amadey | ead67b6ebbf6b6d291927e355ed4f1aea09834d74ca6761a2bf911a33aafd481

Analysis

max time kernel
106s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ead67b6ebbf6b6d291927e355ed4f1aea09834d74ca6761a2bf911a33aafd481.exe
Size

1.0MB
MD5

68d19e44162edff0e926ff35f2a52a79
SHA1

ea41ae72fd0dac3f7b9de6586d3b4b4669d6b16a
SHA256

ead67b6ebbf6b6d291927e355ed4f1aea09834d74ca6761a2bf911a33aafd481
SHA512

9186c2b61123734823b01fa9a2b2a56d5bef31e702513d1d03bc0e8553ad0047750fbff2ffdf2d565a901fc093757405d8f955528e361eb0cd80801f401a1a01
SSDEEP

24576:QyKKAyRYNtLH47QVk58utufg+0TqnpWjjuyYhBYHztHE:XKKAdfL6jUgnTT3hYfYTd

Score

10^/10

amadey redline sony vila discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sony

193.233.20.33:4125

Attributes

auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

vila

193.233.20.33:4125

Attributes

auth_value
94b115d79ddcab0a0fb9dfab8e225c3b

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz4529.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v4579PJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v4579PJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v4579PJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz4529.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz4529.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz4529.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v4579PJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v4579PJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v4579PJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz4529.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz4529.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/2244-210-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-212-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-209-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-214-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-216-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-218-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-220-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-222-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-224-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-228-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-226-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-230-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-232-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-234-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-236-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-238-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-240-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-242-0x0000000002820000-0x000000000285E000-memory.dmp	family_redline
behavioral1/memory/2244-248-0x0000000004E70000-0x0000000004E80000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	y78Nv62.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 10 IoCs

pid	Process
5080	zap3050.exe
3716	zap3915.exe
2032	zap8500.exe
3820	tz4529.exe
4492	v4579PJ.exe
2244	w83sU63.exe
3700	xLqTX59.exe
464	y78Nv62.exe
396	legenda.exe
2108	legenda.exe

Loads dropped DLL 1 IoCs

pid	Process
3852	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz4529.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v4579PJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v4579PJ.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ead67b6ebbf6b6d291927e355ed4f1aea09834d74ca6761a2bf911a33aafd481.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap3050.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3915.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3915.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap8500.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ead67b6ebbf6b6d291927e355ed4f1aea09834d74ca6761a2bf911a33aafd481.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
452	4492	WerFault.exe	93
988	2244	WerFault.exe	99

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3820	tz4529.exe
3820	tz4529.exe
4492	v4579PJ.exe
4492	v4579PJ.exe
2244	w83sU63.exe
2244	w83sU63.exe
3700	xLqTX59.exe
3700	xLqTX59.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3820	tz4529.exe
Token: SeDebugPrivilege	4492	v4579PJ.exe
Token: SeDebugPrivilege	2244	w83sU63.exe
Token: SeDebugPrivilege	3700	xLqTX59.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 5080	648	ead67b6ebbf6b6d291927e355ed4f1aea09834d74ca6761a2bf911a33aafd481.exe	85
PID 648 wrote to memory of 5080	648	ead67b6ebbf6b6d291927e355ed4f1aea09834d74ca6761a2bf911a33aafd481.exe	85
PID 648 wrote to memory of 5080	648	ead67b6ebbf6b6d291927e355ed4f1aea09834d74ca6761a2bf911a33aafd481.exe	85
PID 5080 wrote to memory of 3716	5080	zap3050.exe	86
PID 5080 wrote to memory of 3716	5080	zap3050.exe	86
PID 5080 wrote to memory of 3716	5080	zap3050.exe	86
PID 3716 wrote to memory of 2032	3716	zap3915.exe	87
PID 3716 wrote to memory of 2032	3716	zap3915.exe	87
PID 3716 wrote to memory of 2032	3716	zap3915.exe	87
PID 2032 wrote to memory of 3820	2032	zap8500.exe	88
PID 2032 wrote to memory of 3820	2032	zap8500.exe	88
PID 2032 wrote to memory of 4492	2032	zap8500.exe	93
PID 2032 wrote to memory of 4492	2032	zap8500.exe	93
PID 2032 wrote to memory of 4492	2032	zap8500.exe	93
PID 3716 wrote to memory of 2244	3716	zap3915.exe	99
PID 3716 wrote to memory of 2244	3716	zap3915.exe	99
PID 3716 wrote to memory of 2244	3716	zap3915.exe	99
PID 5080 wrote to memory of 3700	5080	zap3050.exe	103
PID 5080 wrote to memory of 3700	5080	zap3050.exe	103
PID 5080 wrote to memory of 3700	5080	zap3050.exe	103
PID 648 wrote to memory of 464	648	ead67b6ebbf6b6d291927e355ed4f1aea09834d74ca6761a2bf911a33aafd481.exe	104
PID 648 wrote to memory of 464	648	ead67b6ebbf6b6d291927e355ed4f1aea09834d74ca6761a2bf911a33aafd481.exe	104
PID 648 wrote to memory of 464	648	ead67b6ebbf6b6d291927e355ed4f1aea09834d74ca6761a2bf911a33aafd481.exe	104
PID 464 wrote to memory of 396	464	y78Nv62.exe	105
PID 464 wrote to memory of 396	464	y78Nv62.exe	105
PID 464 wrote to memory of 396	464	y78Nv62.exe	105
PID 396 wrote to memory of 5052	396	legenda.exe	106
PID 396 wrote to memory of 5052	396	legenda.exe	106
PID 396 wrote to memory of 5052	396	legenda.exe	106
PID 396 wrote to memory of 3820	396	legenda.exe	108
PID 396 wrote to memory of 3820	396	legenda.exe	108
PID 396 wrote to memory of 3820	396	legenda.exe	108
PID 3820 wrote to memory of 2628	3820	cmd.exe	110
PID 3820 wrote to memory of 2628	3820	cmd.exe	110
PID 3820 wrote to memory of 2628	3820	cmd.exe	110
PID 3820 wrote to memory of 4132	3820	cmd.exe	111
PID 3820 wrote to memory of 4132	3820	cmd.exe	111
PID 3820 wrote to memory of 4132	3820	cmd.exe	111
PID 3820 wrote to memory of 4012	3820	cmd.exe	112
PID 3820 wrote to memory of 4012	3820	cmd.exe	112
PID 3820 wrote to memory of 4012	3820	cmd.exe	112
PID 3820 wrote to memory of 3128	3820	cmd.exe	113
PID 3820 wrote to memory of 3128	3820	cmd.exe	113
PID 3820 wrote to memory of 3128	3820	cmd.exe	113
PID 3820 wrote to memory of 2484	3820	cmd.exe	114
PID 3820 wrote to memory of 2484	3820	cmd.exe	114
PID 3820 wrote to memory of 2484	3820	cmd.exe	114
PID 3820 wrote to memory of 1832	3820	cmd.exe	115
PID 3820 wrote to memory of 1832	3820	cmd.exe	115
PID 3820 wrote to memory of 1832	3820	cmd.exe	115
PID 396 wrote to memory of 3852	396	legenda.exe	116
PID 396 wrote to memory of 3852	396	legenda.exe	116
PID 396 wrote to memory of 3852	396	legenda.exe	116

C:\Users\Admin\AppData\Local\Temp\ead67b6ebbf6b6d291927e355ed4f1aea09834d74ca6761a2bf911a33aafd481.exe
"C:\Users\Admin\AppData\Local\Temp\ead67b6ebbf6b6d291927e355ed4f1aea09834d74ca6761a2bf911a33aafd481.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3050.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3050.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3915.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3915.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8500.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8500.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4529.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4529.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4579PJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4579PJ.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1080
        6⤵
        Program crash
        
        PID:452
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83sU63.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83sU63.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1352
        5⤵
        Program crash
        
        PID:988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLqTX59.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLqTX59.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y78Nv62.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y78Nv62.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
    "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:5052
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2628
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:N"
        5⤵
        
        PID:4132
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legenda.exe" /P "Admin:R" /E
        5⤵
        
        PID:4012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3128
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:N"
        5⤵
        
        PID:2484
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\f22b669919" /P "Admin:R" /E
        5⤵
        
        PID:1832
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4492 -ip 4492
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244
1⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:2108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y78Nv62.exe

Filesize
236KB

MD5
4d8eb8075c5f867974430ce397c5d3be

SHA1
3a88c3e13739d53ecbbfb52189543dd0e69340eb

SHA256
848c8854f2046d2f4205b06fc3c83f05b886a45aa59f0e6325a21939ba7f687b

SHA512
8500769411e3406015580ac0f6f4b2bfd089ebe7f7ceb845d7ac7bcb1815a647689f434e1751ccd707fbcf0eda4960e34a23d0a331b77436c24623ae67f5398c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y78Nv62.exe

Filesize
236KB

MD5
4d8eb8075c5f867974430ce397c5d3be

SHA1
3a88c3e13739d53ecbbfb52189543dd0e69340eb

SHA256
848c8854f2046d2f4205b06fc3c83f05b886a45aa59f0e6325a21939ba7f687b

SHA512
8500769411e3406015580ac0f6f4b2bfd089ebe7f7ceb845d7ac7bcb1815a647689f434e1751ccd707fbcf0eda4960e34a23d0a331b77436c24623ae67f5398c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3050.exe

Filesize
842KB

MD5
35e8ed4fa98b1a922e71c26e097205f1

SHA1
11a2481021c5824e0224bc8ce91e1846ecf43493

SHA256
85783f4790adfa96e2aed73ccddd09ae19cba85beb60ab90e4f747bced4c6f9a

SHA512
fa0ea82c4375674427c69d7641800093ab7894d859cd3e2ea3f69699ac49ddce75107a9dfede0d77ebb9ba7325067567e8acfe22db82133d332739ee5afda523

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3050.exe

Filesize
842KB

MD5
35e8ed4fa98b1a922e71c26e097205f1

SHA1
11a2481021c5824e0224bc8ce91e1846ecf43493

SHA256
85783f4790adfa96e2aed73ccddd09ae19cba85beb60ab90e4f747bced4c6f9a

SHA512
fa0ea82c4375674427c69d7641800093ab7894d859cd3e2ea3f69699ac49ddce75107a9dfede0d77ebb9ba7325067567e8acfe22db82133d332739ee5afda523

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLqTX59.exe

Filesize
175KB

MD5
ff45a620ec2a5ee565329e93111406da

SHA1
14abb7c540933968093c13f2b26aeb08f7271269

SHA256
193ad1cf62b5d4ab3817d0b924b883de6279546b39e3f26a0907a2c3f41bf127

SHA512
a101679717717ed588a763d4cd75b86cd665626d0bdbbac6c81c6d98d8ef0a8dbd2a64cce9d26fd308675994a263ce2f97fb2562af8dd87ed1aee8519db34dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLqTX59.exe

Filesize
175KB

MD5
ff45a620ec2a5ee565329e93111406da

SHA1
14abb7c540933968093c13f2b26aeb08f7271269

SHA256
193ad1cf62b5d4ab3817d0b924b883de6279546b39e3f26a0907a2c3f41bf127

SHA512
a101679717717ed588a763d4cd75b86cd665626d0bdbbac6c81c6d98d8ef0a8dbd2a64cce9d26fd308675994a263ce2f97fb2562af8dd87ed1aee8519db34dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3915.exe

Filesize
699KB

MD5
daa3f403476508951fed055cea00851c

SHA1
153c8f304193b18542d1c4317d368c2c18092d4d

SHA256
00de2be596a87a9a3a5c646da32172447b3f273152453df7b7978a9f3b5b13b0

SHA512
7ac7662d0525824a9e4fbcaeceff3871ca58f6bb917e62cc90ddda639cae87281ca06aa75079c412f19a88c6e63746cfa83f8be92ba2210830d81a31b81c015d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3915.exe

Filesize
699KB

MD5
daa3f403476508951fed055cea00851c

SHA1
153c8f304193b18542d1c4317d368c2c18092d4d

SHA256
00de2be596a87a9a3a5c646da32172447b3f273152453df7b7978a9f3b5b13b0

SHA512
7ac7662d0525824a9e4fbcaeceff3871ca58f6bb917e62cc90ddda639cae87281ca06aa75079c412f19a88c6e63746cfa83f8be92ba2210830d81a31b81c015d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83sU63.exe

Filesize
359KB

MD5
43cb7a30c4530acced4240b491a75a9a

SHA1
d9a63caf2a5ea1af75603eb9689b3e52427badb4

SHA256
955310c4aac146ae827b8de5a69b57d486f993b584e368f63642394eb5618d20

SHA512
c1842af0c62386877a93ea316a894ed4161c755253f1e2712d3e3eb2367b1ae0be23796a266c202cc2f355333a8b378e7b1fbac8edc5a14caedc11bbeb5552b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83sU63.exe

Filesize
359KB

MD5
43cb7a30c4530acced4240b491a75a9a

SHA1
d9a63caf2a5ea1af75603eb9689b3e52427badb4

SHA256
955310c4aac146ae827b8de5a69b57d486f993b584e368f63642394eb5618d20

SHA512
c1842af0c62386877a93ea316a894ed4161c755253f1e2712d3e3eb2367b1ae0be23796a266c202cc2f355333a8b378e7b1fbac8edc5a14caedc11bbeb5552b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8500.exe

Filesize
346KB

MD5
a3f958964d812bb58c2bd98dbf9a94fb

SHA1
ba8a09e9039ec1f0c7b65c25493e0d37b064340e

SHA256
9017be40fae729a41fc0e2082e211caa7afdf2043ee7cc343e8081043d0b46df

SHA512
5baf82319fa2a0e09c11e4d2dd311fcac9935b57574eb9ee6fcd2edc3d0be633fb0a8b66c5de8e738e7f40df54e1d191f11c13f23d525b631d4d56fed795aaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8500.exe

Filesize
346KB

MD5
a3f958964d812bb58c2bd98dbf9a94fb

SHA1
ba8a09e9039ec1f0c7b65c25493e0d37b064340e

SHA256
9017be40fae729a41fc0e2082e211caa7afdf2043ee7cc343e8081043d0b46df

SHA512
5baf82319fa2a0e09c11e4d2dd311fcac9935b57574eb9ee6fcd2edc3d0be633fb0a8b66c5de8e738e7f40df54e1d191f11c13f23d525b631d4d56fed795aaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4529.exe

Filesize
12KB

MD5
ddfb86c57c74804dc1bf9680dce67261

SHA1
204605fbdb68a336f1692d918b6fe1dc693e66e3

SHA256
d4e1e013692be1ca4a62f979de2586175d5183bc03e903f7ee95ede1959a95bd

SHA512
6ee86d0811945b73f6c8289b02333a95bd609c4c70ab76038746faee91dc442490698f9cbf4d9508b6a8521c0300117f316ecf0c1f797e9b77e077e57664093b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4529.exe

Filesize
12KB

MD5
ddfb86c57c74804dc1bf9680dce67261

SHA1
204605fbdb68a336f1692d918b6fe1dc693e66e3

SHA256
d4e1e013692be1ca4a62f979de2586175d5183bc03e903f7ee95ede1959a95bd

SHA512
6ee86d0811945b73f6c8289b02333a95bd609c4c70ab76038746faee91dc442490698f9cbf4d9508b6a8521c0300117f316ecf0c1f797e9b77e077e57664093b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4579PJ.exe

Filesize
300KB

MD5
7ca84cb8669d18f17fe1ddd1bc5a5e76

SHA1
eb40dd25b4701c6266f40617d4b6c9481eb7dffc

SHA256
df1ce27afd282175bb275de1da0774be48b386a4c2c1d6e859abdb36ad0fd1cb

SHA512
55e22a732f1cbdc3c7c2f252ac7ea2342c350a5e72d7e6ed5d679bb7971f772d0fb5393cad438b3f8cff9be4ef9db144fd62de051a545d89fcac79e0552f0dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4579PJ.exe

Filesize
300KB

MD5
7ca84cb8669d18f17fe1ddd1bc5a5e76

SHA1
eb40dd25b4701c6266f40617d4b6c9481eb7dffc

SHA256
df1ce27afd282175bb275de1da0774be48b386a4c2c1d6e859abdb36ad0fd1cb

SHA512
55e22a732f1cbdc3c7c2f252ac7ea2342c350a5e72d7e6ed5d679bb7971f772d0fb5393cad438b3f8cff9be4ef9db144fd62de051a545d89fcac79e0552f0dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
4d8eb8075c5f867974430ce397c5d3be

SHA1
3a88c3e13739d53ecbbfb52189543dd0e69340eb

SHA256
848c8854f2046d2f4205b06fc3c83f05b886a45aa59f0e6325a21939ba7f687b

SHA512
8500769411e3406015580ac0f6f4b2bfd089ebe7f7ceb845d7ac7bcb1815a647689f434e1751ccd707fbcf0eda4960e34a23d0a331b77436c24623ae67f5398c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
4d8eb8075c5f867974430ce397c5d3be

SHA1
3a88c3e13739d53ecbbfb52189543dd0e69340eb

SHA256
848c8854f2046d2f4205b06fc3c83f05b886a45aa59f0e6325a21939ba7f687b

SHA512
8500769411e3406015580ac0f6f4b2bfd089ebe7f7ceb845d7ac7bcb1815a647689f434e1751ccd707fbcf0eda4960e34a23d0a331b77436c24623ae67f5398c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
4d8eb8075c5f867974430ce397c5d3be

SHA1
3a88c3e13739d53ecbbfb52189543dd0e69340eb

SHA256
848c8854f2046d2f4205b06fc3c83f05b886a45aa59f0e6325a21939ba7f687b

SHA512
8500769411e3406015580ac0f6f4b2bfd089ebe7f7ceb845d7ac7bcb1815a647689f434e1751ccd707fbcf0eda4960e34a23d0a331b77436c24623ae67f5398c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
236KB

MD5
4d8eb8075c5f867974430ce397c5d3be

SHA1
3a88c3e13739d53ecbbfb52189543dd0e69340eb

SHA256
848c8854f2046d2f4205b06fc3c83f05b886a45aa59f0e6325a21939ba7f687b

SHA512
8500769411e3406015580ac0f6f4b2bfd089ebe7f7ceb845d7ac7bcb1815a647689f434e1751ccd707fbcf0eda4960e34a23d0a331b77436c24623ae67f5398c

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/2244-1127-0x00000000065E0000-0x00000000067A2000-memory.dmp

Filesize
1.8MB

Download
memory/2244-242-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-1134-0x00000000070E0000-0x0000000007130000-memory.dmp

Filesize
320KB

Download
memory/2244-1133-0x0000000007050000-0x00000000070C6000-memory.dmp

Filesize
472KB

Download
memory/2244-1132-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2244-1131-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2244-1130-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2244-1129-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2244-1128-0x00000000067B0000-0x0000000006CDC000-memory.dmp

Filesize
5.2MB

Download
memory/2244-1125-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/2244-1124-0x0000000005E10000-0x0000000005EA2000-memory.dmp

Filesize
584KB

Download
memory/2244-1123-0x0000000004E30000-0x0000000004E6C000-memory.dmp

Filesize
240KB

Download
memory/2244-1122-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/2244-210-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-212-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-209-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-214-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-216-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-218-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-220-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-222-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-224-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-228-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-226-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-230-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-232-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-234-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-236-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-238-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-240-0x0000000002820000-0x000000000285E000-memory.dmp

Filesize
248KB

Download
memory/2244-243-0x0000000002220000-0x000000000226B000-memory.dmp

Filesize
300KB

Download
memory/2244-1121-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2244-246-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2244-245-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2244-248-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2244-1119-0x0000000005430000-0x0000000005A48000-memory.dmp

Filesize
6.1MB

Download
memory/2244-1120-0x0000000005A50000-0x0000000005B5A000-memory.dmp

Filesize
1.0MB

Download
memory/3700-1140-0x0000000000D30000-0x0000000000D62000-memory.dmp

Filesize
200KB

Download
memory/3700-1141-0x0000000003060000-0x0000000003070000-memory.dmp

Filesize
64KB

Download
memory/3820-161-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/4492-196-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4492-182-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/4492-186-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/4492-202-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4492-201-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4492-199-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4492-198-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/4492-194-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4492-195-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/4492-192-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/4492-184-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/4492-203-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4492-204-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4492-190-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/4492-180-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/4492-178-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/4492-176-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/4492-174-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/4492-172-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/4492-170-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/4492-169-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/4492-168-0x0000000004E80000-0x0000000005424000-memory.dmp

Filesize
5.6MB

Download
memory/4492-167-0x0000000002340000-0x000000000236D000-memory.dmp

Filesize
180KB

Download
memory/4492-188-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download