Malware Analysis Report

2024-09-11 14:25

Sample ID 240620-qq8e1szekg
Target setup.exe
SHA256 314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61
Tags
amadey 8fc809 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61

Threat Level: Known bad

The file setup.exe was found to be: Known bad.

Malicious Activity Summary

amadey 8fc809 trojan

Amadey

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-20 13:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 13:29

Reported

2024-06-20 13:31

Platform

win7-20240611-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 3032 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 3032 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 3032 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 3032 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 3032 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 3032 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
BR 177.129.90.106:80 selltix.org tcp
BR 177.129.90.106:80 selltix.org tcp
BR 177.129.90.106:80 selltix.org tcp
BR 177.129.90.106:80 selltix.org tcp
BR 177.129.90.106:80 selltix.org tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
BR 177.129.90.106:80 selltix.org tcp
BR 177.129.90.106:80 selltix.org tcp
BR 177.129.90.106:80 selltix.org tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp

Files

\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 052e6b664d68958cff0d19ef11286662
SHA1 abe767326cf2188599f6b59863e74ade34e48d73
SHA256 314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61
SHA512 93b273c8bfd6723ecda2867f0793130837bf4b05d640aa89ba3afdee0289ffeb23a5645d684495caa38862a948d83ac66b397973b81970877f761a2e13a0737b

memory/3032-13-0x0000000000400000-0x0000000002767000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\969036373035

MD5 8ba8a6ac80024bee82ac61b8e88e21b7
SHA1 b920954ecae187573e6b42a1e72b1effb5456147
SHA256 6b35165e5598832b7bbf4ccd55e4ea4ab1f8f6b8b27be032155187345db35a4f
SHA512 9f852ffb5ded37f16c7946f4eb82143b3e4a72e293d5fa52fa8620d6e6c3d2b68949cdae5d023d4a3febddb1f3aeb14cc98fec13cf90a4deded75bb85b60e759

memory/2600-27-0x0000000000400000-0x0000000002767000-memory.dmp

memory/2600-35-0x0000000000400000-0x0000000002767000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 13:29

Reported

2024-06-20 13:31

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4380 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4380 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 4380 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1388

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3652 -ip 3652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 472

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1340

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 selltix.org udp
KR 211.171.233.126:80 selltix.org tcp
KR 211.171.233.126:80 selltix.org tcp
KR 211.171.233.126:80 selltix.org tcp
US 8.8.8.8:53 126.233.171.211.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
KR 211.171.233.126:80 selltix.org tcp
KR 211.171.233.126:80 selltix.org tcp
KR 211.171.233.126:80 selltix.org tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
KR 211.171.233.126:80 selltix.org tcp
KR 211.171.233.126:80 selltix.org tcp

Files

memory/4380-3-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4380-2-0x0000000002780000-0x00000000027EF000-memory.dmp

memory/4380-1-0x00000000028E0000-0x00000000029E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 052e6b664d68958cff0d19ef11286662
SHA1 abe767326cf2188599f6b59863e74ade34e48d73
SHA256 314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61
SHA512 93b273c8bfd6723ecda2867f0793130837bf4b05d640aa89ba3afdee0289ffeb23a5645d684495caa38862a948d83ac66b397973b81970877f761a2e13a0737b

memory/3652-16-0x0000000000400000-0x0000000002767000-memory.dmp

memory/3652-17-0x0000000000400000-0x0000000002767000-memory.dmp

memory/4380-19-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4380-20-0x0000000002780000-0x00000000027EF000-memory.dmp

memory/4380-18-0x0000000000400000-0x0000000002767000-memory.dmp

memory/3652-22-0x0000000000400000-0x0000000002767000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\804150937214

MD5 bf922bc7c127eade3ae1af2a67b7245a
SHA1 a85b65242b3ecf89d0e0fd068b4ccd468e8772ef
SHA256 ba7f837bf259a394e8a4c23a830e1d2de9dafc8d90c20e1d709dbc549b75d589
SHA512 d28a5568007fff625ccfe2c83ba87b44f1f507f8079511b5d7e5fbca5c714b38cad1555f8d2369cfd5ef99fb158d461b8116c35137f7765810a673b420d488cc

memory/3112-40-0x0000000000400000-0x0000000002767000-memory.dmp

memory/3112-41-0x0000000000400000-0x0000000002767000-memory.dmp