healer | 828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe
Size

2.6MB
MD5

f41a4df182ef98f9f5d198910942c1c4
SHA1

2167c024a2075dea97b866e54da66ee8b283d98a
SHA256

828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e
SHA512

1cb7ff9bb30cc650842285aeaf778b21cc4c160b0136fcb8aa75b84ea42831fc1433603bb49090100c268961f5f79b66468d11709e00a34dd62e908f242fbdf2
SSDEEP

49152:I99i4yt/CN9aBxxLf7cTyec/eruo3QtidaV3JfOQ:tIaBnf7QdYV3tT

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

resource	yara_rule
behavioral1/memory/2008-64-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2008-63-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2008-66-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2008-70-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2008-68-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 4 IoCs

pid	Process
2432	x9663602.exe
2244	x7249290.exe
2500	x9271324.exe
3000	g6429997.exe

Loads dropped DLL 13 IoCs

pid	Process
2132	AppLaunch.exe
2432	x9663602.exe
2432	x9663602.exe
2244	x7249290.exe
2244	x7249290.exe
2500	x9271324.exe
2500	x9271324.exe
2500	x9271324.exe
3000	g6429997.exe
580	WerFault.exe
580	WerFault.exe
580	WerFault.exe
580	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9663602.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7249290.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9271324.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 3000 set thread context of 2008	3000	g6429997.exe	36

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2740	1980	WerFault.exe	27
580	3000	WerFault.exe	34

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2008	AppLaunch.exe
2008	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 1980 wrote to memory of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 1980 wrote to memory of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 1980 wrote to memory of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 1980 wrote to memory of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 1980 wrote to memory of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 1980 wrote to memory of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 1980 wrote to memory of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 1980 wrote to memory of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 1980 wrote to memory of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 1980 wrote to memory of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 1980 wrote to memory of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 1980 wrote to memory of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 1980 wrote to memory of 2132	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	29
PID 1980 wrote to memory of 2740	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	30
PID 1980 wrote to memory of 2740	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	30
PID 1980 wrote to memory of 2740	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	30
PID 1980 wrote to memory of 2740	1980	828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe	30
PID 2132 wrote to memory of 2432	2132	AppLaunch.exe	31
PID 2132 wrote to memory of 2432	2132	AppLaunch.exe	31
PID 2132 wrote to memory of 2432	2132	AppLaunch.exe	31
PID 2132 wrote to memory of 2432	2132	AppLaunch.exe	31
PID 2132 wrote to memory of 2432	2132	AppLaunch.exe	31
PID 2132 wrote to memory of 2432	2132	AppLaunch.exe	31
PID 2132 wrote to memory of 2432	2132	AppLaunch.exe	31
PID 2432 wrote to memory of 2244	2432	x9663602.exe	32
PID 2432 wrote to memory of 2244	2432	x9663602.exe	32
PID 2432 wrote to memory of 2244	2432	x9663602.exe	32
PID 2432 wrote to memory of 2244	2432	x9663602.exe	32
PID 2432 wrote to memory of 2244	2432	x9663602.exe	32
PID 2432 wrote to memory of 2244	2432	x9663602.exe	32
PID 2432 wrote to memory of 2244	2432	x9663602.exe	32
PID 2244 wrote to memory of 2500	2244	x7249290.exe	33
PID 2244 wrote to memory of 2500	2244	x7249290.exe	33
PID 2244 wrote to memory of 2500	2244	x7249290.exe	33
PID 2244 wrote to memory of 2500	2244	x7249290.exe	33
PID 2244 wrote to memory of 2500	2244	x7249290.exe	33
PID 2244 wrote to memory of 2500	2244	x7249290.exe	33
PID 2244 wrote to memory of 2500	2244	x7249290.exe	33
PID 2500 wrote to memory of 3000	2500	x9271324.exe	34
PID 2500 wrote to memory of 3000	2500	x9271324.exe	34
PID 2500 wrote to memory of 3000	2500	x9271324.exe	34
PID 2500 wrote to memory of 3000	2500	x9271324.exe	34
PID 2500 wrote to memory of 3000	2500	x9271324.exe	34
PID 2500 wrote to memory of 3000	2500	x9271324.exe	34
PID 2500 wrote to memory of 3000	2500	x9271324.exe	34
PID 3000 wrote to memory of 2008	3000	g6429997.exe	36
PID 3000 wrote to memory of 2008	3000	g6429997.exe	36
PID 3000 wrote to memory of 2008	3000	g6429997.exe	36
PID 3000 wrote to memory of 2008	3000	g6429997.exe	36
PID 3000 wrote to memory of 2008	3000	g6429997.exe	36
PID 3000 wrote to memory of 2008	3000	g6429997.exe	36
PID 3000 wrote to memory of 2008	3000	g6429997.exe	36
PID 3000 wrote to memory of 2008	3000	g6429997.exe	36
PID 3000 wrote to memory of 2008	3000	g6429997.exe	36
PID 3000 wrote to memory of 2008	3000	g6429997.exe	36
PID 3000 wrote to memory of 2008	3000	g6429997.exe	36
PID 3000 wrote to memory of 2008	3000	g6429997.exe	36
PID 3000 wrote to memory of 580	3000	g6429997.exe	37
PID 3000 wrote to memory of 580	3000	g6429997.exe	37
PID 3000 wrote to memory of 580	3000	g6429997.exe	37
PID 3000 wrote to memory of 580	3000	g6429997.exe	37
PID 3000 wrote to memory of 580	3000	g6429997.exe	37
PID 3000 wrote to memory of 580	3000	g6429997.exe	37

C:\Users\Admin\AppData\Local\Temp\828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe
"C:\Users\Admin\AppData\Local\Temp\828ea4bc7fb1ce389b865bb66afbcfb4c116f5b308f438c56ef5d48b7b06090e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9663602.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9663602.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7249290.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7249290.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9271324.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9271324.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6429997.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6429997.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 268
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 92
  2⤵
  - Program crash
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9663602.exe

Filesize
1.0MB

MD5
1386f628abc8cf69b453f67d42c84c7a

SHA1
fab5038930e75ebfb991e36924f5c9d86fe6cdc7

SHA256
d3c232845e181a4c4a9da20c4a10db2c540a224af46a684fb2f4b8cdf8d85042

SHA512
b9b6cafbaa6fcfe4d0408d450404c28a1b75a51abef7974bed5b403c369d1065e4bc8eaaf808be25ab9608b515316f59a55f8e525c8f85c05f0b26c478423693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9663602.exe

Filesize
1.0MB

MD5
1386f628abc8cf69b453f67d42c84c7a

SHA1
fab5038930e75ebfb991e36924f5c9d86fe6cdc7

SHA256
d3c232845e181a4c4a9da20c4a10db2c540a224af46a684fb2f4b8cdf8d85042

SHA512
b9b6cafbaa6fcfe4d0408d450404c28a1b75a51abef7974bed5b403c369d1065e4bc8eaaf808be25ab9608b515316f59a55f8e525c8f85c05f0b26c478423693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7249290.exe

Filesize
651KB

MD5
ca7a6c546268d7073f3d498e6b17ce18

SHA1
9df96bbca7e7fb3859ebb8912fd930a35f028c3c

SHA256
e32147775057d02e266598c08c8915bcf2b65599af1750f7505a9f26718139d7

SHA512
bc6a2c4b9197017b0b02589f06250fa8d3ade54a74b4ba43b3717c7cfecbddce0d58af8da2df692c04de32e9faca2c6cae5003b6d3104f7d659f0f2e43fb7017

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7249290.exe

Filesize
651KB

MD5
ca7a6c546268d7073f3d498e6b17ce18

SHA1
9df96bbca7e7fb3859ebb8912fd930a35f028c3c

SHA256
e32147775057d02e266598c08c8915bcf2b65599af1750f7505a9f26718139d7

SHA512
bc6a2c4b9197017b0b02589f06250fa8d3ade54a74b4ba43b3717c7cfecbddce0d58af8da2df692c04de32e9faca2c6cae5003b6d3104f7d659f0f2e43fb7017

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9271324.exe

Filesize
465KB

MD5
cc254ac3bc0b5da2d3855e3e0bbeab12

SHA1
0c63f9777fdfb0a13ae2090f2b941cfe6c2969fd

SHA256
d95f9b4df585102fa0e52ccbf2d6b942166f61d4c2f4486b3106adebd485f15c

SHA512
384fcadcac1f20eb3d5bfc43115c3e10b47003ea829991fe39833422e88a839b9a58b7824feb6134a71dc30ba32f563448b4d6f6e93870d237f50f7f5fc2ccdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9271324.exe

Filesize
465KB

MD5
cc254ac3bc0b5da2d3855e3e0bbeab12

SHA1
0c63f9777fdfb0a13ae2090f2b941cfe6c2969fd

SHA256
d95f9b4df585102fa0e52ccbf2d6b942166f61d4c2f4486b3106adebd485f15c

SHA512
384fcadcac1f20eb3d5bfc43115c3e10b47003ea829991fe39833422e88a839b9a58b7824feb6134a71dc30ba32f563448b4d6f6e93870d237f50f7f5fc2ccdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6429997.exe

Filesize
899KB

MD5
e24af533190236c12489caf567cf1de4

SHA1
600618345c0b24fe9a3fc7dc9b900d794bfe31e2

SHA256
72de34b17049ec523f78b48f3e7984cefe06bbc5b25e04c890a296a13486f9ea

SHA512
59f5e5eef6a1f6df0b4d30dfdcf7699b214b9866f77ab3e4f8c3a7e5da7cea7aadd9476a0171c6337a65dc8781e17b8775e7a552c08b8f5c501adf8bb3e040a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6429997.exe

Filesize
899KB

MD5
e24af533190236c12489caf567cf1de4

SHA1
600618345c0b24fe9a3fc7dc9b900d794bfe31e2

SHA256
72de34b17049ec523f78b48f3e7984cefe06bbc5b25e04c890a296a13486f9ea

SHA512
59f5e5eef6a1f6df0b4d30dfdcf7699b214b9866f77ab3e4f8c3a7e5da7cea7aadd9476a0171c6337a65dc8781e17b8775e7a552c08b8f5c501adf8bb3e040a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6429997.exe

Filesize
899KB

MD5
e24af533190236c12489caf567cf1de4

SHA1
600618345c0b24fe9a3fc7dc9b900d794bfe31e2

SHA256
72de34b17049ec523f78b48f3e7984cefe06bbc5b25e04c890a296a13486f9ea

SHA512
59f5e5eef6a1f6df0b4d30dfdcf7699b214b9866f77ab3e4f8c3a7e5da7cea7aadd9476a0171c6337a65dc8781e17b8775e7a552c08b8f5c501adf8bb3e040a7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9663602.exe

Filesize
1.0MB

MD5
1386f628abc8cf69b453f67d42c84c7a

SHA1
fab5038930e75ebfb991e36924f5c9d86fe6cdc7

SHA256
d3c232845e181a4c4a9da20c4a10db2c540a224af46a684fb2f4b8cdf8d85042

SHA512
b9b6cafbaa6fcfe4d0408d450404c28a1b75a51abef7974bed5b403c369d1065e4bc8eaaf808be25ab9608b515316f59a55f8e525c8f85c05f0b26c478423693

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9663602.exe

Filesize
1.0MB

MD5
1386f628abc8cf69b453f67d42c84c7a

SHA1
fab5038930e75ebfb991e36924f5c9d86fe6cdc7

SHA256
d3c232845e181a4c4a9da20c4a10db2c540a224af46a684fb2f4b8cdf8d85042

SHA512
b9b6cafbaa6fcfe4d0408d450404c28a1b75a51abef7974bed5b403c369d1065e4bc8eaaf808be25ab9608b515316f59a55f8e525c8f85c05f0b26c478423693

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7249290.exe

Filesize
651KB

MD5
ca7a6c546268d7073f3d498e6b17ce18

SHA1
9df96bbca7e7fb3859ebb8912fd930a35f028c3c

SHA256
e32147775057d02e266598c08c8915bcf2b65599af1750f7505a9f26718139d7

SHA512
bc6a2c4b9197017b0b02589f06250fa8d3ade54a74b4ba43b3717c7cfecbddce0d58af8da2df692c04de32e9faca2c6cae5003b6d3104f7d659f0f2e43fb7017

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7249290.exe

Filesize
651KB

MD5
ca7a6c546268d7073f3d498e6b17ce18

SHA1
9df96bbca7e7fb3859ebb8912fd930a35f028c3c

SHA256
e32147775057d02e266598c08c8915bcf2b65599af1750f7505a9f26718139d7

SHA512
bc6a2c4b9197017b0b02589f06250fa8d3ade54a74b4ba43b3717c7cfecbddce0d58af8da2df692c04de32e9faca2c6cae5003b6d3104f7d659f0f2e43fb7017

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9271324.exe

Filesize
465KB

MD5
cc254ac3bc0b5da2d3855e3e0bbeab12

SHA1
0c63f9777fdfb0a13ae2090f2b941cfe6c2969fd

SHA256
d95f9b4df585102fa0e52ccbf2d6b942166f61d4c2f4486b3106adebd485f15c

SHA512
384fcadcac1f20eb3d5bfc43115c3e10b47003ea829991fe39833422e88a839b9a58b7824feb6134a71dc30ba32f563448b4d6f6e93870d237f50f7f5fc2ccdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9271324.exe

Filesize
465KB

MD5
cc254ac3bc0b5da2d3855e3e0bbeab12

SHA1
0c63f9777fdfb0a13ae2090f2b941cfe6c2969fd

SHA256
d95f9b4df585102fa0e52ccbf2d6b942166f61d4c2f4486b3106adebd485f15c

SHA512
384fcadcac1f20eb3d5bfc43115c3e10b47003ea829991fe39833422e88a839b9a58b7824feb6134a71dc30ba32f563448b4d6f6e93870d237f50f7f5fc2ccdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6429997.exe

Filesize
899KB

MD5
e24af533190236c12489caf567cf1de4

SHA1
600618345c0b24fe9a3fc7dc9b900d794bfe31e2

SHA256
72de34b17049ec523f78b48f3e7984cefe06bbc5b25e04c890a296a13486f9ea

SHA512
59f5e5eef6a1f6df0b4d30dfdcf7699b214b9866f77ab3e4f8c3a7e5da7cea7aadd9476a0171c6337a65dc8781e17b8775e7a552c08b8f5c501adf8bb3e040a7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6429997.exe

Filesize
899KB

MD5
e24af533190236c12489caf567cf1de4

SHA1
600618345c0b24fe9a3fc7dc9b900d794bfe31e2

SHA256
72de34b17049ec523f78b48f3e7984cefe06bbc5b25e04c890a296a13486f9ea

SHA512
59f5e5eef6a1f6df0b4d30dfdcf7699b214b9866f77ab3e4f8c3a7e5da7cea7aadd9476a0171c6337a65dc8781e17b8775e7a552c08b8f5c501adf8bb3e040a7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6429997.exe

Filesize
899KB

MD5
e24af533190236c12489caf567cf1de4

SHA1
600618345c0b24fe9a3fc7dc9b900d794bfe31e2

SHA256
72de34b17049ec523f78b48f3e7984cefe06bbc5b25e04c890a296a13486f9ea

SHA512
59f5e5eef6a1f6df0b4d30dfdcf7699b214b9866f77ab3e4f8c3a7e5da7cea7aadd9476a0171c6337a65dc8781e17b8775e7a552c08b8f5c501adf8bb3e040a7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6429997.exe

Filesize
899KB

MD5
e24af533190236c12489caf567cf1de4

SHA1
600618345c0b24fe9a3fc7dc9b900d794bfe31e2

SHA256
72de34b17049ec523f78b48f3e7984cefe06bbc5b25e04c890a296a13486f9ea

SHA512
59f5e5eef6a1f6df0b4d30dfdcf7699b214b9866f77ab3e4f8c3a7e5da7cea7aadd9476a0171c6337a65dc8781e17b8775e7a552c08b8f5c501adf8bb3e040a7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6429997.exe

Filesize
899KB

MD5
e24af533190236c12489caf567cf1de4

SHA1
600618345c0b24fe9a3fc7dc9b900d794bfe31e2

SHA256
72de34b17049ec523f78b48f3e7984cefe06bbc5b25e04c890a296a13486f9ea

SHA512
59f5e5eef6a1f6df0b4d30dfdcf7699b214b9866f77ab3e4f8c3a7e5da7cea7aadd9476a0171c6337a65dc8781e17b8775e7a552c08b8f5c501adf8bb3e040a7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6429997.exe

Filesize
899KB

MD5
e24af533190236c12489caf567cf1de4

SHA1
600618345c0b24fe9a3fc7dc9b900d794bfe31e2

SHA256
72de34b17049ec523f78b48f3e7984cefe06bbc5b25e04c890a296a13486f9ea

SHA512
59f5e5eef6a1f6df0b4d30dfdcf7699b214b9866f77ab3e4f8c3a7e5da7cea7aadd9476a0171c6337a65dc8781e17b8775e7a552c08b8f5c501adf8bb3e040a7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6429997.exe

Filesize
899KB

MD5
e24af533190236c12489caf567cf1de4

SHA1
600618345c0b24fe9a3fc7dc9b900d794bfe31e2

SHA256
72de34b17049ec523f78b48f3e7984cefe06bbc5b25e04c890a296a13486f9ea

SHA512
59f5e5eef6a1f6df0b4d30dfdcf7699b214b9866f77ab3e4f8c3a7e5da7cea7aadd9476a0171c6337a65dc8781e17b8775e7a552c08b8f5c501adf8bb3e040a7

Download Submit
memory/2008-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2008-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2008-68-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2008-66-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2008-65-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2008-63-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2008-64-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2008-61-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2132-0-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2132-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2132-10-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2132-12-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2132-14-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2132-17-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2132-16-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2132-8-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2132-6-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2132-4-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2132-2-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2132-75-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download