amadey | aa69245f1de4736bb7e95461f9dbc24212790166113bea5a3ae719d5268f3fdb

Analysis

max time kernel
115s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

888853269223dfc801a3ad3e3235fbc1.exe
Size

1.0MB
MD5

888853269223dfc801a3ad3e3235fbc1
SHA1

aefe02c01dc2503a61bf38c2bf924f3be138053d
SHA256

aa69245f1de4736bb7e95461f9dbc24212790166113bea5a3ae719d5268f3fdb
SHA512

ecae9748ede2d44be721532f64d4b528618fb192ac935f98112d530a5ea0fe7369bf4388f1d44e725cc452fa0a08e9247a67d387495a344a6108e135f03b0666
SSDEEP

24576:XyQR5waSbnqA0WXs1eaHZZbJ1GQ4h0TaoI:iQRjSbn/0cs1tX3GJAa

Score

10^/10

amadey redline fort sony discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

fort

193.233.20.33:4125

Attributes

auth_value
5ea5673154a804d8c80f565f7276f720

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz7346.exev9000cV.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7346.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7346.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7346.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7346.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v9000cV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v9000cV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz7346.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7346.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v9000cV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v9000cV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v9000cV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v9000cV.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3020-210-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-211-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-213-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-215-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-219-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-223-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-225-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-227-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-229-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-231-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-233-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-235-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-237-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-239-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-241-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-243-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-245-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral2/memory/3020-247-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y99uW76.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	y99uW76.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 10 IoCs

Processes:

zap2100.exezap5928.exezap7230.exetz7346.exev9000cV.exew71pW19.exexwiGE63.exey99uW76.exelegenda.exelegenda.exe

pid	process
3408	zap2100.exe
5112	zap5928.exe
4900	zap7230.exe
672	tz7346.exe
4480	v9000cV.exe
3020	w71pW19.exe
3456	xwiGE63.exe
1528	y99uW76.exe
1324	legenda.exe
3532	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3932 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3932	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz7346.exev9000cV.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7346.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v9000cV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v9000cV.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap5928.exezap7230.exe888853269223dfc801a3ad3e3235fbc1.exezap2100.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap5928.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7230.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	888853269223dfc801a3ad3e3235fbc1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	888853269223dfc801a3ad3e3235fbc1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2100.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5928.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2080 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz7346.exev9000cV.exew71pW19.exexwiGE63.exe

pid process

672 tz7346.exe
672 tz7346.exe
4480 v9000cV.exe
4480 v9000cV.exe
3020 w71pW19.exe
3020 w71pW19.exe
3456 xwiGE63.exe
3456 xwiGE63.exe

pid	process
2080	schtasks.exe

pid	process
672	tz7346.exe
672	tz7346.exe
4480	v9000cV.exe
4480	v9000cV.exe
3020	w71pW19.exe
3020	w71pW19.exe
3456	xwiGE63.exe
3456	xwiGE63.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz7346.exev9000cV.exew71pW19.exexwiGE63.exe

description	pid	process
Token: SeDebugPrivilege	672	tz7346.exe
Token: SeDebugPrivilege	4480	v9000cV.exe
Token: SeDebugPrivilege	3020	w71pW19.exe
Token: SeDebugPrivilege	3456	xwiGE63.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

888853269223dfc801a3ad3e3235fbc1.exezap2100.exezap5928.exezap7230.exey99uW76.exelegenda.execmd.exe

description	pid	process	target process
PID 464 wrote to memory of 3408	464	888853269223dfc801a3ad3e3235fbc1.exe	zap2100.exe
PID 464 wrote to memory of 3408	464	888853269223dfc801a3ad3e3235fbc1.exe	zap2100.exe
PID 464 wrote to memory of 3408	464	888853269223dfc801a3ad3e3235fbc1.exe	zap2100.exe
PID 3408 wrote to memory of 5112	3408	zap2100.exe	zap5928.exe
PID 3408 wrote to memory of 5112	3408	zap2100.exe	zap5928.exe
PID 3408 wrote to memory of 5112	3408	zap2100.exe	zap5928.exe
PID 5112 wrote to memory of 4900	5112	zap5928.exe	zap7230.exe
PID 5112 wrote to memory of 4900	5112	zap5928.exe	zap7230.exe
PID 5112 wrote to memory of 4900	5112	zap5928.exe	zap7230.exe
PID 4900 wrote to memory of 672	4900	zap7230.exe	tz7346.exe
PID 4900 wrote to memory of 672	4900	zap7230.exe	tz7346.exe
PID 4900 wrote to memory of 4480	4900	zap7230.exe	v9000cV.exe
PID 4900 wrote to memory of 4480	4900	zap7230.exe	v9000cV.exe
PID 4900 wrote to memory of 4480	4900	zap7230.exe	v9000cV.exe
PID 5112 wrote to memory of 3020	5112	zap5928.exe	w71pW19.exe
PID 5112 wrote to memory of 3020	5112	zap5928.exe	w71pW19.exe
PID 5112 wrote to memory of 3020	5112	zap5928.exe	w71pW19.exe
PID 3408 wrote to memory of 3456	3408	zap2100.exe	xwiGE63.exe
PID 3408 wrote to memory of 3456	3408	zap2100.exe	xwiGE63.exe
PID 3408 wrote to memory of 3456	3408	zap2100.exe	xwiGE63.exe
PID 464 wrote to memory of 1528	464	888853269223dfc801a3ad3e3235fbc1.exe	y99uW76.exe
PID 464 wrote to memory of 1528	464	888853269223dfc801a3ad3e3235fbc1.exe	y99uW76.exe
PID 464 wrote to memory of 1528	464	888853269223dfc801a3ad3e3235fbc1.exe	y99uW76.exe
PID 1528 wrote to memory of 1324	1528	y99uW76.exe	legenda.exe
PID 1528 wrote to memory of 1324	1528	y99uW76.exe	legenda.exe
PID 1528 wrote to memory of 1324	1528	y99uW76.exe	legenda.exe
PID 1324 wrote to memory of 2080	1324	legenda.exe	schtasks.exe
PID 1324 wrote to memory of 2080	1324	legenda.exe	schtasks.exe
PID 1324 wrote to memory of 2080	1324	legenda.exe	schtasks.exe
PID 1324 wrote to memory of 2612	1324	legenda.exe	cmd.exe
PID 1324 wrote to memory of 2612	1324	legenda.exe	cmd.exe
PID 1324 wrote to memory of 2612	1324	legenda.exe	cmd.exe
PID 2612 wrote to memory of 620	2612	cmd.exe	cmd.exe
PID 2612 wrote to memory of 620	2612	cmd.exe	cmd.exe
PID 2612 wrote to memory of 620	2612	cmd.exe	cmd.exe
PID 2612 wrote to memory of 384	2612	cmd.exe	cacls.exe
PID 2612 wrote to memory of 384	2612	cmd.exe	cacls.exe
PID 2612 wrote to memory of 384	2612	cmd.exe	cacls.exe
PID 2612 wrote to memory of 1448	2612	cmd.exe	cacls.exe
PID 2612 wrote to memory of 1448	2612	cmd.exe	cacls.exe
PID 2612 wrote to memory of 1448	2612	cmd.exe	cacls.exe
PID 2612 wrote to memory of 4276	2612	cmd.exe	cmd.exe
PID 2612 wrote to memory of 4276	2612	cmd.exe	cmd.exe
PID 2612 wrote to memory of 4276	2612	cmd.exe	cmd.exe
PID 2612 wrote to memory of 4620	2612	cmd.exe	cacls.exe
PID 2612 wrote to memory of 4620	2612	cmd.exe	cacls.exe
PID 2612 wrote to memory of 4620	2612	cmd.exe	cacls.exe
PID 2612 wrote to memory of 3588	2612	cmd.exe	cacls.exe
PID 2612 wrote to memory of 3588	2612	cmd.exe	cacls.exe
PID 2612 wrote to memory of 3588	2612	cmd.exe	cacls.exe
PID 1324 wrote to memory of 3932	1324	legenda.exe	rundll32.exe
PID 1324 wrote to memory of 3932	1324	legenda.exe	rundll32.exe
PID 1324 wrote to memory of 3932	1324	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\888853269223dfc801a3ad3e3235fbc1.exe
"C:\Users\Admin\AppData\Local\Temp\888853269223dfc801a3ad3e3235fbc1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:464

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2100.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2100.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5928.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5928.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7230.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7230.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7346.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7346.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9000cV.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9000cV.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71pW19.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71pW19.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwiGE63.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwiGE63.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y99uW76.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y99uW76.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:2080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:620

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:384

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4276

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4620

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3588

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3932

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y99uW76.exe
Filesize
236KB

MD5
f03606e572ae6eb2e9ed471b43256d7d

SHA1
3b15e2a7a23e51bc079ac8381bd0565369b47db7

SHA256
ea13ae3940905548608aabc25e4dfac2fd34506e2300bda3346910b626ee4ec3

SHA512
f0ce44132c7c5d9787dbb9854ea5e247d6a2afbfa2134b5b35fb27e42a3f57468846ddc28945e4009050a30c68e494c1d25ff1c9a3bde8c457c27ded93e53349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y99uW76.exe
Filesize
236KB

MD5
f03606e572ae6eb2e9ed471b43256d7d

SHA1
3b15e2a7a23e51bc079ac8381bd0565369b47db7

SHA256
ea13ae3940905548608aabc25e4dfac2fd34506e2300bda3346910b626ee4ec3

SHA512
f0ce44132c7c5d9787dbb9854ea5e247d6a2afbfa2134b5b35fb27e42a3f57468846ddc28945e4009050a30c68e494c1d25ff1c9a3bde8c457c27ded93e53349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2100.exe
Filesize
853KB

MD5
8b7a21c3d01db3929979acb688bc879b

SHA1
b508042f9d7fedd4a685c83e107253dcec922923

SHA256
96d6bf4f9f57a8e6d76a4d631950221f43495ad009e6021016c737fe5d1cdccd

SHA512
3e9a2bd6a326c4d03fd85502a834a9c9ee14452f6c04fab6fd503928edb5093f33fde6abe1c6479517f9edfa772651933e2c4a97c1bf8c8f12354fdc70406173

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2100.exe
Filesize
853KB

MD5
8b7a21c3d01db3929979acb688bc879b

SHA1
b508042f9d7fedd4a685c83e107253dcec922923

SHA256
96d6bf4f9f57a8e6d76a4d631950221f43495ad009e6021016c737fe5d1cdccd

SHA512
3e9a2bd6a326c4d03fd85502a834a9c9ee14452f6c04fab6fd503928edb5093f33fde6abe1c6479517f9edfa772651933e2c4a97c1bf8c8f12354fdc70406173

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwiGE63.exe
Filesize
175KB

MD5
242809dc278b152075f9fa6af3f2a165

SHA1
336dc948dc38340d790cefa9b4df0434c70d49aa

SHA256
d70d306ce77e374d9dac97874e4b9887c139e90ed59c5ce7fbd98b2de567304f

SHA512
828dc2567e4af7f62441791d74329d4802340d85d3d0a56c24876c7aa87eb0a1cb9f3958a012c5e842bf21481e142087af4fd0d8376fffae49e56e421c28a253

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwiGE63.exe
Filesize
175KB

MD5
242809dc278b152075f9fa6af3f2a165

SHA1
336dc948dc38340d790cefa9b4df0434c70d49aa

SHA256
d70d306ce77e374d9dac97874e4b9887c139e90ed59c5ce7fbd98b2de567304f

SHA512
828dc2567e4af7f62441791d74329d4802340d85d3d0a56c24876c7aa87eb0a1cb9f3958a012c5e842bf21481e142087af4fd0d8376fffae49e56e421c28a253

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5928.exe
Filesize
711KB

MD5
854599ecf6d3f4aeac14f3dd088974bb

SHA1
4035ed65ed7765ae13f4c3682141da67263cea98

SHA256
c61fc4a270703d64adeebb41bcf2c92c9e5df2fc9af03cd46bde9910f21497da

SHA512
38f4da44dbd6e74927a18e4c6cdd6e405321b87183374f652cde96065ceb8f8707125bb7eefd6f5993b5de3ea052b2739ab1b52289aed9abb6cf7494527ca3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5928.exe
Filesize
711KB

MD5
854599ecf6d3f4aeac14f3dd088974bb

SHA1
4035ed65ed7765ae13f4c3682141da67263cea98

SHA256
c61fc4a270703d64adeebb41bcf2c92c9e5df2fc9af03cd46bde9910f21497da

SHA512
38f4da44dbd6e74927a18e4c6cdd6e405321b87183374f652cde96065ceb8f8707125bb7eefd6f5993b5de3ea052b2739ab1b52289aed9abb6cf7494527ca3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71pW19.exe
Filesize
384KB

MD5
1f349449d019456edffc62c702079d88

SHA1
5369a260e2913878bcbc991150db47e7a3037ba5

SHA256
71a82465d20d849be03c8ba26048acb79e01bd8fd7fcbd6be321ab6737e563d8

SHA512
d572dd01a3ec7eb2eea086fa333ef746edbb7b749d091505ffe2a671277aa42380fd6bb0a3dc963157534647c654d3ae8a9bc1d7acc3b9ea6c9feac290e6134a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w71pW19.exe
Filesize
384KB

MD5
1f349449d019456edffc62c702079d88

SHA1
5369a260e2913878bcbc991150db47e7a3037ba5

SHA256
71a82465d20d849be03c8ba26048acb79e01bd8fd7fcbd6be321ab6737e563d8

SHA512
d572dd01a3ec7eb2eea086fa333ef746edbb7b749d091505ffe2a671277aa42380fd6bb0a3dc963157534647c654d3ae8a9bc1d7acc3b9ea6c9feac290e6134a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7230.exe
Filesize
352KB

MD5
ad1460345a27a9596c1e2ac111aa1fb9

SHA1
6ef9d7d5a152d69b4036c8e797dec79807c29bbe

SHA256
98af692e6fb7491c5a1028e6956120ff78c92d1aca9e201b6841409e11a076f7

SHA512
d19417543b9d2b50ed1c68113fc0929fee22e701bb0dbbe077dc39a94824277a89ef2ccbf1b2bc68eff748b880dc2c273c029605043e125187f605489b21eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7230.exe
Filesize
352KB

MD5
ad1460345a27a9596c1e2ac111aa1fb9

SHA1
6ef9d7d5a152d69b4036c8e797dec79807c29bbe

SHA256
98af692e6fb7491c5a1028e6956120ff78c92d1aca9e201b6841409e11a076f7

SHA512
d19417543b9d2b50ed1c68113fc0929fee22e701bb0dbbe077dc39a94824277a89ef2ccbf1b2bc68eff748b880dc2c273c029605043e125187f605489b21eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7346.exe
Filesize
11KB

MD5
5e29a477a896a699f35b9b253898c130

SHA1
ec07a2b39c1b6587deff3740d7f03f9c02b0c74e

SHA256
0c3a89da99e43c666ce0f68bcca35d81112d25cb379e2baf2e20fd6dc06d7136

SHA512
f4f13fcf4f70d51319dc0a22fae98878ccfc3e0f4e4fea4ab5bccc60c5ba54b2fa468d7ba394e7b1691cce85bb5a976f531bdbbbeba031f816946171bd040607

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7346.exe
Filesize
11KB

MD5
5e29a477a896a699f35b9b253898c130

SHA1
ec07a2b39c1b6587deff3740d7f03f9c02b0c74e

SHA256
0c3a89da99e43c666ce0f68bcca35d81112d25cb379e2baf2e20fd6dc06d7136

SHA512
f4f13fcf4f70d51319dc0a22fae98878ccfc3e0f4e4fea4ab5bccc60c5ba54b2fa468d7ba394e7b1691cce85bb5a976f531bdbbbeba031f816946171bd040607

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9000cV.exe
Filesize
325KB

MD5
dd5810033e26778f1baa489ef67f124e

SHA1
a4363494d9c54a20d07ad9f1f5e25729bef4ad32

SHA256
dee5d0eaab0b5384e84cc39ddf38f0be54a7f46348e262cf159b26557c7f4504

SHA512
a328f66c4694819ead063213ffe8d14b0272b65c0fa5ab7b4d6e6ff5be2ba64e634ecdecfe061ddd1a3e7f9c5f5d9116106a1fe5fa6924f02122de066b0280e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9000cV.exe
Filesize
325KB

MD5
dd5810033e26778f1baa489ef67f124e

SHA1
a4363494d9c54a20d07ad9f1f5e25729bef4ad32

SHA256
dee5d0eaab0b5384e84cc39ddf38f0be54a7f46348e262cf159b26557c7f4504

SHA512
a328f66c4694819ead063213ffe8d14b0272b65c0fa5ab7b4d6e6ff5be2ba64e634ecdecfe061ddd1a3e7f9c5f5d9116106a1fe5fa6924f02122de066b0280e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
236KB

MD5
f03606e572ae6eb2e9ed471b43256d7d

SHA1
3b15e2a7a23e51bc079ac8381bd0565369b47db7

SHA256
ea13ae3940905548608aabc25e4dfac2fd34506e2300bda3346910b626ee4ec3

SHA512
f0ce44132c7c5d9787dbb9854ea5e247d6a2afbfa2134b5b35fb27e42a3f57468846ddc28945e4009050a30c68e494c1d25ff1c9a3bde8c457c27ded93e53349

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
236KB

MD5
f03606e572ae6eb2e9ed471b43256d7d

SHA1
3b15e2a7a23e51bc079ac8381bd0565369b47db7

SHA256
ea13ae3940905548608aabc25e4dfac2fd34506e2300bda3346910b626ee4ec3

SHA512
f0ce44132c7c5d9787dbb9854ea5e247d6a2afbfa2134b5b35fb27e42a3f57468846ddc28945e4009050a30c68e494c1d25ff1c9a3bde8c457c27ded93e53349

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
236KB

MD5
f03606e572ae6eb2e9ed471b43256d7d

SHA1
3b15e2a7a23e51bc079ac8381bd0565369b47db7

SHA256
ea13ae3940905548608aabc25e4dfac2fd34506e2300bda3346910b626ee4ec3

SHA512
f0ce44132c7c5d9787dbb9854ea5e247d6a2afbfa2134b5b35fb27e42a3f57468846ddc28945e4009050a30c68e494c1d25ff1c9a3bde8c457c27ded93e53349

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
236KB

MD5
f03606e572ae6eb2e9ed471b43256d7d

SHA1
3b15e2a7a23e51bc079ac8381bd0565369b47db7

SHA256
ea13ae3940905548608aabc25e4dfac2fd34506e2300bda3346910b626ee4ec3

SHA512
f0ce44132c7c5d9787dbb9854ea5e247d6a2afbfa2134b5b35fb27e42a3f57468846ddc28945e4009050a30c68e494c1d25ff1c9a3bde8c457c27ded93e53349

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/672-161-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/3020-1127-0x0000000008A80000-0x0000000008B12000-memory.dmp

Filesize
584KB

Download
memory/3020-241-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-1134-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3020-1133-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3020-1132-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3020-1131-0x0000000009440000-0x0000000009490000-memory.dmp

Filesize
320KB

Download
memory/3020-1130-0x00000000093C0000-0x0000000009436000-memory.dmp

Filesize
472KB

Download
memory/3020-1129-0x0000000008D50000-0x000000000927C000-memory.dmp

Filesize
5.2MB

Download
memory/3020-1128-0x0000000008B80000-0x0000000008D42000-memory.dmp

Filesize
1.8MB

Download
memory/3020-1126-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/3020-1124-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3020-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/3020-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/3020-210-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-211-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-213-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-215-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-216-0x0000000002D90000-0x0000000002DDB000-memory.dmp

Filesize
300KB

Download
memory/3020-218-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3020-219-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-220-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3020-223-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-222-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3020-225-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-227-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-229-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-231-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-233-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-235-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-237-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-239-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-1121-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/3020-243-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-245-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-247-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/3020-1120-0x0000000007920000-0x0000000007F38000-memory.dmp

Filesize
6.1MB

Download
memory/3456-1140-0x00000000002F0000-0x0000000000322000-memory.dmp

Filesize
200KB

Download
memory/3456-1141-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4480-193-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-202-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/4480-181-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-185-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-189-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-201-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/4480-200-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/4480-187-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-197-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-195-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-191-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-183-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-203-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/4480-205-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/4480-199-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-177-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-179-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-173-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-175-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-172-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/4480-171-0x0000000007380000-0x0000000007924000-memory.dmp

Filesize
5.6MB

Download
memory/4480-170-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/4480-169-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/4480-168-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/4480-167-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download