Malware Analysis Report

2025-01-23 05:59

Sample ID 241107-aspgxs1fnh
Target 58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66
SHA256 58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66
Tags
amadey healer redline 47f88f lada discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66

Threat Level: Known bad

The file 58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 47f88f lada discovery dropper evasion infostealer persistence trojan

RedLine

Redline family

Amadey

RedLine payload

Healer

Detects Healer an antivirus disabler dropper

Amadey family

Healer family

Modifies Windows Defender Real-time Protection settings

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 00:28

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 00:28

Reported

2024-11-07 00:31

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4796 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe
PID 4924 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe
PID 4924 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe
PID 3732 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe C:\Windows\Temp\1.exe
PID 4796 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe
PID 2260 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 4404 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe

"C:\Users\Admin\AppData\Local\Temp\58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4652 -ip 4652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3732 -ip 3732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1520

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network


Files
