Malware Analysis Report

2025-08-11 08:18

Sample ID 241112-nz5z5sscmd
Target 4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN
SHA256 4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cd
Tags: amadey healer 9c0adb discovery dropper evasion persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cd

Threat Level: Known bad

The file 4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN was found to be: Known bad.

Malicious Activity Summary

amadey healer 9c0adb discovery dropper evasion persistence trojan

Healer

Modifies Windows Defender Real-time Protection settings

Amadey family

Amadey

Healer family

Detects Healer an antivirus disabler dropper

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-12 11:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-12 11:51
Reported: 2024-11-12 11:53
Platform: win10v2004-20241007-en
Max time kernel: 112s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\296865278.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\296865278.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\296865278.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\296865278.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\296865278.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\352125291.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\296865278.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fL620478.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\352125291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\296865278.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fL620478.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\296865278.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\352125291.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fL620478.exe
PID 880 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fL620478.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe
PID 880 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fL620478.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\296865278.exe
PID 2580 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\352125291.exe
PID 4992 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\352125291.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2960 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2960 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4140 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4140 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4140 wrote to memory of 4824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4140 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4140 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4140 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe

"C:\Users\Admin\AppData\Local\Temp\4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fL620478.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fL620478.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\296865278.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\296865278.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4020 -ip 4020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\352125291.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\352125291.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.117.19.2.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 193.3.19.154:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fL620478.exe

MD5 d316d0cc264213b48624ff29845536e7
SHA1 2277438596f198c20440153e4e16dc908924f394
SHA256 f098d07c08b8752f46db720e5423047b015e1718d1c17432158c5c81d2c11ea6
SHA512 36e2dd15690a440b497dd20fffb3d78ee2f11abf916223224f130919e18f975f85ce9e7d113b50b8a9188037eb6c6c59a6cafaa12f9fcb6b81dd484f8a074e3e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe

MD5 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1 b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256 f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\296865278.exe

MD5 a03d5d915ad17d3a703b28609194244a
SHA1 8c843bf4d225521fa2e46d4824674700c19b66ce
SHA256 29eb2bd63937e743c04e6c615cdc8be743b8a204ad3538cac93456f589ab34dc
SHA512 fa175ff570310b2fdff109f53206289e4a7afa7ca83fff3b66edaf2a115117cea4b048569702f9818022faa85035425381626d9a149dae3c0f9ec097103db49c

memory/4020-84-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\352125291.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

memory/4020-86-0x0000000000400000-0x0000000002B9B000-memory.dmp