Malware Analysis Report

2025-03-15 03:56

Sample ID 240626-jqvetswfnp
Target 4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6
SHA256 4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6
Tags
amadey 5ce0ac trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6 was found to be: Known bad.

Malicious Activity Summary

amadey 5ce0ac trojan

Amadey

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 07:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 07:52

Reported

2024-06-26 07:55

Platform

win7-20240220-en

Max time kernel

144s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe"

Signatures

Amadey

trojan amadey

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
PID 2996 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2996 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2840 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2840 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2840 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1988 wrote to memory of 1768 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
PID 1988 wrote to memory of 1684 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe

"C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe"

C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe

"C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN npsvga64.exe /TR "C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "npsvga64.exe" /P "Admin:N"&&CACLS "npsvga64.exe" /P "Admin:R" /E&&echo Y|CACLS "..\49f0160cce" /P "Admin:N"&&CACLS "..\49f0160cce" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "npsvga64.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "npsvga64.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\49f0160cce" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\49f0160cce" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {821BB93F-F37B-48E4-9618-59BCB3D02C71} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe

C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe

C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe

C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe

Network

Country Destination Domain Proto
DE 188.40.122.96:80 188.40.122.96 tcp
DE 188.40.122.96:80 188.40.122.96 tcp

Files

memory/1732-0-0x0000000003990000-0x00000000039CF000-memory.dmp

memory/1732-2-0x00000000041B0000-0x00000000041B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe

MD5 f67e33f48a1cef22ec4ff037fc2da7c2
SHA1 a7d454e86ccf547561d5bf13d2eea1d471417d5d
SHA256 4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6
SHA512 6bef7e7c412b5f5eb8bd3a00b72e6613822b4333bf5472b2d83f0cdcb25e12bd8fc2bc1cc5aa9c4b872a7dc1876eabdd6b20ad581c4a74a365ae00e4fcbf76a5

memory/1732-14-0x0000000003990000-0x00000000039CF000-memory.dmp

memory/1732-16-0x0000000000400000-0x0000000000E70000-memory.dmp

memory/2996-20-0x0000000000E70000-0x0000000000EAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\721934792624

MD5 1c86d5270a37d5ad352031e5dc8f0868
SHA1 fdb3112e68d80da6cbf4cf60f0d91266e69fd9f8
SHA256 de47e7151465597b47dfa17712e773a0ebd132bb2127bb5aadb5b43216f1bf4c
SHA512 65efbc23fad78b645af41280103be8056bd0d59850c66fd86eada977f972e62ac052b761d7f68387a2d58f3b8f51656a2cf347cfdb87753f0d4610b88164e8ba

memory/2996-33-0x0000000000400000-0x0000000000E70000-memory.dmp

memory/1768-42-0x0000000003960000-0x000000000399F000-memory.dmp

memory/1768-44-0x0000000000400000-0x0000000000E70000-memory.dmp

memory/1684-54-0x0000000003990000-0x00000000039CF000-memory.dmp

memory/1684-55-0x0000000003990000-0x00000000039CF000-memory.dmp

memory/1684-56-0x0000000000400000-0x0000000000E70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 07:52

Reported

2024-06-26 07:55

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 212 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
PID 4944 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4944 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe C:\Windows\SysWOW64\cmd.exe
PID 3696 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3696 wrote to memory of 1180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3696 wrote to memory of 4420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3696 wrote to memory of 4688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3696 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3696 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe

"C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe"

C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe

"C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN npsvga64.exe /TR "C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "npsvga64.exe" /P "Admin:N"&&CACLS "npsvga64.exe" /P "Admin:R" /E&&echo Y|CACLS "..\49f0160cce" /P "Admin:N"&&CACLS "..\49f0160cce" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "npsvga64.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "npsvga64.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\49f0160cce" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\49f0160cce" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe

C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe

C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe

C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
DE 188.40.122.96:80 188.40.122.96 tcp
DE 188.40.122.96:80 188.40.122.96 tcp
US 8.8.8.8:53 96.122.40.188.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 66.229.138.52.in-addr.arpa udp

Files

memory/212-1-0x0000000002450000-0x000000000248F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe

MD5 f67e33f48a1cef22ec4ff037fc2da7c2
SHA1 a7d454e86ccf547561d5bf13d2eea1d471417d5d
SHA256 4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6
SHA512 6bef7e7c412b5f5eb8bd3a00b72e6613822b4333bf5472b2d83f0cdcb25e12bd8fc2bc1cc5aa9c4b872a7dc1876eabdd6b20ad581c4a74a365ae00e4fcbf76a5

memory/212-15-0x0000000002450000-0x000000000248F000-memory.dmp

memory/212-17-0x0000000000400000-0x0000000000E70000-memory.dmp

memory/4944-20-0x0000000003AB0000-0x0000000003AEF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\169499791354

MD5 16de5863612e26db7ffed108e111e9c9
SHA1 74a4e8672ec0f506abfc2b94d162f83c0253cfc7
SHA256 ef4ea0524f1fa2259866278cc93bd59f890eea23ce033ec222789d6ad01f84ed
SHA512 1cec95df17715c70d38bcaa026a75f4e6c8d36cbb26def5abcd424e44a5bc3e5bbd55023732ef9be629a1c1f2524192f0a36974097b08756ac6a6ce34cc69ffa

memory/4944-33-0x0000000000400000-0x0000000000E70000-memory.dmp

memory/2924-42-0x0000000001010000-0x000000000104F000-memory.dmp

memory/2924-44-0x0000000000400000-0x0000000000E70000-memory.dmp

memory/5040-54-0x0000000002120000-0x000000000215F000-memory.dmp

memory/5040-55-0x0000000000400000-0x0000000000E70000-memory.dmp