc3471409c0dd4e3bb

SHA512
28a8f0febe1472cc76c4517a910bd337fe9c82b5b79e9e8269378218eee6456f4291f3dad5790c710ae5006e6ee60d803c4c7ae6677cfc04d3a101c7770e71ca

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6054440.exe

Filesize
221KB

MD5
bd0dc599b8215ad0e0570bc57c002482

SHA1
c144a84eb9c167aae6408308bff0aa901895698f

SHA256
73fba5e547b757215def1488154a1b534348f65915d529cf9a7ffb614d67eb9a

SHA512
2c6d299c77fff9553497548611862c05691d9cb715eb9b4e8b34ce0fb7d64b586eb6df81f02f27048f6311abaafd5096f1fe1e8ae0b235f89675b5509a0372f2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6054440.exe

Filesize
221KB

MD5
bd0dc599b8215ad0e0570bc57c002482

SHA1
c144a84eb9c167aae6408308bff0aa901895698f

SHA256
73fba5e547b757215def1488154a1b534348f65915d529cf9a7ffb614d67eb9a

SHA512
2c6d299c77fff9553497548611862c05691d9cb715eb9b4e8b34ce0fb7d64b586eb6df81f02f27048f6311abaafd5096f1fe1e8ae0b235f89675b5509a0372f2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6054440.exe

Filesize
221KB

MD5
bd0dc599b8215ad0e0570bc57c002482

SHA1
c144a84eb9c167aae6408308bff0aa901895698f

SHA256
73fba5e547b757215def1488154a1b534348f65915d529cf9a7ffb614d67eb9a

SHA512
2c6d299c77fff9553497548611862c05691d9cb715eb9b4e8b34ce0fb7d64b586eb6df81f02f27048f6311abaafd5096f1fe1e8ae0b235f89675b5509a0372f2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6054440.exe

Filesize
221KB

MD5
bd0dc599b8215ad0e0570bc57c002482

SHA1
c144a84eb9c167aae6408308bff0aa901895698f

SHA256
73fba5e547b757215def1488154a1b534348f65915d529cf9a7ffb614d67eb9a

SHA512
2c6d299c77fff9553497548611862c05691d9cb715eb9b4e8b34ce0fb7d64b586eb6df81f02f27048f6311abaafd5096f1fe1e8ae0b235f89675b5509a0372f2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6054440.exe

Filesize
221KB

MD5
bd0dc599b8215ad0e0570bc57c002482

SHA1
c144a84eb9c167aae6408308bff0aa901895698f

SHA256
73fba5e547b757215def1488154a1b534348f65915d529cf9a7ffb614d67eb9a

SHA512
2c6d299c77fff9553497548611862c05691d9cb715eb9b4e8b34ce0fb7d64b586eb6df81f02f27048f6311abaafd5096f1fe1e8ae0b235f89675b5509a0372f2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6054440.exe

Filesize
221KB

MD5
bd0dc599b8215ad0e0570bc57c002482

SHA1
c144a84eb9c167aae6408308bff0aa901895698f

SHA256
73fba5e547b757215def1488154a1b534348f65915d529cf9a7ffb614d67eb9a

SHA512
2c6d299c77fff9553497548611862c05691d9cb715eb9b4e8b34ce0fb7d64b586eb6df81f02f27048f6311abaafd5096f1fe1e8ae0b235f89675b5509a0372f2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6054440.exe

Filesize
221KB

MD5
bd0dc599b8215ad0e0570bc57c002482

SHA1
c144a84eb9c167aae6408308bff0aa901895698f

SHA256
73fba5e547b757215def1488154a1b534348f65915d529cf9a7ffb614d67eb9a

SHA512
2c6d299c77fff9553497548611862c05691d9cb715eb9b4e8b34ce0fb7d64b586eb6df81f02f27048f6311abaafd5096f1fe1e8ae0b235f89675b5509a0372f2

Download Submit
memory/2992-54-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2992-58-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2992-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2992-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2992-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2992-57-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2992-53-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download