Malware Analysis Report

2025-05-06 01:34

Sample ID 241110-dxn9haxrcs
Target dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16
SHA256 dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16
Tags
amadey healer 9c0adb discovery dropper evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16

Threat Level: Known bad

The file dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16 was found to be: Known bad.

Malicious Activity Summary

amadey healer 9c0adb discovery dropper evasion persistence trojan

Amadey

Modifies Windows Defender Real-time Protection settings

Amadey family

Detects Healer an antivirus disabler dropper

Healer family

Healer

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:23

Reported

2024-11-10 03:25

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(17 rule matches; the report records no description, indicator, process or target for any of them, every field is N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360635826.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eH521242.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eH521242.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360635826.exe N/A
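The four registry tables above (the Defender Real-Time Protection policy values, the TamperProtection value, the RunOnce entries and the Geo/NLS queries) can be triaged mechanically. The Python below is an added example for this page, not the sandbox vendor's tooling: it parses rows in the table format used here, folds the WOW6432Node view into the normal key path, and tags each event. Rule names and severities are this example's own choices. The low severity on the wextract_cleanupN RunOnce entries reflects that IXP00n.TMP directories and advpack.dll,DelNodeRunDLL32 cleanup entries are produced by the Win32 cabinet self-extractor (wextract/IExpress) that packages the dropper, so they mark the packaging rather than the payload's persistence. Note that the tables record the registry writes themselves, not whether Defender honoured them.

```python
"""Triage the registry rows from the signature tables above.

Added example for this report; it is not the sandbox vendor's code.  The row
format it parses ('<operation> <key>[ = "<data>"] <process> N/A') and the sample
rows are taken from the tables on this page; rule names and severities are this
example's own choices."""
import re
from collections import defaultdict

# Policy values under ...\Windows Defender\Real-Time Protection that switch a
# real-time protection component off when set to 1.
DEFENDER_RTP_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableonaccessprotection", "disableioavprotection",
    "disablescanonrealtimeenable",
}

ROW_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Key value queried|Set value \((?:int|str)\)) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>.*)")?'
    r' (?P<proc>[A-Z]:\\\S+) N/A$'
)


def normalize_key(path):
    """Lower-case a native-format path, map the hives to hklm/hkcu and drop the
    WOW6432Node hop so the 32-bit and 64-bit views of one key compare equal."""
    p = path.lower()
    if p.startswith("\\registry\\machine\\"):
        p = "hklm\\" + p[len("\\registry\\machine\\"):]
    elif p.startswith("\\registry\\user\\"):
        parts = p.split("\\", 4)            # ['', 'registry', 'user', '<SID>', rest]
        p = "hkcu\\" + (parts[4] if len(parts) > 4 else "")
    return p.replace("\\wow6432node\\", "\\")


def parse_row(row):
    """Parse one table row into {op, key, value, data, proc}."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unparsed row: {row!r}")
    ev = m.groupdict()
    ev["key"] = normalize_key(ev["key"])
    ev["value"] = None
    if ev["op"].startswith("Set value") or ev["op"] == "Key value queried":
        ev["key"], _, ev["value"] = ev["key"].rpartition("\\")   # split the value name off
    return ev


def classify(ev):
    """Return (rule, severity) pairs that match one parsed event."""
    key, value, data, op = ev["key"], ev["value"], ev["data"], ev["op"]
    hits = []
    if op.startswith("Set value"):
        if key.endswith("\\policies\\microsoft\\windows defender\\real-time protection") \
                and value in DEFENDER_RTP_VALUES and data == "1":
            hits.append(("defender_rtp_disabled", "high"))
        if key.endswith("\\microsoft\\windows defender\\features") \
                and value == "tamperprotection" and data == "0":
            hits.append(("defender_tamper_protection_off", "high"))
        if re.search(r"\\currentversion\\run(once)?$", key):
            # wextract_cleanupN entries calling advpack!DelNodeRunDLL32 are the
            # self-extractor's own temp-directory cleanup, not payload persistence.
            benign = value.startswith("wextract_cleanup") and "delnoderundll32" in (data or "").lower()
            hits.append(("run_key_persistence", "low" if benign else "medium"))
    elif op == "Key value queried" and key.endswith("\\control panel\\international\\geo") and value == "nation":
        hits.append(("geo_location_discovery", "info"))
    elif op == "Key opened" and key.endswith("\\control\\nls\\language"):
        hits.append(("system_language_discovery", "info"))
    return hits


def triage(rows):
    """Count rule hits per process image name, e.g. {'oneetx.exe': {'geo_location_discovery': 1}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for row in rows:
        ev = parse_row(row)
        image = ev["proc"].rsplit("\\", 1)[-1].lower()
        for rule, _severity in classify(ev):
            counts[image][rule] += 1
    return {image: dict(hits) for image, hits in counts.items()}


# Rows copied from the signature tables above (constructed input for this example).
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
""".strip().splitlines()

if __name__ == "__main__":
    for image, hits in sorted(triage(SAMPLE_ROWS).items()):
        print(f"{image:<70} {hits}")
```

Running the script prints one line per image with its rule counts; the two Healer binaries (181183091.exe and 258197172.exe) are the only ones hitting the two high-severity Defender rules, which is the quickest way to separate the AV-disabler stage from the loader and the cleanup noise.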

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360635826.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(the raw log records three WriteProcessMemory calls per spawned child; each parent/child pair is listed once below with that count)
PID 4768 wrote to memory of 644 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eH521242.exe
PID 644 wrote to memory of 4728 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eH521242.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe
PID 644 wrote to memory of 212 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eH521242.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe
PID 4768 wrote to memory of 2508 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360635826.exe
PID 2508 wrote to memory of 1052 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360635826.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1052 wrote to memory of 5096 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1052 wrote to memory of 1280 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1280 wrote to memory of 1756 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1280 wrote to memory of 3924 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1280 wrote to memory of 2740 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1280 wrote to memory of 232 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1280 wrote to memory of 984 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1280 wrote to memory of 1872 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

Process tree. PIDs and parent/child links are those recorded in the WriteProcessMemory table above; indentation shows the parent. Each entry gives the image path followed by the command line as recorded. The six children of cmd.exe (PID 1280) are paired with command lines in the order of the two listings.

4768  C:\Users\Admin\AppData\Local\Temp\dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe
      "C:\Users\Admin\AppData\Local\Temp\dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe"

  644   C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eH521242.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eH521242.exe

    4728  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe

    212   C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe

  2508  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360635826.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360635826.exe

    1052  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
          "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

      5096  C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

      1280  C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

        1756  C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"

        3924  C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:N"

        2740  C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:R" /E

        232   C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"

        984   C:\Windows\SysWOW64\cacls.exe
              CACLS "..\cb7ae701b3" /P "Admin:N"

        1872  C:\Windows\SysWOW64\cacls.exe
              CACLS "..\cb7ae701b3" /P "Admin:R" /E

Processes with no parent recorded in the WriteProcessMemory table:

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 212 -ip 212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1080

(Windows Error Reporting handling the crash of PID 212, 258197172.exe; this is the "Program crash" entry in the overview.)

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

(Two further launches of oneetx.exe; the unquoted command line matches the /TR value of the scheduled task created by PID 5096.)
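The WriteProcessMemory table gives parent/child PIDs and the Processes list gives the command lines; together they show the chain oneetx.exe -> schtasks.exe (a task that re-runs the binary every minute) and oneetx.exe -> cmd.exe -> cacls.exe (the payload restricting the interactive user's access to its own file and directory). As an added example, not the sandbox's own code, the Python below rebuilds the tree from rows in the raw table format and flags those two patterns. The rows and command lines are copied from this page; the pairing of child PIDs with command lines follows the order of the two listings and is an assumption of this example, as are the rule names.

```python
"""Rebuild the process tree from the WriteProcessMemory rows above and flag the
persistence and self-protection command lines under it.

Added example for this report, not the sandbox vendor's code.  Rows and command
lines are copied from this page; the PID-to-command-line pairing follows the
order of the two listings and is this example's assumption, as are the rule names."""
import re
from collections import defaultdict

WPM_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A (?P<pimg>\S+) (?P<cimg>\S+)$"
)

# Rows in the raw table format (constructed input; the first pair is repeated
# the way the raw log repeats every pair, to show the collapse).
WPM_ROWS = r"""
PID 4768 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eH521242.exe
PID 4768 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eH521242.exe
PID 644 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eH521242.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe
PID 644 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eH521242.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe
PID 4768 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360635826.exe
PID 2508 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360635826.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1052 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1052 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1280 wrote to memory of 1756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1280 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1280 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1280 wrote to memory of 232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1280 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1280 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
""".strip().splitlines()

# Command lines from the Processes list, keyed by the PID assumed for them.
CMDLINES = {
    5096: r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F',
    1280: r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit',
    3924: r'CACLS "oneetx.exe" /P "Admin:N"',
    2740: r'CACLS "oneetx.exe" /P "Admin:R" /E',
    984: r'CACLS "..\cb7ae701b3" /P "Admin:N"',
    1872: r'CACLS "..\cb7ae701b3" /P "Admin:R" /E',
}


def build_tree(rows):
    """Return (children-by-parent, image-by-pid); repeated edges collapse to one."""
    children, image = defaultdict(list), {}
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        parent, child = int(m["parent"]), int(m["child"])
        image[parent], image[child] = m["pimg"], m["cimg"]
        if child not in children[parent]:
            children[parent].append(child)
    return children, image


def render(children, image, pid, depth=0):
    """Indented text tree rooted at pid, one line per process."""
    name = image[pid].rsplit("\\", 1)[-1]
    lines = ["  " * depth + f"{pid} {name}"]
    for child in children.get(pid, []):
        lines += render(children, image, child, depth + 1)
    return lines


SCHTASKS_RE = re.compile(r'/SC\s+(?P<sched>\w+)(?:\s+/MO\s+(?P<mod>\d+))?.*?/TR\s+"(?P<tr>[^"]+)"', re.I)
CACLS_RE = re.compile(r'CACLS\s+"(?P<target>[^"]+)"\s+/P\s+"(?P<user>[^":]+):(?P<perm>[A-Z])"', re.I)


def check_cmdline(pid, cmd):
    """Return (pid, rule, detail) findings for one command line."""
    findings = []
    exe = cmd.split()[0].strip('"').lower()
    if exe.endswith("schtasks.exe") and "/create" in cmd.lower():
        m = SCHTASKS_RE.search(cmd)
        # A task relaunching a binary from the user's Temp directory every
        # minute restarts the payload whenever it is killed.
        if m and m["sched"].upper() == "MINUTE" and "\\appdata\\local\\temp\\" in m["tr"].lower():
            findings.append((pid, "minute_task_from_temp", f"every {m['mod'] or 1} min: {m['tr']}"))
    for m in CACLS_RE.finditer(cmd):
        # /P user:N leaves that user no access, and without /E the whole ACL is
        # replaced rather than edited; the "echo Y|" pipe answers cacls's
        # confirmation prompt.  Applied to its own file and directory this keeps
        # the interactive user from deleting the payload.
        if m["perm"].upper() == "N":
            findings.append((pid, "acl_deny_to_user", f"{m['target']} -> {m['user']}:N"))
    return findings


def analyse(rows=WPM_ROWS, cmdlines=CMDLINES):
    """Return (tree lines, findings) for the given rows and command lines."""
    children, image = build_tree(rows)
    roots = [p for p in children if all(p not in kids for kids in children.values())]
    tree = [line for root in roots for line in render(children, image, root)]
    findings = [f for pid, cmd in cmdlines.items() for f in check_cmdline(pid, cmd)]
    return tree, findings


if __name__ == "__main__":
    tree, findings = analyse()
    print("\n".join(tree))
    for pid, rule, detail in findings:
        print(f"[{rule}] pid {pid}: {detail}")
```

The tree has a single root (PID 4768) with fourteen processes; the ACL rule fires four times because the cmd.exe /k chain carries both CACLS ... :N commands and each of them is also launched as its own cacls.exe child, so a detection keyed on the parent command line alone would double-count unless the child processes are tied back to it as done here.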

Network

The udp rows are reverse (PTR) lookups of assorted addresses sent to 8.8.8.8; the four tcp rows are direct connections to 193.3.19.154:80 for which no hostname was resolved.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 - tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 193.3.19.154:80 - tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 193.3.19.154:80 - tcp
RU 193.3.19.154:80 - tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eH521242.exe

MD5 f10f95d3c7c49e83bac3b952d6e7f751
SHA1 75f0709ab610d28dcf25588f04da50aee809193c
SHA256 40bdbaec8f615fd9104ac3806c04771dad51e09ffe28094e12d5b37010828594
SHA512 edcf5d5c595727524aaead9dd08ac6e10db35da062da05b2d910dcb7ec8851cc2d03e65d93977bdd094f4b1d5e10051644cd73d868dfe19df5870b5771f4df67

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe

MD5 3d10b67208452d7a91d7bd7066067676
SHA1 e6c3ab7b6da65c8cc7dd95351f118caf3a50248d
SHA256 5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302
SHA512 b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

memory/4728-14-0x000000007416E000-0x000000007416F000-memory.dmp

memory/4728-15-0x0000000002250000-0x000000000226A000-memory.dmp

memory/4728-16-0x0000000074160000-0x0000000074910000-memory.dmp

memory/4728-17-0x0000000004AC0000-0x0000000005064000-memory.dmp

memory/4728-18-0x00000000024F0000-0x0000000002508000-memory.dmp

memory/4728-22-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-47-0x0000000074160000-0x0000000074910000-memory.dmp

memory/4728-44-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-48-0x0000000074160000-0x0000000074910000-memory.dmp

memory/4728-42-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-41-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-38-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-46-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-20-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-19-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-36-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-34-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-32-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-30-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-28-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-26-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-24-0x00000000024F0000-0x0000000002503000-memory.dmp

memory/4728-49-0x000000007416E000-0x000000007416F000-memory.dmp

memory/4728-50-0x0000000074160000-0x0000000074910000-memory.dmp

memory/4728-52-0x0000000074160000-0x0000000074910000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe

MD5 3e1ea58c2982e65c58b171d455bbf3a0
SHA1 3a0114724522bdfe707da54708cc709417da2845
SHA256 7e88add95114c88251940e8537fcf0a3fb1e9cbe001bcf35b2fab98553c5dc7e
SHA512 1ef5a48c8bee768b97cb5a9f7497c6f0bb5d80af82f2b4f0a3ce27ff782db8daa71297137a09324f1e81e6c83e850c33e1b764aecab975aa90531324dd55ea56

memory/212-85-0x0000000000400000-0x0000000002B99000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360635826.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

memory/212-87-0x0000000000400000-0x0000000002B99000-memory.dmp