healer | 6d2cd5e665788d2ac6736ece6b870dc7d944ebe1e0c495e7ed2370d88e6b3465

Analysis

max time kernel
161s
max time network
55s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb56348f79ead46b16afc16726a35457a124e2b11db56d3d72c0fe5ba267e727.exe
Size

1.1MB
MD5

81e16bd56262282e3e859223c081b74b
SHA1

edf0e80c0397c8e7d7580dd36373d02491d72821
SHA256

cb56348f79ead46b16afc16726a35457a124e2b11db56d3d72c0fe5ba267e727
SHA512

2c25df2c75241988033b5c4d1b9572204e969e06a386d91bb87dad2e682fc37b7dd463bb8b8afa230132573c10feb596e98929f2b43abeb5cc084546432c5f6a
SSDEEP

24576:WywEgreBsukMqwZ9bqasuQQEpY5RZivMq7o+jV5HM3V2ssMk1UbWxPy:loQkMPZxjszCRZiv9Dsl2lhWW

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

resource	yara_rule
behavioral1/memory/1956-55-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/1956-56-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/1956-58-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/1956-62-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/1956-60-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

pid	Process
2572	z3588073.exe
2584	z9997535.exe
2388	z1379828.exe
2824	z6197518.exe
2720	q3595961.exe

Loads dropped DLL 15 IoCs

pid	Process
3004	cb56348f79ead46b16afc16726a35457a124e2b11db56d3d72c0fe5ba267e727.exe
2572	z3588073.exe
2572	z3588073.exe
2584	z9997535.exe
2584	z9997535.exe
2388	z1379828.exe
2388	z1379828.exe
2824	z6197518.exe
2824	z6197518.exe
2824	z6197518.exe
2720	q3595961.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z1379828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z6197518.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cb56348f79ead46b16afc16726a35457a124e2b11db56d3d72c0fe5ba267e727.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3588073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9997535.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 1956	2720	q3595961.exe	32

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1244	2720	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1956	AppLaunch.exe
1956	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	AppLaunch.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2572	3004	cb56348f79ead46b16afc16726a35457a124e2b11db56d3d72c0fe5ba267e727.exe	27
PID 3004 wrote to memory of 2572	3004	cb56348f79ead46b16afc16726a35457a124e2b11db56d3d72c0fe5ba267e727.exe	27
PID 3004 wrote to memory of 2572	3004	cb56348f79ead46b16afc16726a35457a124e2b11db56d3d72c0fe5ba267e727.exe	27
PID 3004 wrote to memory of 2572	3004	cb56348f79ead46b16afc16726a35457a124e2b11db56d3d72c0fe5ba267e727.exe	27
PID 3004 wrote to memory of 2572	3004	cb56348f79ead46b16afc16726a35457a124e2b11db56d3d72c0fe5ba267e727.exe	27
PID 3004 wrote to memory of 2572	3004	cb56348f79ead46b16afc16726a35457a124e2b11db56d3d72c0fe5ba267e727.exe	27
PID 3004 wrote to memory of 2572	3004	cb56348f79ead46b16afc16726a35457a124e2b11db56d3d72c0fe5ba267e727.exe	27
PID 2572 wrote to memory of 2584	2572	z3588073.exe	28
PID 2572 wrote to memory of 2584	2572	z3588073.exe	28
PID 2572 wrote to memory of 2584	2572	z3588073.exe	28
PID 2572 wrote to memory of 2584	2572	z3588073.exe	28
PID 2572 wrote to memory of 2584	2572	z3588073.exe	28
PID 2572 wrote to memory of 2584	2572	z3588073.exe	28
PID 2572 wrote to memory of 2584	2572	z3588073.exe	28
PID 2584 wrote to memory of 2388	2584	z9997535.exe	29
PID 2584 wrote to memory of 2388	2584	z9997535.exe	29
PID 2584 wrote to memory of 2388	2584	z9997535.exe	29
PID 2584 wrote to memory of 2388	2584	z9997535.exe	29
PID 2584 wrote to memory of 2388	2584	z9997535.exe	29
PID 2584 wrote to memory of 2388	2584	z9997535.exe	29
PID 2584 wrote to memory of 2388	2584	z9997535.exe	29
PID 2388 wrote to memory of 2824	2388	z1379828.exe	30
PID 2388 wrote to memory of 2824	2388	z1379828.exe	30
PID 2388 wrote to memory of 2824	2388	z1379828.exe	30
PID 2388 wrote to memory of 2824	2388	z1379828.exe	30
PID 2388 wrote to memory of 2824	2388	z1379828.exe	30
PID 2388 wrote to memory of 2824	2388	z1379828.exe	30
PID 2388 wrote to memory of 2824	2388	z1379828.exe	30
PID 2824 wrote to memory of 2720	2824	z6197518.exe	31
PID 2824 wrote to memory of 2720	2824	z6197518.exe	31
PID 2824 wrote to memory of 2720	2824	z6197518.exe	31
PID 2824 wrote to memory of 2720	2824	z6197518.exe	31
PID 2824 wrote to memory of 2720	2824	z6197518.exe	31
PID 2824 wrote to memory of 2720	2824	z6197518.exe	31
PID 2824 wrote to memory of 2720	2824	z6197518.exe	31
PID 2720 wrote to memory of 1956	2720	q3595961.exe	32
PID 2720 wrote to memory of 1956	2720	q3595961.exe	32
PID 2720 wrote to memory of 1956	2720	q3595961.exe	32
PID 2720 wrote to memory of 1956	2720	q3595961.exe	32
PID 2720 wrote to memory of 1956	2720	q3595961.exe	32
PID 2720 wrote to memory of 1956	2720	q3595961.exe	32
PID 2720 wrote to memory of 1956	2720	q3595961.exe	32
PID 2720 wrote to memory of 1956	2720	q3595961.exe	32
PID 2720 wrote to memory of 1956	2720	q3595961.exe	32
PID 2720 wrote to memory of 1956	2720	q3595961.exe	32
PID 2720 wrote to memory of 1956	2720	q3595961.exe	32
PID 2720 wrote to memory of 1956	2720	q3595961.exe	32
PID 2720 wrote to memory of 1244	2720	q3595961.exe	33
PID 2720 wrote to memory of 1244	2720	q3595961.exe	33
PID 2720 wrote to memory of 1244	2720	q3595961.exe	33
PID 2720 wrote to memory of 1244	2720	q3595961.exe	33
PID 2720 wrote to memory of 1244	2720	q3595961.exe	33
PID 2720 wrote to memory of 1244	2720	q3595961.exe	33
PID 2720 wrote to memory of 1244	2720	q3595961.exe	33

C:\Users\Admin\AppData\Local\Temp\cb56348f79ead46b16afc16726a35457a124e2b11db56d3d72c0fe5ba267e727.exe
"C:\Users\Admin\AppData\Local\Temp\cb56348f79ead46b16afc16726a35457a124e2b11db56d3d72c0fe5ba267e727.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3588073.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3588073.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9997535.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9997535.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1379828.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1379828.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6197518.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6197518.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3595961.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3595961.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 272
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3588073.exe

Filesize
983KB

MD5
78110d8d8fb26c2033ed55805a07c908

SHA1
2588abd80de98172e95adb5ef146895fa032b907

SHA256
7ba8670b1f7ec0289e6c26265614d80feef80192841ed6dc92ed5c7bb744440d

SHA512
d82328c37f7ad38c1fa9fcf3a3f029a02b230fb98f347b4299054aef17ae8f8e8e7fe2a8b0ff0044636ec1853b10d54a76909e18a29e08610e561176333a4c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3588073.exe

Filesize
983KB

MD5
78110d8d8fb26c2033ed55805a07c908

SHA1
2588abd80de98172e95adb5ef146895fa032b907

SHA256
7ba8670b1f7ec0289e6c26265614d80feef80192841ed6dc92ed5c7bb744440d

SHA512
d82328c37f7ad38c1fa9fcf3a3f029a02b230fb98f347b4299054aef17ae8f8e8e7fe2a8b0ff0044636ec1853b10d54a76909e18a29e08610e561176333a4c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9997535.exe

Filesize
799KB

MD5
782bd3ff6a1425d367a26a6538c64520

SHA1
2dd5286840c15d17f79234997057aaf3a7daba30

SHA256
6dc08d8f756ca2a60a93f4b3bef1fdde4ec66780efc272f1791397d62ed1bd83

SHA512
3e59e197da3520de33339ab6deaa8bbd31056a93747f7c24723ff08b1e84af68789863e220fae3973bca167c5b0f4f72579edbe1e42492def10d78d6fe8b4f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9997535.exe

Filesize
799KB

MD5
782bd3ff6a1425d367a26a6538c64520

SHA1
2dd5286840c15d17f79234997057aaf3a7daba30

SHA256
6dc08d8f756ca2a60a93f4b3bef1fdde4ec66780efc272f1791397d62ed1bd83

SHA512
3e59e197da3520de33339ab6deaa8bbd31056a93747f7c24723ff08b1e84af68789863e220fae3973bca167c5b0f4f72579edbe1e42492def10d78d6fe8b4f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1379828.exe

Filesize
616KB

MD5
3f9ba20189e7443295e99b965b1ce579

SHA1
4083e3dd97fb3345fd50d7a45e11d538783a0ab6

SHA256
1226a4fc8ffa9542a08bf3ac28351b242f6243e625b01ab40bd1b0577ca87382

SHA512
92a8eca78a5ffd726f5fdafd4c1775e7d5a2a9626c8f10f9bfb9f991193b1679b5fb860ddc062f7b05a2ebbd4f9a97f2456160dfe070071d53bf2cca00347d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1379828.exe

Filesize
616KB

MD5
3f9ba20189e7443295e99b965b1ce579

SHA1
4083e3dd97fb3345fd50d7a45e11d538783a0ab6

SHA256
1226a4fc8ffa9542a08bf3ac28351b242f6243e625b01ab40bd1b0577ca87382

SHA512
92a8eca78a5ffd726f5fdafd4c1775e7d5a2a9626c8f10f9bfb9f991193b1679b5fb860ddc062f7b05a2ebbd4f9a97f2456160dfe070071d53bf2cca00347d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6197518.exe

Filesize
346KB

MD5
b280fb4297ff8f3c5cab8fb875d204cf

SHA1
93b3d177dc41729367fb007912bc9fde8e5a73bf

SHA256
c7c8689502234b385120421926ac6c668ea34414d6030d9365e298e10293eb96

SHA512
e41b0c435622658602f7bf8c3f61a10226090f45aa37be11650ac9c649fa61ece46a3a419e97636c1a526527c6ef6497461df4ac4a0370561b4b7733fed3f3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6197518.exe

Filesize
346KB

MD5
b280fb4297ff8f3c5cab8fb875d204cf

SHA1
93b3d177dc41729367fb007912bc9fde8e5a73bf

SHA256
c7c8689502234b385120421926ac6c668ea34414d6030d9365e298e10293eb96

SHA512
e41b0c435622658602f7bf8c3f61a10226090f45aa37be11650ac9c649fa61ece46a3a419e97636c1a526527c6ef6497461df4ac4a0370561b4b7733fed3f3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3595961.exe

Filesize
235KB

MD5
c35f196687a5be7fb22b3b9c610bf8ec

SHA1
ddbbe642ac5dc4eab7064091385a929751d47c4c

SHA256
3a24dc73409fdc3c7d0e5aeb309242b186bdfbd4ee83a67f824be51847535a6d

SHA512
e4745573d29f36389254aad7f129cf6dd982649d09213ed2558fa4e7d83bf8aca9b3f17637554c1c4bd2708fcb1b6cffd0b2a6cd683b14465d05f2355270558d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3595961.exe

Filesize
235KB

MD5
c35f196687a5be7fb22b3b9c610bf8ec

SHA1
ddbbe642ac5dc4eab7064091385a929751d47c4c

SHA256
3a24dc73409fdc3c7d0e5aeb309242b186bdfbd4ee83a67f824be51847535a6d

SHA512
e4745573d29f36389254aad7f129cf6dd982649d09213ed2558fa4e7d83bf8aca9b3f17637554c1c4bd2708fcb1b6cffd0b2a6cd683b14465d05f2355270558d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3595961.exe

Filesize
235KB

MD5
c35f196687a5be7fb22b3b9c610bf8ec

SHA1
ddbbe642ac5dc4eab7064091385a929751d47c4c

SHA256
3a24dc73409fdc3c7d0e5aeb309242b186bdfbd4ee83a67f824be51847535a6d

SHA512
e4745573d29f36389254aad7f129cf6dd982649d09213ed2558fa4e7d83bf8aca9b3f17637554c1c4bd2708fcb1b6cffd0b2a6cd683b14465d05f2355270558d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3588073.exe

Filesize
983KB

MD5
78110d8d8fb26c2033ed55805a07c908

SHA1
2588abd80de98172e95adb5ef146895fa032b907

SHA256
7ba8670b1f7ec0289e6c26265614d80feef80192841ed6dc92ed5c7bb744440d

SHA512
d82328c37f7ad38c1fa9fcf3a3f029a02b230fb98f347b4299054aef17ae8f8e8e7fe2a8b0ff0044636ec1853b10d54a76909e18a29e08610e561176333a4c28

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3588073.exe

Filesize
983KB

MD5
78110d8d8fb26c2033ed55805a07c908

SHA1
2588abd80de98172e95adb5ef146895fa032b907

SHA256
7ba8670b1f7ec0289e6c26265614d80feef80192841ed6dc92ed5c7bb744440d

SHA512
d82328c37f7ad38c1fa9fcf3a3f029a02b230fb98f347b4299054aef17ae8f8e8e7fe2a8b0ff0044636ec1853b10d54a76909e18a29e08610e561176333a4c28

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9997535.exe

Filesize
799KB

MD5
782bd3ff6a1425d367a26a6538c64520

SHA1
2dd5286840c15d17f79234997057aaf3a7daba30

SHA256
6dc08d8f756ca2a60a93f4b3bef1fdde4ec66780efc272f1791397d62ed1bd83

SHA512
3e59e197da3520de33339ab6deaa8bbd31056a93747f7c24723ff08b1e84af68789863e220fae3973bca167c5b0f4f72579edbe1e42492def10d78d6fe8b4f16

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9997535.exe

Filesize
799KB

MD5
782bd3ff6a1425d367a26a6538c64520

SHA1
2dd5286840c15d17f79234997057aaf3a7daba30

SHA256
6dc08d8f756ca2a60a93f4b3bef1fdde4ec66780efc272f1791397d62ed1bd83

SHA512
3e59e197da3520de33339ab6deaa8bbd31056a93747f7c24723ff08b1e84af68789863e220fae3973bca167c5b0f4f72579edbe1e42492def10d78d6fe8b4f16

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1379828.exe

Filesize
616KB

MD5
3f9ba20189e7443295e99b965b1ce579

SHA1
4083e3dd97fb3345fd50d7a45e11d538783a0ab6

SHA256
1226a4fc8ffa9542a08bf3ac28351b242f6243e625b01ab40bd1b0577ca87382

SHA512
92a8eca78a5ffd726f5fdafd4c1775e7d5a2a9626c8f10f9bfb9f991193b1679b5fb860ddc062f7b05a2ebbd4f9a97f2456160dfe070071d53bf2cca00347d37

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1379828.exe

Filesize
616KB

MD5
3f9ba20189e7443295e99b965b1ce579

SHA1
4083e3dd97fb3345fd50d7a45e11d538783a0ab6

SHA256
1226a4fc8ffa9542a08bf3ac28351b242f6243e625b01ab40bd1b0577ca87382

SHA512
92a8eca78a5ffd726f5fdafd4c1775e7d5a2a9626c8f10f9bfb9f991193b1679b5fb860ddc062f7b05a2ebbd4f9a97f2456160dfe070071d53bf2cca00347d37

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6197518.exe

Filesize
346KB

MD5
b280fb4297ff8f3c5cab8fb875d204cf

SHA1
93b3d177dc41729367fb007912bc9fde8e5a73bf

SHA256
c7c8689502234b385120421926ac6c668ea34414d6030d9365e298e10293eb96

SHA512
e41b0c435622658602f7bf8c3f61a10226090f45aa37be11650ac9c649fa61ece46a3a419e97636c1a526527c6ef6497461df4ac4a0370561b4b7733fed3f3aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6197518.exe

Filesize
346KB

MD5
b280fb4297ff8f3c5cab8fb875d204cf

SHA1
93b3d177dc41729367fb007912bc9fde8e5a73bf

SHA256
c7c8689502234b385120421926ac6c668ea34414d6030d9365e298e10293eb96

SHA512
e41b0c435622658602f7bf8c3f61a10226090f45aa37be11650ac9c649fa61ece46a3a419e97636c1a526527c6ef6497461df4ac4a0370561b4b7733fed3f3aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3595961.exe

Filesize
235KB

MD5
c35f196687a5be7fb22b3b9c610bf8ec

SHA1
ddbbe642ac5dc4eab7064091385a929751d47c4c

SHA256
3a24dc73409fdc3c7d0e5aeb309242b186bdfbd4ee83a67f824be51847535a6d

SHA512
e4745573d29f36389254aad7f129cf6dd982649d09213ed2558fa4e7d83bf8aca9b3f17637554c1c4bd2708fcb1b6cffd0b2a6cd683b14465d05f2355270558d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3595961.exe

Filesize
235KB

MD5
c35f196687a5be7fb22b3b9c610bf8ec

SHA1
ddbbe642ac5dc4eab7064091385a929751d47c4c

SHA256
3a24dc73409fdc3c7d0e5aeb309242b186bdfbd4ee83a67f824be51847535a6d

SHA512
e4745573d29f36389254aad7f129cf6dd982649d09213ed2558fa4e7d83bf8aca9b3f17637554c1c4bd2708fcb1b6cffd0b2a6cd683b14465d05f2355270558d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3595961.exe

Filesize
235KB

MD5
c35f196687a5be7fb22b3b9c610bf8ec

SHA1
ddbbe642ac5dc4eab7064091385a929751d47c4c

SHA256
3a24dc73409fdc3c7d0e5aeb309242b186bdfbd4ee83a67f824be51847535a6d

SHA512
e4745573d29f36389254aad7f129cf6dd982649d09213ed2558fa4e7d83bf8aca9b3f17637554c1c4bd2708fcb1b6cffd0b2a6cd683b14465d05f2355270558d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3595961.exe

Filesize
235KB

MD5
c35f196687a5be7fb22b3b9c610bf8ec

SHA1
ddbbe642ac5dc4eab7064091385a929751d47c4c

SHA256
3a24dc73409fdc3c7d0e5aeb309242b186bdfbd4ee83a67f824be51847535a6d

SHA512
e4745573d29f36389254aad7f129cf6dd982649d09213ed2558fa4e7d83bf8aca9b3f17637554c1c4bd2708fcb1b6cffd0b2a6cd683b14465d05f2355270558d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3595961.exe

Filesize
235KB

MD5
c35f196687a5be7fb22b3b9c610bf8ec

SHA1
ddbbe642ac5dc4eab7064091385a929751d47c4c

SHA256
3a24dc73409fdc3c7d0e5aeb309242b186bdfbd4ee83a67f824be51847535a6d

SHA512
e4745573d29f36389254aad7f129cf6dd982649d09213ed2558fa4e7d83bf8aca9b3f17637554c1c4bd2708fcb1b6cffd0b2a6cd683b14465d05f2355270558d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3595961.exe

Filesize
235KB

MD5
c35f196687a5be7fb22b3b9c610bf8ec

SHA1
ddbbe642ac5dc4eab7064091385a929751d47c4c

SHA256
3a24dc73409fdc3c7d0e5aeb309242b186bdfbd4ee83a67f824be51847535a6d

SHA512
e4745573d29f36389254aad7f129cf6dd982649d09213ed2558fa4e7d83bf8aca9b3f17637554c1c4bd2708fcb1b6cffd0b2a6cd683b14465d05f2355270558d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3595961.exe

Filesize
235KB

MD5
c35f196687a5be7fb22b3b9c610bf8ec

SHA1
ddbbe642ac5dc4eab7064091385a929751d47c4c

SHA256
3a24dc73409fdc3c7d0e5aeb309242b186bdfbd4ee83a67f824be51847535a6d

SHA512
e4745573d29f36389254aad7f129cf6dd982649d09213ed2558fa4e7d83bf8aca9b3f17637554c1c4bd2708fcb1b6cffd0b2a6cd683b14465d05f2355270558d

Download Submit
memory/1956-57-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1956-58-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-53-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-54-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download