Malware Analysis Report

2025-08-05 11:26

Sample ID 241112-rlms7atje1
Target c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe
SHA256 c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afc
Tags
amadey healer 9c0adb discovery dropper evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afc

Threat Level: Known bad

The file c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe was found to be: Known bad.

Malicious Activity Summary

amadey healer 9c0adb discovery dropper evasion persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

Amadey family

Healer family

Detects Healer an antivirus disabler dropper

Amadey

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 14:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 14:16

Reported

2024-11-12 14:19

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258810809.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258810809.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258810809.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258810809.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258810809.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\369908799.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258810809.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OO309956.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258810809.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OO309956.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\369908799.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258810809.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\369908799.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3924 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OO309956.exe
PID 4432 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OO309956.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe
PID 4432 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OO309956.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258810809.exe
PID 3924 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\369908799.exe
PID 1108 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\369908799.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4540 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4540 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 3396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1480 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1480 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1480 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe

"C:\Users\Admin\AppData\Local\Temp\c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OO309956.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OO309956.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258810809.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258810809.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2948 -ip 2948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\369908799.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\369908799.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OO309956.exe

MD5 61d90663421fb32b684f6cbd80ac1b3f
SHA1 29ad2e61bc9a40076e0af3215df0ae008e078738
SHA256 cb12d593fb0000ab7cf8ad21e1450f5c59404cabc347c1fed9871193cb1b8088
SHA512 57d6b82483cc14e6e5e63ae1a86803e2faad001248cbd2017106bbff869dc56ff0e300351c61405b6be0f5023a29e1e7f44e812962b54a9c537df98d103c1c55

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe

MD5 3d10b67208452d7a91d7bd7066067676
SHA1 e6c3ab7b6da65c8cc7dd95351f118caf3a50248d
SHA256 5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302
SHA512 b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258810809.exe

MD5 166c3a38d67502c4341a59ddd044c986
SHA1 06315016c2725ffaf989707cf2e0cac83f84520a
SHA256 cdf7e3b30be8fec731d6a859a557cfb9c1a89fec7805059676b5f20e0a1d02a9
SHA512 eebcd083cdd2ba04091f5ff1406bb2a0002a13ea917331358182b8170fd9d7b6c9a738848be24cd2df00858736f1505a3761dee0b72ab22098a690c1d9a630af

memory/2948-85-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2948-87-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\369908799.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1