amadey | b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2022 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f.exe
Size

342KB
MD5

1883b1cf887b4748bcf5f6fd82a6dce3
SHA1

0027119a3c92b25e6dac059d952c2298de29cc66
SHA256

b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f
SHA512

88f56c14b4517b1745e769c9995d3dd5f8ae804cb3ab4e861017a85837b967b88ece92c7cb5a16d50a1cb1d6189f38e75d971b3f28a6f506f061f6ce1d7c2edc
SSDEEP

6144:bkXpGtKOhRiO2etLe6ftHYoUJ2Kw4kN4SHyK1tjvoFSDtZQxW:bmpkKOXiO57ftHjJ4xzwWW

Score

10^/10

amadey systembc persistence trojan upx

Malware Config

Extracted

Family

amadey

Version

3.60

85.209.135.11/gjend7w/index.php

Extracted

Family

systembc

89.22.236.225:4193

176.124.205.5:4193

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

44 3784 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

gntuud.exeumciavi32.exeEngine.exeavicapn32.exePortion.exe.pif

pid process

3608 gntuud.exe
3068 umciavi32.exe
820 Engine.exe
4408 avicapn32.exe
228 Portion.exe.pif

flow	pid	process
44	3784	rundll32.exe

pid	process
3608	gntuud.exe
3068	umciavi32.exe
820	Engine.exe
4408	avicapn32.exe
228	Portion.exe.pif

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SETUP_19059\Engine.exe	upx
C:\Users\Admin\AppData\Local\Temp\SETUP_19059\Engine.exe	upx
behavioral1/memory/820-161-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f.exegntuud.exeavicapn32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	gntuud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	avicapn32.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3420 rundll32.exe
3784 rundll32.exe

pid	process
3420	rundll32.exe
3784	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gntuud.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syncfiles.dll = "rundll32 C:\\Users\\Admin\\1000003062\\syncfiles.dll, rundll"	gntuud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\umciavi32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000019050\\umciavi32.exe"	gntuud.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

rundll32.exe

pid process

3784 rundll32.exe
3784 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4048 schtasks.exe
2564 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1488 PING.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

pid	process
4048	schtasks.exe
2564	schtasks.exe

pid	process
1488	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rundll32.exepowershell.exepowershell.exePortion.exe.pif

pid	process
3784	rundll32.exe
3784	rundll32.exe
3228	powershell.exe
3228	powershell.exe
3228	powershell.exe
3812	powershell.exe
3812	powershell.exe
3812	powershell.exe
228	Portion.exe.pif
228	Portion.exe.pif
228	Portion.exe.pif
228	Portion.exe.pif
228	Portion.exe.pif
228	Portion.exe.pif
228	Portion.exe.pif
228	Portion.exe.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3228 powershell.exe
Token: SeDebugPrivilege 3812 powershell.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Portion.exe.pif

pid process

228 Portion.exe.pif
228 Portion.exe.pif
228 Portion.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Portion.exe.pif

pid process

228 Portion.exe.pif
228 Portion.exe.pif
228 Portion.exe.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4324 OpenWith.exe

description	pid	process
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe

pid	process
228	Portion.exe.pif
228	Portion.exe.pif
228	Portion.exe.pif

pid	process
228	Portion.exe.pif
228	Portion.exe.pif
228	Portion.exe.pif

pid	process
4324	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f.exegntuud.execmd.exerundll32.exeumciavi32.exeEngine.execmd.execmd.exeavicapn32.exe

description	pid	process	target process
PID 4304 wrote to memory of 3608	4304	b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f.exe	gntuud.exe
PID 4304 wrote to memory of 3608	4304	b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f.exe	gntuud.exe
PID 4304 wrote to memory of 3608	4304	b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f.exe	gntuud.exe
PID 3608 wrote to memory of 4048	3608	gntuud.exe	schtasks.exe
PID 3608 wrote to memory of 4048	3608	gntuud.exe	schtasks.exe
PID 3608 wrote to memory of 4048	3608	gntuud.exe	schtasks.exe
PID 3608 wrote to memory of 3324	3608	gntuud.exe	cmd.exe
PID 3608 wrote to memory of 3324	3608	gntuud.exe	cmd.exe
PID 3608 wrote to memory of 3324	3608	gntuud.exe	cmd.exe
PID 3324 wrote to memory of 864	3324	cmd.exe	cmd.exe
PID 3324 wrote to memory of 864	3324	cmd.exe	cmd.exe
PID 3324 wrote to memory of 864	3324	cmd.exe	cmd.exe
PID 3324 wrote to memory of 1396	3324	cmd.exe	cacls.exe
PID 3324 wrote to memory of 1396	3324	cmd.exe	cacls.exe
PID 3324 wrote to memory of 1396	3324	cmd.exe	cacls.exe
PID 3324 wrote to memory of 4572	3324	cmd.exe	cacls.exe
PID 3324 wrote to memory of 4572	3324	cmd.exe	cacls.exe
PID 3324 wrote to memory of 4572	3324	cmd.exe	cacls.exe
PID 3324 wrote to memory of 1500	3324	cmd.exe	cmd.exe
PID 3324 wrote to memory of 1500	3324	cmd.exe	cmd.exe
PID 3324 wrote to memory of 1500	3324	cmd.exe	cmd.exe
PID 3324 wrote to memory of 4380	3324	cmd.exe	cacls.exe
PID 3324 wrote to memory of 4380	3324	cmd.exe	cacls.exe
PID 3324 wrote to memory of 4380	3324	cmd.exe	cacls.exe
PID 3324 wrote to memory of 3680	3324	cmd.exe	cacls.exe
PID 3324 wrote to memory of 3680	3324	cmd.exe	cacls.exe
PID 3324 wrote to memory of 3680	3324	cmd.exe	cacls.exe
PID 3608 wrote to memory of 3420	3608	gntuud.exe	rundll32.exe
PID 3608 wrote to memory of 3420	3608	gntuud.exe	rundll32.exe
PID 3608 wrote to memory of 3420	3608	gntuud.exe	rundll32.exe
PID 3420 wrote to memory of 3784	3420	rundll32.exe	rundll32.exe
PID 3420 wrote to memory of 3784	3420	rundll32.exe	rundll32.exe
PID 3608 wrote to memory of 3068	3608	gntuud.exe	umciavi32.exe
PID 3608 wrote to memory of 3068	3608	gntuud.exe	umciavi32.exe
PID 3608 wrote to memory of 3068	3608	gntuud.exe	umciavi32.exe
PID 3068 wrote to memory of 820	3068	umciavi32.exe	Engine.exe
PID 3068 wrote to memory of 820	3068	umciavi32.exe	Engine.exe
PID 3068 wrote to memory of 820	3068	umciavi32.exe	Engine.exe
PID 820 wrote to memory of 4448	820	Engine.exe	cmd.exe
PID 820 wrote to memory of 4448	820	Engine.exe	cmd.exe
PID 820 wrote to memory of 4448	820	Engine.exe	cmd.exe
PID 4448 wrote to memory of 5000	4448	cmd.exe	cmd.exe
PID 4448 wrote to memory of 5000	4448	cmd.exe	cmd.exe
PID 4448 wrote to memory of 5000	4448	cmd.exe	cmd.exe
PID 3608 wrote to memory of 4408	3608	gntuud.exe	avicapn32.exe
PID 3608 wrote to memory of 4408	3608	gntuud.exe	avicapn32.exe
PID 3608 wrote to memory of 4408	3608	gntuud.exe	avicapn32.exe
PID 5000 wrote to memory of 3228	5000	cmd.exe	powershell.exe
PID 5000 wrote to memory of 3228	5000	cmd.exe	powershell.exe
PID 5000 wrote to memory of 3228	5000	cmd.exe	powershell.exe
PID 4408 wrote to memory of 2564	4408	avicapn32.exe	schtasks.exe
PID 4408 wrote to memory of 2564	4408	avicapn32.exe	schtasks.exe
PID 4408 wrote to memory of 2564	4408	avicapn32.exe	schtasks.exe
PID 5000 wrote to memory of 3812	5000	cmd.exe	powershell.exe
PID 5000 wrote to memory of 3812	5000	cmd.exe	powershell.exe
PID 5000 wrote to memory of 3812	5000	cmd.exe	powershell.exe
PID 5000 wrote to memory of 1268	5000	cmd.exe	findstr.exe
PID 5000 wrote to memory of 1268	5000	cmd.exe	findstr.exe
PID 5000 wrote to memory of 1268	5000	cmd.exe	findstr.exe
PID 5000 wrote to memory of 228	5000	cmd.exe	Portion.exe.pif
PID 5000 wrote to memory of 228	5000	cmd.exe	Portion.exe.pif
PID 5000 wrote to memory of 228	5000	cmd.exe	Portion.exe.pif
PID 5000 wrote to memory of 1488	5000	cmd.exe	PING.EXE
PID 5000 wrote to memory of 1488	5000	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f.exe
"C:\Users\Admin\AppData\Local\Temp\b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4304

C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:4048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\acc0b83959" /P "Admin:N"&&CACLS "..\acc0b83959" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:864

C:\Windows\SysWOW64\cacls.exe
CACLS "gntuud.exe" /P "Admin:N"
4⤵
PID:1396

C:\Windows\SysWOW64\cacls.exe
CACLS "gntuud.exe" /P "Admin:R" /E
4⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1500

C:\Windows\SysWOW64\cacls.exe
CACLS "..\acc0b83959" /P "Admin:N"
4⤵
PID:4380

C:\Windows\SysWOW64\cacls.exe
CACLS "..\acc0b83959" /P "Admin:R" /E
4⤵
PID:3680

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000003062\syncfiles.dll, rundll
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000003062\syncfiles.dll, rundll
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3784

C:\Users\Admin\AppData\Roaming\1000019050\umciavi32.exe
"C:\Users\Admin\AppData\Roaming\1000019050\umciavi32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\SETUP_19059\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_19059\Engine.exe /TH_ID=_3216 /OriginExe="C:\Users\Admin\AppData\Roaming\1000019050\umciavi32.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd < 69
5⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avgui
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^3248094640093801934202449064570492665154867496$" 06
7⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\ckt51500.ria\28117\Portion.exe.pif
28117\\Portion.exe.pif 28117\\B
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:228

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 8
7⤵
- Runs ping.exe
PID:1488

C:\Users\Admin\AppData\Local\Temp\1000020001\avicapn32.exe
"C:\Users\Admin\AppData\Local\Temp\1000020001\avicapn32.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
4⤵
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
PID:5084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000003062\syncfiles.dll
Filesize
6.4MB

MD5
2f781ea76036a17bbd0c0f63be7cff12

SHA1
b9b4c756949a038e87f4efd3569ba12c41a8e810

SHA256
3acc979360b4496d3557182148b005a36f5334ea1b7efc42095c85aa0bf64372

SHA512
c2b89d8be8438b9234a4cfeee4bd46535ec15dbf599c7553b957f0d3a8703fbd9dada2d2baa3b1a25b2bc58907f6db2f271d9d1926cac89d69912fb9e4f83208

Download Submit
C:\Users\Admin\1000003062\syncfiles.dll
Filesize
6.4MB

MD5
2f781ea76036a17bbd0c0f63be7cff12

SHA1
b9b4c756949a038e87f4efd3569ba12c41a8e810

SHA256
3acc979360b4496d3557182148b005a36f5334ea1b7efc42095c85aa0bf64372

SHA512
c2b89d8be8438b9234a4cfeee4bd46535ec15dbf599c7553b957f0d3a8703fbd9dada2d2baa3b1a25b2bc58907f6db2f271d9d1926cac89d69912fb9e4f83208

Download Submit
C:\Users\Admin\1000003062\syncfiles.dll
Filesize
6.4MB

MD5
2f781ea76036a17bbd0c0f63be7cff12

SHA1
b9b4c756949a038e87f4efd3569ba12c41a8e810

SHA256
3acc979360b4496d3557182148b005a36f5334ea1b7efc42095c85aa0bf64372

SHA512
c2b89d8be8438b9234a4cfeee4bd46535ec15dbf599c7553b957f0d3a8703fbd9dada2d2baa3b1a25b2bc58907f6db2f271d9d1926cac89d69912fb9e4f83208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
856c193eb7f323116e93f943be44666c

SHA1
93065eef3deda5dac6ed21769ab3a864e34cbe3c

SHA256
6efa4802074dde39e7781a7149c7aebab546aa5f835038e056936d5f8278d87d

SHA512
8009ae5fdcf3e1010a802c761a7b9069fa4eb310eca6b82db0d3d814ed5b4f1725a6df07c28f1133ac2680c6754a5ae2b9f85688fd004424cfd9243ddb6d184b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\avicapn32.exe
Filesize
194KB

MD5
9ac7b60b880d404a156457d7b1dacd05

SHA1
54ad3bc6bd447a016aba24d3d7adaf0ecac38f75

SHA256
c0a070dd3a3fe772359440bce75f73825ea8f16b195e15d91a2fa8c120c32463

SHA512
5b738e583cfcb06f44afc3da81b38f493bc17b4657cdf911b0a8759e85ba3d1b165e7b327523b6bb79d7e9dc086d5474f64776f8e7e9393fce7769a377934a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\avicapn32.exe
Filesize
194KB

MD5
9ac7b60b880d404a156457d7b1dacd05

SHA1
54ad3bc6bd447a016aba24d3d7adaf0ecac38f75

SHA256
c0a070dd3a3fe772359440bce75f73825ea8f16b195e15d91a2fa8c120c32463

SHA512
5b738e583cfcb06f44afc3da81b38f493bc17b4657cdf911b0a8759e85ba3d1b165e7b327523b6bb79d7e9dc086d5474f64776f8e7e9393fce7769a377934a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_19059\00000#06
Filesize
872KB

MD5
3cdc0d31aee9f7223afdbdfc2f36f6a5

SHA1
de414174005ac4794e901f8d99ff3ea595ba68eb

SHA256
4021cce6fdc1d43d1a389fcfb212ce07cef8e01e8803ced6fe3c421802639369

SHA512
ee86c1123b107c784b6e94bd9e4037136f73686c0f6fedf3f60926b7371941359f32b131dd29401e2ebf6e9f26a7ccc1b347591a862a686ff4ce6237762da9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_19059\00001#69
Filesize
10KB

MD5
767125c146432d6bc91cfebb697da9e1

SHA1
48b0e29458447a6b5e111dc04ac5b7b565a0656b

SHA256
1085125450bde79c1c70230d90a6965e22d218d103c456a2b95d50d2b05b3eba

SHA512
77ec52dfe0454c34a9d7d0fb14641398b6bf11ab3a9919470d018c25d6b7d5e542fa9406465dbf4fd403349a91b36691b6f63896ec02a3c8e9be3a84c57954e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_19059\00002#7
Filesize
1.5MB

MD5
c4608baba4469ad420ea3a18c0daba5a

SHA1
68abd369422fb326e387d461244226f5242761ee

SHA256
3ebd30c7fb5a86de8975a5e96f4e875e21ad50358de6988e4deffd250c4bacf8

SHA512
a785b72f5db57bc165586b1551d1c7702b2c387d6d76ae82f126ac9567cd2a1a1f0ebf80eeeddb1dc6b155680b9d99eeff3fed59fbec6b4a3bc1cc91362d64e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_19059\Engine.exe
Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_19059\Engine.exe
Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_19059\Modern_Icon.bmp
Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_19059\Setup.txt
Filesize
2KB

MD5
3502606b47f353647741bfae662f1fd4

SHA1
1fc4247b029a2ab3c092154b16b960200c6954e8

SHA256
467b95e5714e8c0490965500aadf0576afccd0504a3419bbac059f51cc5f4c80

SHA512
610809440132e4b412e9ecbfaf88303c788626bb0858d2aeb4842ec6a6fb529abdd7deaa8900775a964055a25af41143184cd8096d0f4d9ebc3b0752ece1f11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
342KB

MD5
1883b1cf887b4748bcf5f6fd82a6dce3

SHA1
0027119a3c92b25e6dac059d952c2298de29cc66

SHA256
b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f

SHA512
88f56c14b4517b1745e769c9995d3dd5f8ae804cb3ab4e861017a85837b967b88ece92c7cb5a16d50a1cb1d6189f38e75d971b3f28a6f506f061f6ce1d7c2edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
342KB

MD5
1883b1cf887b4748bcf5f6fd82a6dce3

SHA1
0027119a3c92b25e6dac059d952c2298de29cc66

SHA256
b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f

SHA512
88f56c14b4517b1745e769c9995d3dd5f8ae804cb3ab4e861017a85837b967b88ece92c7cb5a16d50a1cb1d6189f38e75d971b3f28a6f506f061f6ce1d7c2edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckt51500.ria\28117\Portion.exe.pif
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\1000019050\umciavi32.exe
Filesize
1.6MB

MD5
69a3014aa137c526dfd131460f458241

SHA1
f0c6afa51de99f657d4d005615d6cb290dca4540

SHA256
35c6d144c1b40b1914e7a16856af6e05eccccae04545bb04716b0f1f186ee7ff

SHA512
132429678f8c1d60eb09a1d7239161bf4232303ad63b8fcee8fa98173721ecb6c8909749153681f738725f2850e969ad12b5c904cd96cfb8fe146d46f246cdac

Download Submit
C:\Users\Admin\AppData\Roaming\1000019050\umciavi32.exe
Filesize
1.6MB

MD5
69a3014aa137c526dfd131460f458241

SHA1
f0c6afa51de99f657d4d005615d6cb290dca4540

SHA256
35c6d144c1b40b1914e7a16856af6e05eccccae04545bb04716b0f1f186ee7ff

SHA512
132429678f8c1d60eb09a1d7239161bf4232303ad63b8fcee8fa98173721ecb6c8909749153681f738725f2850e969ad12b5c904cd96cfb8fe146d46f246cdac

Download Submit
memory/228-191-0x0000000000000000-mapping.dmp

Download
memory/820-157-0x0000000000000000-mapping.dmp

Download
memory/820-161-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/864-142-0x0000000000000000-mapping.dmp

Download
memory/1268-190-0x0000000000000000-mapping.dmp

Download
memory/1396-143-0x0000000000000000-mapping.dmp

Download
memory/1488-193-0x0000000000000000-mapping.dmp

Download
memory/1500-145-0x0000000000000000-mapping.dmp

Download
memory/2564-181-0x0000000000000000-mapping.dmp

Download
memory/3068-153-0x0000000000000000-mapping.dmp

Download
memory/3228-178-0x0000000005980000-0x00000000059E6000-memory.dmp

Filesize
408KB

Download
memory/3228-184-0x0000000006520000-0x000000000653A000-memory.dmp

Filesize
104KB

Download
memory/3228-186-0x00000000075D0000-0x0000000007B74000-memory.dmp

Filesize
5.6MB

Download
memory/3228-185-0x0000000006FF0000-0x0000000007012000-memory.dmp

Filesize
136KB

Download
memory/3228-183-0x0000000006590000-0x0000000006626000-memory.dmp

Filesize
600KB

Download
memory/3228-180-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/3228-179-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/3228-177-0x0000000005180000-0x00000000051A2000-memory.dmp

Filesize
136KB

Download
memory/3228-176-0x00000000052E0000-0x0000000005908000-memory.dmp

Filesize
6.2MB

Download
memory/3228-174-0x0000000002730000-0x0000000002766000-memory.dmp

Filesize
216KB

Download
memory/3228-172-0x0000000000000000-mapping.dmp

Download
memory/3324-141-0x0000000000000000-mapping.dmp

Download
memory/3420-148-0x0000000000000000-mapping.dmp

Download
memory/3608-134-0x0000000000000000-mapping.dmp

Download
memory/3608-175-0x0000000000C50000-0x0000000000C94000-memory.dmp

Filesize
272KB

Download
memory/3608-139-0x0000000000C50000-0x0000000000C94000-memory.dmp

Filesize
272KB

Download
memory/3680-147-0x0000000000000000-mapping.dmp

Download
memory/3784-156-0x00007FFC42B40000-0x00007FFC4353D000-memory.dmp

Filesize
10.0MB

Download
memory/3784-151-0x0000000000000000-mapping.dmp

Download
memory/3812-187-0x0000000000000000-mapping.dmp

Download
memory/4048-140-0x0000000000000000-mapping.dmp

Download
memory/4304-132-0x0000000001220000-0x0000000001264000-memory.dmp

Filesize
272KB

Download
memory/4304-137-0x0000000001220000-0x0000000001264000-memory.dmp

Filesize
272KB

Download
memory/4304-133-0x0000000001220000-0x0000000001264000-memory.dmp

Filesize
272KB

Download
memory/4380-146-0x0000000000000000-mapping.dmp

Download
memory/4408-182-0x0000000001260000-0x0000000001279000-memory.dmp

Filesize
100KB

Download
memory/4408-168-0x0000000000000000-mapping.dmp

Download
memory/4408-173-0x0000000001260000-0x0000000001279000-memory.dmp

Filesize
100KB

Download
memory/4408-171-0x0000000001260000-0x0000000001279000-memory.dmp

Filesize
100KB

Download
memory/4448-166-0x0000000000000000-mapping.dmp

Download
memory/4572-144-0x0000000000000000-mapping.dmp

Download
memory/5000-167-0x0000000000000000-mapping.dmp

Download