amadey | 48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe
Size

704KB
MD5

41e0df44861db485fe4bfd5a4afa6191
SHA1

a2125ec84fe54a8b8cf6d92d2563bedf63e7679c
SHA256

48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d
SHA512

59d54ddda53cc7dd73fabacb12e952db39acb1d4cca9e02016b666164df02b840ffca9825daa2f612c22e7e23b163a6856f247d310f9b547c3a4b21bc61328f1
SSDEEP

12288:sMrfy90OM5P05xb/L4lq716Sd70fekpB7ov6kOoTpGmq86dabCZk/TSgb:7yq05V4lY3hNO9C6kBTpw8caBmi

Score

10^/10

amadey healer redline gogi dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

77.91.68.18/nice/index.php

Extracted

Family

redline

Botnet

gogi

77.91.124.73:19071

Attributes

auth_value
c7dbabcf1eff128a595c7532cb5489a8

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000231c4-26.dat	healer
behavioral1/files/0x00080000000231c4-27.dat	healer
behavioral1/memory/464-28-0x0000000000130000-0x000000000013A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g1430632.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	g1430632.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g1430632.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g1430632.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g1430632.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g1430632.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 9 IoCs

pid	Process
4904	x1673477.exe
4656	x6581872.exe
2864	x9661951.exe
464	g1430632.exe
1088	h2926418.exe
4312	saves.exe
4960	i1872491.exe
400	saves.exe
100	saves.exe

Loads dropped DLL 1 IoCs

pid	Process
4304	rundll32.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	g1430632.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1673477.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6581872.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9661951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2300	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
464	g1430632.exe
464	g1430632.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	464	g1430632.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 4904	2352	48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe	83
PID 2352 wrote to memory of 4904	2352	48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe	83
PID 2352 wrote to memory of 4904	2352	48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe	83
PID 4904 wrote to memory of 4656	4904	x1673477.exe	84
PID 4904 wrote to memory of 4656	4904	x1673477.exe	84
PID 4904 wrote to memory of 4656	4904	x1673477.exe	84
PID 4656 wrote to memory of 2864	4656	x6581872.exe	85
PID 4656 wrote to memory of 2864	4656	x6581872.exe	85
PID 4656 wrote to memory of 2864	4656	x6581872.exe	85
PID 2864 wrote to memory of 464	2864	x9661951.exe	86
PID 2864 wrote to memory of 464	2864	x9661951.exe	86
PID 2864 wrote to memory of 1088	2864	x9661951.exe	91
PID 2864 wrote to memory of 1088	2864	x9661951.exe	91
PID 2864 wrote to memory of 1088	2864	x9661951.exe	91
PID 1088 wrote to memory of 4312	1088	h2926418.exe	92
PID 1088 wrote to memory of 4312	1088	h2926418.exe	92
PID 1088 wrote to memory of 4312	1088	h2926418.exe	92
PID 4656 wrote to memory of 4960	4656	x6581872.exe	93
PID 4656 wrote to memory of 4960	4656	x6581872.exe	93
PID 4656 wrote to memory of 4960	4656	x6581872.exe	93
PID 4312 wrote to memory of 1972	4312	saves.exe	94
PID 4312 wrote to memory of 1972	4312	saves.exe	94
PID 4312 wrote to memory of 1972	4312	saves.exe	94
PID 4312 wrote to memory of 4132	4312	saves.exe	96
PID 4312 wrote to memory of 4132	4312	saves.exe	96
PID 4312 wrote to memory of 4132	4312	saves.exe	96
PID 4132 wrote to memory of 3760	4132	cmd.exe	98
PID 4132 wrote to memory of 3760	4132	cmd.exe	98
PID 4132 wrote to memory of 3760	4132	cmd.exe	98
PID 4132 wrote to memory of 3172	4132	cmd.exe	99
PID 4132 wrote to memory of 3172	4132	cmd.exe	99
PID 4132 wrote to memory of 3172	4132	cmd.exe	99
PID 4132 wrote to memory of 3408	4132	cmd.exe	100
PID 4132 wrote to memory of 3408	4132	cmd.exe	100
PID 4132 wrote to memory of 3408	4132	cmd.exe	100
PID 4132 wrote to memory of 2228	4132	cmd.exe	102
PID 4132 wrote to memory of 2228	4132	cmd.exe	102
PID 4132 wrote to memory of 2228	4132	cmd.exe	102
PID 4132 wrote to memory of 2808	4132	cmd.exe	101
PID 4132 wrote to memory of 2808	4132	cmd.exe	101
PID 4132 wrote to memory of 2808	4132	cmd.exe	101
PID 4132 wrote to memory of 1516	4132	cmd.exe	103
PID 4132 wrote to memory of 1516	4132	cmd.exe	103
PID 4132 wrote to memory of 1516	4132	cmd.exe	103
PID 4312 wrote to memory of 4304	4312	saves.exe	110
PID 4312 wrote to memory of 4304	4312	saves.exe	110
PID 4312 wrote to memory of 4304	4312	saves.exe	110

C:\Users\Admin\AppData\Local\Temp\48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe
"C:\Users\Admin\AppData\Local\Temp\48c634a386cef1760cc25fd46e4b42e94d3f48754f0711c573384c7af786d13d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1673477.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1673477.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6581872.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6581872.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9661951.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9661951.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1430632.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1430632.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2926418.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2926418.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1088
      - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        8⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        8⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        8⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        8⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1872491.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1872491.exe
      4⤵
      Executes dropped EXE
      PID:4960

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:400

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:100

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1673477.exe

Filesize
598KB

MD5
7eb89f72a5c6ab5596eb35ae3d32ba88

SHA1
31efb2f7b9ce0434484c4294ec267b711b5ed77d

SHA256
8810508ee607c22f1a02adcf20304d16ea6ecf28e26b3f6edc5f1c543f2eb147

SHA512
e3f898e2152320ad0baf79b4acc9887462854b60669d642a35eacfbdbd5ba624163356e6a0b9ee37c29ec0027ab9318670b226c8f98c3854e779ca74421d2699

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1673477.exe

Filesize
598KB

MD5
7eb89f72a5c6ab5596eb35ae3d32ba88

SHA1
31efb2f7b9ce0434484c4294ec267b711b5ed77d

SHA256
8810508ee607c22f1a02adcf20304d16ea6ecf28e26b3f6edc5f1c543f2eb147

SHA512
e3f898e2152320ad0baf79b4acc9887462854b60669d642a35eacfbdbd5ba624163356e6a0b9ee37c29ec0027ab9318670b226c8f98c3854e779ca74421d2699

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6581872.exe

Filesize
433KB

MD5
cec13fc8a517920bb43393d0c726a1fd

SHA1
939aea459a84eca794e7a3f4f6303c5b3b59e4c5

SHA256
e7d50b9473f99b363590f8fb5a1179cdf170cac611103575ae24e5cb36d89bcc

SHA512
9b7dd963f19bc6fd2b1395ec677de3a75cb2b2a2f3835c789aa55ad852e1b344eb77eceb0219d2ee809a03282edc05a22ba099954d082285ba206c289443981c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6581872.exe

Filesize
433KB

MD5
cec13fc8a517920bb43393d0c726a1fd

SHA1
939aea459a84eca794e7a3f4f6303c5b3b59e4c5

SHA256
e7d50b9473f99b363590f8fb5a1179cdf170cac611103575ae24e5cb36d89bcc

SHA512
9b7dd963f19bc6fd2b1395ec677de3a75cb2b2a2f3835c789aa55ad852e1b344eb77eceb0219d2ee809a03282edc05a22ba099954d082285ba206c289443981c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1872491.exe

Filesize
173KB

MD5
a37eb9402773d3f1ee9707cbf8785b6e

SHA1
6422a641a70ae761d335260ebd0c6beb3a724fcb

SHA256
d6f7b74ebe511a7044cbff930f6d61c8e98467b796b062118e99c1d469d54f98

SHA512
e523b1b6bcaf720fa630c08b47fd3ac4e43c309420df1d671907fe31566488a04c2c3306d56b31bc7f5a48a823659f8a7bd1bb9570ebbfaa5a8e6be90df589dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1872491.exe

Filesize
173KB

MD5
a37eb9402773d3f1ee9707cbf8785b6e

SHA1
6422a641a70ae761d335260ebd0c6beb3a724fcb

SHA256
d6f7b74ebe511a7044cbff930f6d61c8e98467b796b062118e99c1d469d54f98

SHA512
e523b1b6bcaf720fa630c08b47fd3ac4e43c309420df1d671907fe31566488a04c2c3306d56b31bc7f5a48a823659f8a7bd1bb9570ebbfaa5a8e6be90df589dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9661951.exe

Filesize
277KB

MD5
accfb7f486fbbf6d57c3e0c919371389

SHA1
311ceea65111b5018f315e2a0807e36ae21575ab

SHA256
c22a7173c1c6fab129f1652b3a452c15ff4bfe22dd202a0a10c284fe19782517

SHA512
dfbae15c1896521f9d5a75e32ff2558f82e5d6073f9b8282f8e82aad022445c713a68286f1bff1ca2b6a05873f589f45d6d72686467641b532fde6bc825082df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9661951.exe

Filesize
277KB

MD5
accfb7f486fbbf6d57c3e0c919371389

SHA1
311ceea65111b5018f315e2a0807e36ae21575ab

SHA256
c22a7173c1c6fab129f1652b3a452c15ff4bfe22dd202a0a10c284fe19782517

SHA512
dfbae15c1896521f9d5a75e32ff2558f82e5d6073f9b8282f8e82aad022445c713a68286f1bff1ca2b6a05873f589f45d6d72686467641b532fde6bc825082df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1430632.exe

Filesize
12KB

MD5
e3839584bc1c3276b6120b1e05a748a8

SHA1
55d531f47107d1d2ed8a2d5da69c0d7570ed32bd

SHA256
1fa5f9096051c9991130b593b049dd9a53a890f2ae5367e977b79aefbda5472c

SHA512
6fa2541755154b3ee41f6bdbad4828c63e5235fec4808ae4c91737ae50bbbf667480651168948d9629ad16772595af3a6dc8788b98e7dd9ec51b29973da559fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1430632.exe

Filesize
12KB

MD5
e3839584bc1c3276b6120b1e05a748a8

SHA1
55d531f47107d1d2ed8a2d5da69c0d7570ed32bd

SHA256
1fa5f9096051c9991130b593b049dd9a53a890f2ae5367e977b79aefbda5472c

SHA512
6fa2541755154b3ee41f6bdbad4828c63e5235fec4808ae4c91737ae50bbbf667480651168948d9629ad16772595af3a6dc8788b98e7dd9ec51b29973da559fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2926418.exe

Filesize
317KB

MD5
af3761696e8c02194fac038b63d939cb

SHA1
2aee36c51113c73560c7ff085165f0e9b770ed2c

SHA256
73062ff2aef4c9bf74180c3df3cd8319d74f5e8935b5bdb465e266c01e3b122c

SHA512
5cb82533fdc609db864f87baa24f1a68bec1494ce6c12a5c6d96158cb0fdfac3da5cbbe3e69e3f6434250cef2f106bdc8e32c95278df8b010184fd005a4f36e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2926418.exe

Filesize
317KB

MD5
af3761696e8c02194fac038b63d939cb

SHA1
2aee36c51113c73560c7ff085165f0e9b770ed2c

SHA256
73062ff2aef4c9bf74180c3df3cd8319d74f5e8935b5bdb465e266c01e3b122c

SHA512
5cb82533fdc609db864f87baa24f1a68bec1494ce6c12a5c6d96158cb0fdfac3da5cbbe3e69e3f6434250cef2f106bdc8e32c95278df8b010184fd005a4f36e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
317KB

MD5
af3761696e8c02194fac038b63d939cb

SHA1
2aee36c51113c73560c7ff085165f0e9b770ed2c

SHA256
73062ff2aef4c9bf74180c3df3cd8319d74f5e8935b5bdb465e266c01e3b122c

SHA512
5cb82533fdc609db864f87baa24f1a68bec1494ce6c12a5c6d96158cb0fdfac3da5cbbe3e69e3f6434250cef2f106bdc8e32c95278df8b010184fd005a4f36e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
317KB

MD5
af3761696e8c02194fac038b63d939cb

SHA1
2aee36c51113c73560c7ff085165f0e9b770ed2c

SHA256
73062ff2aef4c9bf74180c3df3cd8319d74f5e8935b5bdb465e266c01e3b122c

SHA512
5cb82533fdc609db864f87baa24f1a68bec1494ce6c12a5c6d96158cb0fdfac3da5cbbe3e69e3f6434250cef2f106bdc8e32c95278df8b010184fd005a4f36e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
317KB

MD5
af3761696e8c02194fac038b63d939cb

SHA1
2aee36c51113c73560c7ff085165f0e9b770ed2c

SHA256
73062ff2aef4c9bf74180c3df3cd8319d74f5e8935b5bdb465e266c01e3b122c

SHA512
5cb82533fdc609db864f87baa24f1a68bec1494ce6c12a5c6d96158cb0fdfac3da5cbbe3e69e3f6434250cef2f106bdc8e32c95278df8b010184fd005a4f36e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
317KB

MD5
af3761696e8c02194fac038b63d939cb

SHA1
2aee36c51113c73560c7ff085165f0e9b770ed2c

SHA256
73062ff2aef4c9bf74180c3df3cd8319d74f5e8935b5bdb465e266c01e3b122c

SHA512
5cb82533fdc609db864f87baa24f1a68bec1494ce6c12a5c6d96158cb0fdfac3da5cbbe3e69e3f6434250cef2f106bdc8e32c95278df8b010184fd005a4f36e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
317KB

MD5
af3761696e8c02194fac038b63d939cb

SHA1
2aee36c51113c73560c7ff085165f0e9b770ed2c

SHA256
73062ff2aef4c9bf74180c3df3cd8319d74f5e8935b5bdb465e266c01e3b122c

SHA512
5cb82533fdc609db864f87baa24f1a68bec1494ce6c12a5c6d96158cb0fdfac3da5cbbe3e69e3f6434250cef2f106bdc8e32c95278df8b010184fd005a4f36e2

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
5bc0153d2973241b72a38c51a2f72116

SHA1
cd9c689663557452631d9f8ff609208b01884a32

SHA256
68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

SHA512
2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
5bc0153d2973241b72a38c51a2f72116

SHA1
cd9c689663557452631d9f8ff609208b01884a32

SHA256
68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

SHA512
2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
5bc0153d2973241b72a38c51a2f72116

SHA1
cd9c689663557452631d9f8ff609208b01884a32

SHA256
68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

SHA512
2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
374bfdcfcf19f4edfe949022092848d2

SHA1
df5ee40497e98efcfba30012452d433373d287d4

SHA256
224a123b69af5a3ab0553e334f6c70846c650597a63f6336c9420bbe8f00571f

SHA512
bc66dd6e675942a8b8cd776b0813d4b182091e45bfa7734b3818f58c83d04f81f0599a27625ff345d393959b8dbe478d8f1ed33d49f9bcee052c986c8665b8d7

Download Submit
memory/464-28-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/464-31-0x00007FFF4C110000-0x00007FFF4CBD1000-memory.dmp

Filesize
10.8MB

Download
memory/464-29-0x00007FFF4C110000-0x00007FFF4CBD1000-memory.dmp

Filesize
10.8MB

Download
memory/4960-52-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4960-51-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/4960-53-0x0000000004BF0000-0x0000000004C2C000-memory.dmp

Filesize
240KB

Download
memory/4960-54-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/4960-55-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4960-50-0x0000000004CC0000-0x0000000004DCA000-memory.dmp

Filesize
1.0MB

Download
memory/4960-49-0x00000000051D0000-0x00000000057E8000-memory.dmp

Filesize
6.1MB

Download
memory/4960-48-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/4960-47-0x0000000000090000-0x00000000000C0000-memory.dmp

Filesize
192KB

Download