b35d15d82efffd1561d404c377d23c97fdacdfc90838b708364ecc0f7c1f2967

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7v20210410
submitted
08-07-2021 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FastDownloader.exe
Size

1.0MB
MD5

ce0abe6028bcff4777da9322c9451998
SHA1

a8d277111e2801b7dea3a31f9d0d6f4a68f011f4
SHA256

b35d15d82efffd1561d404c377d23c97fdacdfc90838b708364ecc0f7c1f2967
SHA512

19f57334c737fd7572e2f15b55c2cd5bba33f8e5d6632346b1f0908b1dcb46c66847cee1b8d7b35eb5243431fc61847a8227f978927a0eb4bdb7767cfa67cb1f

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

Processes:

1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exeInst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exeLDSGameMasterInstRoad_211501.exeldsgamemaster.exeSoftMgrInst.exeheinote_501255047_beiao_003.exeIAbtukweZabckantu4092521131beiao001.exe

pid	process
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
968	LDSGameMasterInstRoad_211501.exe
316	ldsgamemaster.exe
572	SoftMgrInst.exe
1540	heinote_501255047_beiao_003.exe
1308	IAbtukweZabckantu4092521131beiao001.exe

Loads dropped DLL 31 IoCs

Processes:

FastDownloader.exe1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exeLDSGameMasterInstRoad_211501.exeInst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exeldsgamemaster.exeSoftMgrInst.exe

pid	process
1096	FastDownloader.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1096	FastDownloader.exe
1096	FastDownloader.exe
968	LDSGameMasterInstRoad_211501.exe
968	LDSGameMasterInstRoad_211501.exe
968	LDSGameMasterInstRoad_211501.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
572	SoftMgrInst.exe
572	SoftMgrInst.exe
572	SoftMgrInst.exe
572	SoftMgrInst.exe
572	SoftMgrInst.exe
572	SoftMgrInst.exe
572	SoftMgrInst.exe
572	SoftMgrInst.exe
572	SoftMgrInst.exe
1096	FastDownloader.exe
1096	FastDownloader.exe

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1063

Processes:

Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Launcher	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Launcher	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Launcher	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Launcher	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ldsgamemaster.exe

description	ioc	process
File opened (read-only)	\??\R:	ldsgamemaster.exe
File opened (read-only)	\??\Z:	ldsgamemaster.exe
File opened (read-only)	\??\E:	ldsgamemaster.exe
File opened (read-only)	\??\F:	ldsgamemaster.exe
File opened (read-only)	\??\I:	ldsgamemaster.exe
File opened (read-only)	\??\O:	ldsgamemaster.exe
File opened (read-only)	\??\H:	ldsgamemaster.exe
File opened (read-only)	\??\S:	ldsgamemaster.exe
File opened (read-only)	\??\V:	ldsgamemaster.exe
File opened (read-only)	\??\W:	ldsgamemaster.exe
File opened (read-only)	\??\X:	ldsgamemaster.exe
File opened (read-only)	\??\Y:	ldsgamemaster.exe
File opened (read-only)	\??\K:	ldsgamemaster.exe
File opened (read-only)	\??\L:	ldsgamemaster.exe
File opened (read-only)	\??\N:	ldsgamemaster.exe
File opened (read-only)	\??\T:	ldsgamemaster.exe
File opened (read-only)	\??\Q:	ldsgamemaster.exe
File opened (read-only)	\??\U:	ldsgamemaster.exe
File opened (read-only)	\??\G:	ldsgamemaster.exe
File opened (read-only)	\??\J:	ldsgamemaster.exe
File opened (read-only)	\??\M:	ldsgamemaster.exe
File opened (read-only)	\??\P:	ldsgamemaster.exe

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

FastDownloader.exe1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exeInst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exeldsgamemaster.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	FastDownloader.exe
File opened for modification	\??\PhysicalDrive0	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
File opened for modification	\??\PHYSICALDRIVE0	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
File opened for modification	\??\PhysicalDrive0	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
File opened for modification	\??\PhysicalDrive0	ldsgamemaster.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe

pid	process
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe

Drops file in Program Files directory 2 IoCs

Processes:

1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe

description	ioc	process
File created	C:\Program Files (x86)\360\360Safe\{F0D8F18A-684A-4a73-BB87-DBBD241EE1D9}.tf	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
File created	C:\Program Files (x86)\360\360Safe\{4C7A1784-A677-4341-8576-FA3499FF1C8E}.tf	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe

Drops file in Windows directory 1 IoCs

Processes:

ldsgamemaster.exe

description ioc process

File opened for modification C:\Windows\ ldsgamemaster.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\	ldsgamemaster.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

FastDownloader.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	FastDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	FastDownloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	FastDownloader.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exeldsgamemaster.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded309000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ldsgamemaster.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ldsgamemaster.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ldsgamemaster.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ldsgamemaster.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ldsgamemaster.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ldsgamemaster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	ldsgamemaster.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
1096	FastDownloader.exe
1096	FastDownloader.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
800	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exeldsgamemaster.exeSoftMgrInst.exe

description	pid	process
Token: SeDebugPrivilege	1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
Token: SeRestorePrivilege	1612	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
Token: SeDebugPrivilege	316	ldsgamemaster.exe
Token: SeDebugPrivilege	316	ldsgamemaster.exe
Token: SeManageVolumePrivilege	572	SoftMgrInst.exe
Token: SeDebugPrivilege	316	ldsgamemaster.exe
Token: SeDebugPrivilege	316	ldsgamemaster.exe
Token: SeDebugPrivilege	316	ldsgamemaster.exe
Token: SeDebugPrivilege	316	ldsgamemaster.exe
Token: SeDebugPrivilege	316	ldsgamemaster.exe
Token: SeDebugPrivilege	316	ldsgamemaster.exe
Token: SeDebugPrivilege	316	ldsgamemaster.exe
Token: SeDebugPrivilege	316	ldsgamemaster.exe
Token: SeDebugPrivilege	316	ldsgamemaster.exe
Token: SeDebugPrivilege	316	ldsgamemaster.exe
Token: SeDebugPrivilege	316	ldsgamemaster.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

ldsgamemaster.exe

pid	process
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe

Suspicious use of SendNotifyMessage 33 IoCs

Processes:

ldsgamemaster.exe

pid	process
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe
316	ldsgamemaster.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

FastDownloader.exe

pid process

1096 FastDownloader.exe
1096 FastDownloader.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

FastDownloader.exeLDSGameMasterInstRoad_211501.exeldsgamemaster.exe

description	pid	process	target process
PID 1096 wrote to memory of 1612	1096	FastDownloader.exe	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
PID 1096 wrote to memory of 1612	1096	FastDownloader.exe	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
PID 1096 wrote to memory of 1612	1096	FastDownloader.exe	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
PID 1096 wrote to memory of 1612	1096	FastDownloader.exe	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
PID 1096 wrote to memory of 1612	1096	FastDownloader.exe	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
PID 1096 wrote to memory of 1612	1096	FastDownloader.exe	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
PID 1096 wrote to memory of 1612	1096	FastDownloader.exe	1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
PID 1096 wrote to memory of 800	1096	FastDownloader.exe	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
PID 1096 wrote to memory of 800	1096	FastDownloader.exe	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
PID 1096 wrote to memory of 800	1096	FastDownloader.exe	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
PID 1096 wrote to memory of 800	1096	FastDownloader.exe	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
PID 1096 wrote to memory of 800	1096	FastDownloader.exe	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
PID 1096 wrote to memory of 800	1096	FastDownloader.exe	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
PID 1096 wrote to memory of 800	1096	FastDownloader.exe	Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
PID 1096 wrote to memory of 968	1096	FastDownloader.exe	LDSGameMasterInstRoad_211501.exe
PID 1096 wrote to memory of 968	1096	FastDownloader.exe	LDSGameMasterInstRoad_211501.exe
PID 1096 wrote to memory of 968	1096	FastDownloader.exe	LDSGameMasterInstRoad_211501.exe
PID 1096 wrote to memory of 968	1096	FastDownloader.exe	LDSGameMasterInstRoad_211501.exe
PID 968 wrote to memory of 316	968	LDSGameMasterInstRoad_211501.exe	ldsgamemaster.exe
PID 968 wrote to memory of 316	968	LDSGameMasterInstRoad_211501.exe	ldsgamemaster.exe
PID 968 wrote to memory of 316	968	LDSGameMasterInstRoad_211501.exe	ldsgamemaster.exe
PID 968 wrote to memory of 316	968	LDSGameMasterInstRoad_211501.exe	ldsgamemaster.exe
PID 968 wrote to memory of 316	968	LDSGameMasterInstRoad_211501.exe	ldsgamemaster.exe
PID 968 wrote to memory of 316	968	LDSGameMasterInstRoad_211501.exe	ldsgamemaster.exe
PID 968 wrote to memory of 316	968	LDSGameMasterInstRoad_211501.exe	ldsgamemaster.exe
PID 316 wrote to memory of 572	316	ldsgamemaster.exe	SoftMgrInst.exe
PID 316 wrote to memory of 572	316	ldsgamemaster.exe	SoftMgrInst.exe
PID 316 wrote to memory of 572	316	ldsgamemaster.exe	SoftMgrInst.exe
PID 316 wrote to memory of 572	316	ldsgamemaster.exe	SoftMgrInst.exe
PID 1096 wrote to memory of 1540	1096	FastDownloader.exe	heinote_501255047_beiao_003.exe
PID 1096 wrote to memory of 1540	1096	FastDownloader.exe	heinote_501255047_beiao_003.exe
PID 1096 wrote to memory of 1540	1096	FastDownloader.exe	heinote_501255047_beiao_003.exe
PID 1096 wrote to memory of 1540	1096	FastDownloader.exe	heinote_501255047_beiao_003.exe
PID 1096 wrote to memory of 1540	1096	FastDownloader.exe	heinote_501255047_beiao_003.exe
PID 1096 wrote to memory of 1540	1096	FastDownloader.exe	heinote_501255047_beiao_003.exe
PID 1096 wrote to memory of 1540	1096	FastDownloader.exe	heinote_501255047_beiao_003.exe
PID 1096 wrote to memory of 1308	1096	FastDownloader.exe	IAbtukweZabckantu4092521131beiao001.exe
PID 1096 wrote to memory of 1308	1096	FastDownloader.exe	IAbtukweZabckantu4092521131beiao001.exe
PID 1096 wrote to memory of 1308	1096	FastDownloader.exe	IAbtukweZabckantu4092521131beiao001.exe
PID 1096 wrote to memory of 1308	1096	FastDownloader.exe	IAbtukweZabckantu4092521131beiao001.exe
PID 1096 wrote to memory of 1308	1096	FastDownloader.exe	IAbtukweZabckantu4092521131beiao001.exe
PID 1096 wrote to memory of 1308	1096	FastDownloader.exe	IAbtukweZabckantu4092521131beiao001.exe
PID 1096 wrote to memory of 1308	1096	FastDownloader.exe	IAbtukweZabckantu4092521131beiao001.exe

C:\Users\Admin\AppData\Local\Temp\FastDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\FastDownloader.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

C:\Download\1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
C:\Download\\1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Users\Admin\AppData\Local\Temp\45CD0BYsY6cisjwT\Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:800

C:\Users\Admin\AppData\Local\Temp\45CD0BYsY6cisjwT\LDSGameMasterInstRoad_211501.exe
LDSGameMasterInstRoad_211501.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\ldsgamemaster.exe
"C:\Users\Admin\AppData\Local\Temp\ldsgamemaster.exe" /PID="211501" /S /FROM=inst
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:316

C:\MobileEmuMaster\SoftMgr\SoftMgrInst.exe
"C:\MobileEmuMaster\SoftMgr\SoftMgrInst.exe" --hwnd=131542 --from=LDSGameMaster --new=true --log
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Users\Admin\AppData\Local\Temp\45CD0BYsY6cisjwT\heinote_501255047_beiao_003.exe
heinote_501255047_beiao_003.exe
2⤵
- Executes dropped EXE
PID:1540

C:\Users\Admin\AppData\Local\Temp\45CD0BYsY6cisjwT\IAbtukweZabckantu4092521131beiao001.exe
IAbtukweZabckantu4092521131beiao001.exe
2⤵
- Executes dropped EXE
PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Security Software Discovery

T1063

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Download\1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
MD5
650b5f38739760b1a4158c50ed826925

SHA1
816dcba314008db49521458b3d3c9819874dc543

SHA256
1d42fa6a81fef2148f013b881b450084e4549e36a9bcfeebbd360feeae11bec8

SHA512
06f81c94acec88eea1b70b4b279861f772ced3a223b5c5c0375d6634dc01c1921b8564e4c7106d61573f6a0d7e831631fd1aaffb56cc2ab3be15be3cec120b69

Download Submit
C:\MobileEmuMaster\360P2SP.dll
MD5
96c74f16a2b94f33ce54df012e1a9143

SHA1
c685b6a26b4abffa25399beea2eb45dc7869bc0a

SHA256
9dfc5349404e386f87c44419f8ff83e2dc0666f3ef3278860d872e10af9766a5

SHA512
e186578e68ed40e91b3167a6d7f594f390d614c44b83f5d17213421cff12649c3a8a4f1dc47c8479bd0a20e303f90be8c5526325086db20e960024af1996fb65

Download Submit
C:\MobileEmuMaster\360base.dll
MD5
84beb92b22b17841b326e4df2d31117b

SHA1
ef3a1cb3f64e3a9084f047c777f3ce29e761aa09

SHA256
51f68c7e9e40694ff4cc49d23a2e406b5feba6f0aa9f998bdd8030065c90a9da

SHA512
4d4b29e84daa5e999a35723bddb32019a306fdefec660fc53244385d960e55a94a9855093fc146e3fa0110f8dc6a264ef4c6802386c19175b7464c629f6fe8e9

Download Submit
C:\MobileEmuMaster\360net.dll
MD5
48e996402b35f914dc869f8f529e2444

SHA1
fdcbf945a79ca75b0fc663d3de6ce86ca4a50d2f

SHA256
8c2a4ef1b9ac458d48b2944f90f90527f5b0650aa1107e808bf7716a8d894250

SHA512
233bad9580a906547958643befc1e2bc0707e0a39531fdb74b91212b7514d429e6dd63d589228d42ca2fea4fb3f7cbbf438f3ade94e0832bb83ee42bd6018b3b

Download Submit
C:\MobileEmuMaster\LiveUpd360.dll
MD5
299f4394db122aa9dd9328b4337e1f72

SHA1
34bccbc1132513424c589bf61300d69d4f8a105f

SHA256
9b0ffaeec2131cf8813751805208c34b61c6874fcbc88c751f1c9f642f4b4f35

SHA512
80ffea81b7b25fa4f3a4ca6a672fb8cbabd166f10d7a3498bd691082727ea8ede16774b91d2f51ebdee614918e5a478c6ca2124e8a676d16903b2cdbca8b0414

Download Submit
C:\MobileEmuMaster\PDown.dll
MD5
611eef942e78702fbe407d544986de78

SHA1
1280da24a46ab08c8a6c5d62780767c56369c793

SHA256
684783eebce759a34094964a99de1a67b1da6f23d603bbea722e549a6068b280

SHA512
90575f3b8550436106694f8c41952dd4303c1e2c53ae9b7a0bc29deda3ab3ca70885bfecedb64d9d86766b3b48078013a4ec1d33db9fcda2ded91722da6e9683

Download Submit
C:\MobileEmuMaster\SoftMgr\SoftMgrInst.exe
MD5
15254ec0bae2cda3b4a73317ed1aed0c

SHA1
1b8e1adb34f3e9f2127ad4099fe7c1a733b63f55

SHA256
33fce3de689e28c4066e468867cc5e9163fbb3071bb1b031dbe95f60ddb745d7

SHA512
16503dd3ae32273f8b4f102ec8f0070093f14aec04f05aa2e83babdf6b2eaf5e986c417c952062390a05e4c8d2546d553fd97675a13445d446b5e54270c3632e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
dcc841e6550547ae9635f0c1832cb162

SHA1
d22a305dffae9451f754c0d334268f56474cde8b

SHA256
631bc7413499759223d733fdfa86192dca453ae1e248dd8773040a95a0ea7bcc

SHA512
a219763fc06659d0994477e88a5ded9f7470c2715efe87002c9db0458559105c88a00b1ede9bf702b427c4fa5ad840b33c3f8b139f02d87eb097d10a0c40e5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\45CD0BYsY6cisjwT\IAbtukweZabckantu4092521131beiao001.exe
MD5
e0303508721d6babf011d0545a177c28

SHA1
69cc4b4accc99d8d17bbcb6fa43fe588eb515dc2

SHA256
b870bac99508bd532a828f295f460c7d0ec4759f17505154a75df4ede06200c7

SHA512
30e11f5c6b1a3faf5f578cd779114bf1b6bf1d5ba2f5ae5abe622ec61d81d3d82d76438bbd0efd9896702431bd2ba88a261ae0da5d9e72d175c313e5422fa5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\45CD0BYsY6cisjwT\Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
MD5
a4b2ddd3af44fa63bf4b68ee6bf2ce7b

SHA1
e3c817ab77ad65f7cff1e51a2d0ffcc2ea4a9b6c

SHA256
8e9f79413596b65dea30f6948ed67b256e023d6ac2a2b9975ab7b28a9c42203f

SHA512
4c846168d1c96882792a11181c0700b185659c0069bd8adef48fc87b26fecc669735e586df4f49655eeb6e154a006db9f43aa8e8d6c41e3b4340dcb2348419d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\45CD0BYsY6cisjwT\Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
MD5
a4b2ddd3af44fa63bf4b68ee6bf2ce7b

SHA1
e3c817ab77ad65f7cff1e51a2d0ffcc2ea4a9b6c

SHA256
8e9f79413596b65dea30f6948ed67b256e023d6ac2a2b9975ab7b28a9c42203f

SHA512
4c846168d1c96882792a11181c0700b185659c0069bd8adef48fc87b26fecc669735e586df4f49655eeb6e154a006db9f43aa8e8d6c41e3b4340dcb2348419d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\45CD0BYsY6cisjwT\LDSGameMasterInstRoad_211501.exe
MD5
8e5a83388b85007dd02a41b512ada556

SHA1
0cf9f44f21c4b8cd7a4735e483d5d919cd3d5f43

SHA256
d3709b4ff018f33e486b99ef6873dec91bed41cb240c630de754e9b4cc30bd1d

SHA512
133f2ae0c7aaa38c9cfd3ecb7ed13e1d43b8ba59dc517d1e54c0c13759220db4093f4e1ad4f85e42fcc22d62073d0d2f12bce06bea504e2cf0c32536b2e2cc1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\45CD0BYsY6cisjwT\heinote_501255047_beiao_003.exe
MD5
661158f3416d0fa89b76bc5470929b6c

SHA1
eeb5cc7946f25d1d8702a8576a43ce168154cf15

SHA256
e3de0ab1ebe7092f9dcf573c738029f5cfa1a00b328385e32b6e368c08d097d5

SHA512
2a9fed00b356bb15d5ec7c38f78e939a1ebc1ea95811e32a9332abfaff59055f9e56c449b667d4d20132bf42be5d60990631bbe16cc30382c04834e0911abb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldsgamemaster.exe
MD5
565838545b2f422521bb70f322b78af0

SHA1
d1d9d07bebe2afbff3ed72502e28fbc671f39377

SHA256
05444227c19ceaf5f9c267fc435f6c8ec7e7a12f9909114e0c79bb4d41d388cb

SHA512
0e1e6cdf5c039cf74763ae92f9f55d10fb97c6542346bdfa028eb60af2264c886238b721c7785d5b9db508652b1a4c5d2da61c801757d9f7c1392e6e0965cbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldsgamemaster.exe
MD5
565838545b2f422521bb70f322b78af0

SHA1
d1d9d07bebe2afbff3ed72502e28fbc671f39377

SHA256
05444227c19ceaf5f9c267fc435f6c8ec7e7a12f9909114e0c79bb4d41d388cb

SHA512
0e1e6cdf5c039cf74763ae92f9f55d10fb97c6542346bdfa028eb60af2264c886238b721c7785d5b9db508652b1a4c5d2da61c801757d9f7c1392e6e0965cbcb

Download Submit
C:\Users\Admin\Desktop\灭神2神魔传说.lnk
MD5
5d682a734e2b554610c7e5222cd73e4b

SHA1
9ba3f140109e1683f66db3b03762079d27a73f60

SHA256
c5af275d11b52051f9f0181da52f86254e6268285902340ff4908c89f7d8c750

SHA512
c2a37a8115ab78e92eb6e3c6f88f870c71de0efb2bcdb7440001d5de926fc06137397813e927afa4fe11ab11d56a49ab6e9b95c9143777fb9ef3eeaa07ecef44

Download Submit
\Download\1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
MD5
650b5f38739760b1a4158c50ed826925

SHA1
816dcba314008db49521458b3d3c9819874dc543

SHA256
1d42fa6a81fef2148f013b881b450084e4549e36a9bcfeebbd360feeae11bec8

SHA512
06f81c94acec88eea1b70b4b279861f772ced3a223b5c5c0375d6634dc01c1921b8564e4c7106d61573f6a0d7e831631fd1aaffb56cc2ab3be15be3cec120b69

Download Submit
\MobileEmuMaster\360Base.dll
MD5
84beb92b22b17841b326e4df2d31117b

SHA1
ef3a1cb3f64e3a9084f047c777f3ce29e761aa09

SHA256
51f68c7e9e40694ff4cc49d23a2e406b5feba6f0aa9f998bdd8030065c90a9da

SHA512
4d4b29e84daa5e999a35723bddb32019a306fdefec660fc53244385d960e55a94a9855093fc146e3fa0110f8dc6a264ef4c6802386c19175b7464c629f6fe8e9

Download Submit
\MobileEmuMaster\360Net.dll
MD5
48e996402b35f914dc869f8f529e2444

SHA1
fdcbf945a79ca75b0fc663d3de6ce86ca4a50d2f

SHA256
8c2a4ef1b9ac458d48b2944f90f90527f5b0650aa1107e808bf7716a8d894250

SHA512
233bad9580a906547958643befc1e2bc0707e0a39531fdb74b91212b7514d429e6dd63d589228d42ca2fea4fb3f7cbbf438f3ade94e0832bb83ee42bd6018b3b

Download Submit
\MobileEmuMaster\360Net.dll
MD5
48e996402b35f914dc869f8f529e2444

SHA1
fdcbf945a79ca75b0fc663d3de6ce86ca4a50d2f

SHA256
8c2a4ef1b9ac458d48b2944f90f90527f5b0650aa1107e808bf7716a8d894250

SHA512
233bad9580a906547958643befc1e2bc0707e0a39531fdb74b91212b7514d429e6dd63d589228d42ca2fea4fb3f7cbbf438f3ade94e0832bb83ee42bd6018b3b

Download Submit
\MobileEmuMaster\360Net.dll
MD5
48e996402b35f914dc869f8f529e2444

SHA1
fdcbf945a79ca75b0fc663d3de6ce86ca4a50d2f

SHA256
8c2a4ef1b9ac458d48b2944f90f90527f5b0650aa1107e808bf7716a8d894250

SHA512
233bad9580a906547958643befc1e2bc0707e0a39531fdb74b91212b7514d429e6dd63d589228d42ca2fea4fb3f7cbbf438f3ade94e0832bb83ee42bd6018b3b

Download Submit
\MobileEmuMaster\360P2SP.dll
MD5
96c74f16a2b94f33ce54df012e1a9143

SHA1
c685b6a26b4abffa25399beea2eb45dc7869bc0a

SHA256
9dfc5349404e386f87c44419f8ff83e2dc0666f3ef3278860d872e10af9766a5

SHA512
e186578e68ed40e91b3167a6d7f594f390d614c44b83f5d17213421cff12649c3a8a4f1dc47c8479bd0a20e303f90be8c5526325086db20e960024af1996fb65

Download Submit
\MobileEmuMaster\360P2SP.dll
MD5
96c74f16a2b94f33ce54df012e1a9143

SHA1
c685b6a26b4abffa25399beea2eb45dc7869bc0a

SHA256
9dfc5349404e386f87c44419f8ff83e2dc0666f3ef3278860d872e10af9766a5

SHA512
e186578e68ed40e91b3167a6d7f594f390d614c44b83f5d17213421cff12649c3a8a4f1dc47c8479bd0a20e303f90be8c5526325086db20e960024af1996fb65

Download Submit
\MobileEmuMaster\360P2SP.dll
MD5
96c74f16a2b94f33ce54df012e1a9143

SHA1
c685b6a26b4abffa25399beea2eb45dc7869bc0a

SHA256
9dfc5349404e386f87c44419f8ff83e2dc0666f3ef3278860d872e10af9766a5

SHA512
e186578e68ed40e91b3167a6d7f594f390d614c44b83f5d17213421cff12649c3a8a4f1dc47c8479bd0a20e303f90be8c5526325086db20e960024af1996fb65

Download Submit
\MobileEmuMaster\LiveUpd360.dll
MD5
299f4394db122aa9dd9328b4337e1f72

SHA1
34bccbc1132513424c589bf61300d69d4f8a105f

SHA256
9b0ffaeec2131cf8813751805208c34b61c6874fcbc88c751f1c9f642f4b4f35

SHA512
80ffea81b7b25fa4f3a4ca6a672fb8cbabd166f10d7a3498bd691082727ea8ede16774b91d2f51ebdee614918e5a478c6ca2124e8a676d16903b2cdbca8b0414

Download Submit
\MobileEmuMaster\PDown.dll
MD5
611eef942e78702fbe407d544986de78

SHA1
1280da24a46ab08c8a6c5d62780767c56369c793

SHA256
684783eebce759a34094964a99de1a67b1da6f23d603bbea722e549a6068b280

SHA512
90575f3b8550436106694f8c41952dd4303c1e2c53ae9b7a0bc29deda3ab3ca70885bfecedb64d9d86766b3b48078013a4ec1d33db9fcda2ded91722da6e9683

Download Submit
\MobileEmuMaster\SoftMgr\SoftMgrInst.exe
MD5
15254ec0bae2cda3b4a73317ed1aed0c

SHA1
1b8e1adb34f3e9f2127ad4099fe7c1a733b63f55

SHA256
33fce3de689e28c4066e468867cc5e9163fbb3071bb1b031dbe95f60ddb745d7

SHA512
16503dd3ae32273f8b4f102ec8f0070093f14aec04f05aa2e83babdf6b2eaf5e986c417c952062390a05e4c8d2546d553fd97675a13445d446b5e54270c3632e

Download Submit
\MobileEmuMaster\SoftMgr\SoftMgrInst.exe
MD5
15254ec0bae2cda3b4a73317ed1aed0c

SHA1
1b8e1adb34f3e9f2127ad4099fe7c1a733b63f55

SHA256
33fce3de689e28c4066e468867cc5e9163fbb3071bb1b031dbe95f60ddb745d7

SHA512
16503dd3ae32273f8b4f102ec8f0070093f14aec04f05aa2e83babdf6b2eaf5e986c417c952062390a05e4c8d2546d553fd97675a13445d446b5e54270c3632e

Download Submit
\MobileEmuMaster\SoftMgr\SoftMgrInst.exe
MD5
15254ec0bae2cda3b4a73317ed1aed0c

SHA1
1b8e1adb34f3e9f2127ad4099fe7c1a733b63f55

SHA256
33fce3de689e28c4066e468867cc5e9163fbb3071bb1b031dbe95f60ddb745d7

SHA512
16503dd3ae32273f8b4f102ec8f0070093f14aec04f05aa2e83babdf6b2eaf5e986c417c952062390a05e4c8d2546d553fd97675a13445d446b5e54270c3632e

Download Submit
\Users\Admin\AppData\Local\Temp\360Base.dll
MD5
ab00bed7cb2b7a8290e247fc34aaa5ff

SHA1
d6014e2920d9b587a8e12ae1ba0f1e1fc9edffa8

SHA256
ceffaedc050688e8dcc11ec30b703c63fefbfcf479558604fdb0ea42bcb497c0

SHA512
fbe3bf5e142d689bb15d05503fcf5c807aad5bcb99a02dc99590589ee66f7942a0d8365d470041972212dbdf9c232ab4bbab25e79d7bcd43f001a95d9012cca6

Download Submit
\Users\Admin\AppData\Local\Temp\360net.dll
MD5
48e996402b35f914dc869f8f529e2444

SHA1
fdcbf945a79ca75b0fc663d3de6ce86ca4a50d2f

SHA256
8c2a4ef1b9ac458d48b2944f90f90527f5b0650aa1107e808bf7716a8d894250

SHA512
233bad9580a906547958643befc1e2bc0707e0a39531fdb74b91212b7514d429e6dd63d589228d42ca2fea4fb3f7cbbf438f3ade94e0832bb83ee42bd6018b3b

Download Submit
\Users\Admin\AppData\Local\Temp\45CD0BYsY6cisjwT\IAbtukweZabckantu4092521131beiao001.exe
MD5
e6c66d3248c0bffa0d68576796abe1bc

SHA1
4c1622d99e76302888f7c42bf2052d12b04d4467

SHA256
e2a2172a3a2bee58d6f00269c0b07bfec4788e720fb749a34279bf58a9b3717c

SHA512
9402ba9489665632c0b7b9024cc2907e68d7407e034767900a1a4ccc8061d6593ca2787fe3f4f46febd8e64856fbd1efef755421200cddd731b7f67a203a3e01

Download Submit
\Users\Admin\AppData\Local\Temp\45CD0BYsY6cisjwT\Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
MD5
a4b2ddd3af44fa63bf4b68ee6bf2ce7b

SHA1
e3c817ab77ad65f7cff1e51a2d0ffcc2ea4a9b6c

SHA256
8e9f79413596b65dea30f6948ed67b256e023d6ac2a2b9975ab7b28a9c42203f

SHA512
4c846168d1c96882792a11181c0700b185659c0069bd8adef48fc87b26fecc669735e586df4f49655eeb6e154a006db9f43aa8e8d6c41e3b4340dcb2348419d5

Download Submit
\Users\Admin\AppData\Local\Temp\45CD0BYsY6cisjwT\LDSGameMasterInstRoad_211501.exe
MD5
8e5a83388b85007dd02a41b512ada556

SHA1
0cf9f44f21c4b8cd7a4735e483d5d919cd3d5f43

SHA256
d3709b4ff018f33e486b99ef6873dec91bed41cb240c630de754e9b4cc30bd1d

SHA512
133f2ae0c7aaa38c9cfd3ecb7ed13e1d43b8ba59dc517d1e54c0c13759220db4093f4e1ad4f85e42fcc22d62073d0d2f12bce06bea504e2cf0c32536b2e2cc1e

Download Submit
\Users\Admin\AppData\Local\Temp\45CD0BYsY6cisjwT\heinote_501255047_beiao_003.exe
MD5
661158f3416d0fa89b76bc5470929b6c

SHA1
eeb5cc7946f25d1d8702a8576a43ce168154cf15

SHA256
e3de0ab1ebe7092f9dcf573c738029f5cfa1a00b328385e32b6e368c08d097d5

SHA512
2a9fed00b356bb15d5ec7c38f78e939a1ebc1ea95811e32a9332abfaff59055f9e56c449b667d4d20132bf42be5d60990631bbe16cc30382c04834e0911abb13

Download Submit
\Users\Admin\AppData\Local\Temp\ldsgamemaster.exe
MD5
565838545b2f422521bb70f322b78af0

SHA1
d1d9d07bebe2afbff3ed72502e28fbc671f39377

SHA256
05444227c19ceaf5f9c267fc435f6c8ec7e7a12f9909114e0c79bb4d41d388cb

SHA512
0e1e6cdf5c039cf74763ae92f9f55d10fb97c6542346bdfa028eb60af2264c886238b721c7785d5b9db508652b1a4c5d2da61c801757d9f7c1392e6e0965cbcb

Download Submit
\Users\Admin\AppData\Local\Temp\tBmByWbNsRpXqCwN\360ini.dll
MD5
858ff2e53ae66c38346c3eab2496392c

SHA1
9c7eb03d090e62aa9ba68ce8be545b6481a2e40d

SHA256
4484071a243b9201fd772e3f19cdd94ff4326c5ee9b05f1afbfaebfb1bbaab62

SHA512
d2ada0d070e2df51c1392aa6f95e9d26d8de9b1d0260b85656a58a06f7958f3054f1d1a811c4aafbde79018701161fd6857afe5b7f878be5695d1654382594e4

Download Submit
\Users\Admin\AppData\Local\Temp\{0AE67765-71C2-4b3b-AB19-57CA70061C4D}.tmp\360NetUL.dll
MD5
cd03029957ebc78c0ca7a6c02a9ca846

SHA1
0044114b8073781479044f0294701be9611be2ac

SHA256
139fdd92e6ddf1aac0761a68502b374daa32e82039621018511dc491ed9b4048

SHA512
14c641cb9536def0ddc1969d50b97b83a23017c97373e3ad74d3fbf9825ac81f3fdf8169281c8ad4cebd45d9c9ae05f752d553ba4653e620889b274479cb7c32

Download Submit
\Users\Admin\AppData\Local\Temp\{0AE67765-71C2-4b3b-AB19-57CA70061C4D}.tmp\NetBridge.dll
MD5
8786d469338c30e0ba9fedfc62bd5197

SHA1
5fb12028ceae9772f938e1b98b699f0e02e32718

SHA256
beeaf8b72f7008e9adabacfcd85e32a50747a0dfb5c86802aeb973bd1f5c3d2f

SHA512
5db1e5b78e62cda81a63e8e712e720f87a7c7a539237a55a9098c076f9fb4e0b5adb83383c23657b4ccc90c117e55e3946a399cdf3d15cb94444b203d9d6c45c

Download Submit
\Users\Admin\AppData\Local\Temp\{0AE67765-71C2-4b3b-AB19-57CA70061C4D}.tmp\Utils\LDSBasic.dll
MD5
cc7b7a2d031fbef005b82bc5221e6046

SHA1
61b9cf646825c37e5262ab5b2ecc755d72770393

SHA256
28f4e42556497b05a017309c69c7e62683a043ab1c452170056a1b5f77175633

SHA512
ec67289b40e88acb946c18890e40e53322b386ce17c351c5fbbebccae84b6d16c2df79ebe79a143d1276101151544aa24a65bdd3101cfd096390034aa70d3e29

Download Submit
\Users\Admin\AppData\Local\Temp\{0D399809-3ED4-49b8-BA06-3642197E7799}.tmp
MD5
67948ae2b6282987787bb8cf38992ffe

SHA1
e4067474bc88df5ca1dcdfed0eecf43d5ce4aebc

SHA256
e58fb52e90764e0a480e3003d6797a889fb8a44c682ce79924f98b54ce584caa

SHA512
bc7a48da852c6d2f425b2d19fcb7fcc9642377fe3aac26264b479f34fd3a4cc5083af0f98ea06a8236f8153ab2b72ca61f264654ff2757183bea6a532287dcb6

Download Submit
\Users\Admin\AppData\Local\Temp\{142F6DBE-D261-4053-B527-DA701F363DB6}.tmp\7z.dll
MD5
b902e3ce824b63d3220bff0150097f83

SHA1
efb511c687b1376b683cac4dfe26e044535aa8d3

SHA256
bc19ccc142de96f79288a7edd5468b5e9a96a35a64c888a6e9a9733933c4ae51

SHA512
ace3714e3d5c1409636478564c4ea1828c97cbeacea0e1ab95ec353e898bafcef0c682c780cbfa49589a480d36f0962c805508f4df1b430efb5955c9290b9656

Download Submit
\Users\Admin\AppData\Local\Temp\{55AF27A5-9CF9-46a4-9247-EBCEB4F276CE}.tmp\MiniUI.dll
MD5
5123c3b8adeb6192d5a6b9dc50c867b1

SHA1
6d142074a21aa50c240ce57ca19a61e104bbdf41

SHA256
273ce954c8d33abaac3a0fd8546719f09718c1d91317ecf5b99181dffa3fe26a

SHA512
067305a8f09c480fe4a4c8609638c9a490c4ebe2782bd13c10b380df14f76d4748eb785f44e7bcb86514718f99d07c3c6a4b43928a294b18020cb0fa589ee2a0

Download Submit
\Users\Admin\AppData\Local\Temp\{6CBBB806-D5B3-4ee8-8DD6-0C7E25AC0A13}\{7E893CA3-505A-424a-9DAE-459340FB0066}.tmp
MD5
baff1377615c22fab1a72611e4eb4f5e

SHA1
0ff1b09d1e6b2ed584a78f17c4f8de16707e41c3

SHA256
78cdb6d5f13fb5b760b4a5c2973883d9ed47b02272d46b325530f52d4bc914f2

SHA512
f2ae1bfede8a1dad826531d8107a55dc883dcdef749fd88dc4a44afdaf6f746457458c2129f3be41026d1ddd4cc2357df9f55c97099fa387665ee90b3693b034

Download Submit
\Users\Admin\AppData\Local\Temp\{B44977BB-5831-45b5-B543-9AC4734525D9}.tmp\360Base.dll
MD5
7e519aca128e7c13921ff1ce28c6f464

SHA1
16aeb633ba8bc52c8fee2187d307b9389a78824e

SHA256
b4348c968e41541a849fd7ec54a059330157598fc34437c4356875ba76fa4a5d

SHA512
7d7b1f3b55721812c9265acd7005cf1d1709f1003a1c198f8ab2f1ade5391900559ba12aa274c900415b0d4d0c02441a21498eee3c712897074834fa83f59934

Download Submit
\Users\Admin\AppData\Local\Temp\{B44977BB-5831-45b5-B543-9AC4734525D9}.tmp\CrashReport.dll
MD5
361ee0170374127e396e7ab4d839bdb3

SHA1
44430877438ca137b0386de1223349b8e86a3270

SHA256
bb393ebae1fd656b019cd086c05fcece979405c4616989bfdde6d60044d08b8d

SHA512
617b80214537675a5964f0cbc3d8e5bec53afb7ce8c5a7de18ad4ea9389767294c11407f85c72a08dd400020ed06f37e6898c85bcea74c06e9d43f84cc4caafa

Download Submit
\Users\Admin\AppData\Local\Temp\{F3C42CB6-D7AE-41f9-9180-251076A80647}.tmp\urlproc.dll
MD5
c904c8321ebd4ae87d55714eb179c50a

SHA1
9eac227bcd6132e36457093ba137d22a824801c1

SHA256
97baeb93dfed4c38b19c8702b9ffadf0c2891bf83bcf68ba75293791aead9572

SHA512
e62d61ae25e3f8dd6ba36f37f3e093803e5a6e9d158882e00f3126ffca172b7c5d2159989db652a355d71537f776b54648fa173262d91111eb069e1f6ab10fa0

Download Submit
memory/316-84-0x0000000000000000-mapping.dmp

Download
memory/316-95-0x0000000002270000-0x00000000022A9000-memory.dmp

Filesize
228KB

Download
memory/572-111-0x0000000002C10000-0x0000000002C83000-memory.dmp

Filesize
460KB

Download
memory/572-107-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/572-119-0x0000000002900000-0x0000000002948000-memory.dmp

Filesize
288KB

Download
memory/572-100-0x0000000000000000-mapping.dmp

Download
memory/800-71-0x0000000000000000-mapping.dmp

Download
memory/800-74-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/968-76-0x0000000000000000-mapping.dmp

Download
memory/968-81-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1096-59-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/1308-125-0x0000000000000000-mapping.dmp

Download
memory/1308-132-0x0000000010000000-0x00000000100E0000-memory.dmp

Filesize
896KB

Download
memory/1540-122-0x0000000000000000-mapping.dmp

Download
memory/1540-129-0x0000000010000000-0x00000000100DA000-memory.dmp

Filesize
872KB

Download
memory/1612-66-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/1612-61-0x0000000000000000-mapping.dmp

Download