amadey | 2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203

Analysis

max time kernel
293s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03/05/2024, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
Size

1.8MB
MD5

f5a33e2c9e2f68449a07778cc2edf846
SHA1

9b1c77c93fdf834a281da35fb3d5060d6de64de6
SHA256

2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203
SHA512

cacf32b567797196a636d17ab2457cbe1bbd25f339cef8bd46848abba8d0e60ebbb5937d378a3300c8c0f242743489ceb1909039ebcf9670cabaecf08afdb12e
SSDEEP

49152:kcvZBay16INgG3P2GHYTAIEj6G3KdbeuBJI4:ki1tC3KX66cR/I

Score

10^/10

amadey lumma redline stealc xmrig zgrat @cloudytteam test1234 discovery evasion execution infostealer miner rat spyware stealer trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

stealc

http://52.143.157.84

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

https://incredibleextedwj.shop/api

https://zippyfinickysofwps.shop/api

https://productivelookewr.shop/api

https://acceptabledcooeprs.shop/api

https://tolerateilusidjukl.shop/api

https://obsceneclassyjuwks.shop/api

https://shatterbreathepsw.shop/api

https://miniaturefinerninewjs.shop/api

https://shortsvelventysjo.shop/api

https://plaintediousidowsko.shop/api

https://alcojoldwograpciw.shop/api

https://sweetsquarediaslw.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/3160-293-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000700000001ac43-300.dat	family_zgrat_v1
behavioral2/memory/404-321-0x0000000000940000-0x0000000000A00000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000700000001ac28-148.dat	family_redline
behavioral2/memory/2836-156-0x0000000000790000-0x00000000007E2000-memory.dmp	family_redline
behavioral2/files/0x00040000000154e3-301.dat	family_redline
behavioral2/files/0x000700000001ac43-300.dat	family_redline
behavioral2/memory/644-303-0x00000000002B0000-0x0000000000302000-memory.dmp	family_redline
behavioral2/memory/404-321-0x0000000000940000-0x0000000000A00000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x000700000001ac52-381.dat	family_xmrig
behavioral2/files/0x000700000001ac52-381.dat	xmrig

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
26	5036	rundll32.exe
34	4992	rundll32.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Executes dropped EXE 49 IoCs

pid	Process
4784	explorha.exe
3548	swiiiii.exe
4052	explorha.exe
2836	jok.exe
1812	swiiii.exe
1384	explorha.exe
2612	explorha.exe
432	jfesawdr.exe
2748	work.exe
4620	podaw.exe
1884	gold.exe
5064	alexxxxxxxx.exe
404	trf.exe
644	keks.exe
1544	install.exe
4592	GameService.exe
68	GameService.exe
2224	GameService.exe
224	GameService.exe
2140	GameService.exe
4788	GameSyncLink.exe
2900	GameService.exe
5100	GameService.exe
2824	GameService.exe
2848	GameService.exe
4456	GameService.exe
1804	PiercingNetLink.exe
3448	GameService.exe
4128	GameService.exe
4088	GameService.exe
4640	GameService.exe
4692	GameSyncLinks.exe
692	GameSyncLink.exe
4420	PiercingNetLink.exe
4104	GameSyncLinks.exe
2952	GameSyncLink.exe
872	PiercingNetLink.exe
4380	GameSyncLinks.exe
2600	GameSyncLink.exe
4292	PiercingNetLink.exe
236	GameSyncLinks.exe
4152	explorha.exe
2232	GameSyncLink.exe
4128	PiercingNetLink.exe
1588	GameSyncLinks.exe
1440	GameSyncLink.exe
3176	PiercingNetLink.exe
4356	GameSyncLinks.exe
724	explorha.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	explorha.exe

Loads dropped DLL 3 IoCs

pid	Process
4912	rundll32.exe
5036	rundll32.exe
4992	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000700000001ac3b-260.dat	vmprotect
behavioral2/memory/4620-262-0x0000000001040000-0x0000000001931000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
68	2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
4784	explorha.exe
4052	explorha.exe
1384	explorha.exe
2612	explorha.exe
4152	explorha.exe
724	explorha.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3548 set thread context of 2648	3548	swiiiii.exe	76
PID 1812 set thread context of 2872	1812	swiiii.exe	91
PID 1884 set thread context of 4140	1884	gold.exe	137
PID 5064 set thread context of 3160	5064	alexxxxxxxx.exe	106

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorha.job	2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4140	sc.exe
1112	sc.exe
4136	sc.exe
2316	sc.exe
3768	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1296	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4560	3548	WerFault.exe	74
5028	2872	WerFault.exe	91
2628	5064	WerFault.exe	105

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	jok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	jok.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
68	2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
68	2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
4784	explorha.exe
4784	explorha.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
1296	powershell.exe
1296	powershell.exe
1296	powershell.exe
4052	explorha.exe
4052	explorha.exe
2836	jok.exe
2836	jok.exe
2836	jok.exe
1384	explorha.exe
1384	explorha.exe
2872	RegAsm.exe
2872	RegAsm.exe
2612	explorha.exe
2612	explorha.exe
4620	podaw.exe
4620	podaw.exe
2140	GameService.exe
2140	GameService.exe
4456	GameService.exe
4456	GameService.exe
4640	GameService.exe
4640	GameService.exe
2140	GameService.exe
2140	GameService.exe
4456	GameService.exe
4456	GameService.exe
4640	GameService.exe
4640	GameService.exe
2140	GameService.exe
2140	GameService.exe
4456	GameService.exe
4456	GameService.exe
4640	GameService.exe
4640	GameService.exe
2140	GameService.exe
2140	GameService.exe
4456	GameService.exe
4456	GameService.exe
4640	GameService.exe
4640	GameService.exe
4152	explorha.exe
4152	explorha.exe
2140	GameService.exe
2140	GameService.exe
4456	GameService.exe
4456	GameService.exe
4640	GameService.exe
4640	GameService.exe
2140	GameService.exe
2140	GameService.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	2836	jok.exe
Token: SeDebugPrivilege	404	trf.exe
Token: SeBackupPrivilege	404	trf.exe
Token: SeSecurityPrivilege	404	trf.exe
Token: SeSecurityPrivilege	404	trf.exe
Token: SeSecurityPrivilege	404	trf.exe
Token: SeSecurityPrivilege	404	trf.exe
Token: SeBackupPrivilege	404	trf.exe
Token: SeSecurityPrivilege	404	trf.exe
Token: SeSecurityPrivilege	404	trf.exe
Token: SeSecurityPrivilege	404	trf.exe
Token: SeSecurityPrivilege	404	trf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 68 wrote to memory of 4784	68	2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe	73
PID 68 wrote to memory of 4784	68	2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe	73
PID 68 wrote to memory of 4784	68	2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe	73
PID 4784 wrote to memory of 3548	4784	explorha.exe	74
PID 4784 wrote to memory of 3548	4784	explorha.exe	74
PID 4784 wrote to memory of 3548	4784	explorha.exe	74
PID 3548 wrote to memory of 2648	3548	swiiiii.exe	76
PID 3548 wrote to memory of 2648	3548	swiiiii.exe	76
PID 3548 wrote to memory of 2648	3548	swiiiii.exe	76
PID 3548 wrote to memory of 2648	3548	swiiiii.exe	76
PID 3548 wrote to memory of 2648	3548	swiiiii.exe	76
PID 3548 wrote to memory of 2648	3548	swiiiii.exe	76
PID 3548 wrote to memory of 2648	3548	swiiiii.exe	76
PID 3548 wrote to memory of 2648	3548	swiiiii.exe	76
PID 3548 wrote to memory of 2648	3548	swiiiii.exe	76
PID 4784 wrote to memory of 4912	4784	explorha.exe	79
PID 4784 wrote to memory of 4912	4784	explorha.exe	79
PID 4784 wrote to memory of 4912	4784	explorha.exe	79
PID 4912 wrote to memory of 5036	4912	rundll32.exe	80
PID 4912 wrote to memory of 5036	4912	rundll32.exe	80
PID 5036 wrote to memory of 2092	5036	rundll32.exe	81
PID 5036 wrote to memory of 2092	5036	rundll32.exe	81
PID 5036 wrote to memory of 1296	5036	rundll32.exe	83
PID 5036 wrote to memory of 1296	5036	rundll32.exe	83
PID 4784 wrote to memory of 4992	4784	explorha.exe	85
PID 4784 wrote to memory of 4992	4784	explorha.exe	85
PID 4784 wrote to memory of 4992	4784	explorha.exe	85
PID 4784 wrote to memory of 2836	4784	explorha.exe	87
PID 4784 wrote to memory of 2836	4784	explorha.exe	87
PID 4784 wrote to memory of 2836	4784	explorha.exe	87
PID 4784 wrote to memory of 1812	4784	explorha.exe	89
PID 4784 wrote to memory of 1812	4784	explorha.exe	89
PID 4784 wrote to memory of 1812	4784	explorha.exe	89
PID 1812 wrote to memory of 2872	1812	swiiii.exe	91
PID 1812 wrote to memory of 2872	1812	swiiii.exe	91
PID 1812 wrote to memory of 2872	1812	swiiii.exe	91
PID 1812 wrote to memory of 2872	1812	swiiii.exe	91
PID 1812 wrote to memory of 2872	1812	swiiii.exe	91
PID 1812 wrote to memory of 2872	1812	swiiii.exe	91
PID 1812 wrote to memory of 2872	1812	swiiii.exe	91
PID 1812 wrote to memory of 2872	1812	swiiii.exe	91
PID 1812 wrote to memory of 2872	1812	swiiii.exe	91
PID 4784 wrote to memory of 432	4784	explorha.exe	95
PID 4784 wrote to memory of 432	4784	explorha.exe	95
PID 4784 wrote to memory of 432	4784	explorha.exe	95
PID 432 wrote to memory of 1332	432	jfesawdr.exe	96
PID 432 wrote to memory of 1332	432	jfesawdr.exe	96
PID 432 wrote to memory of 1332	432	jfesawdr.exe	96
PID 1332 wrote to memory of 2748	1332	cmd.exe	99
PID 1332 wrote to memory of 2748	1332	cmd.exe	99
PID 1332 wrote to memory of 2748	1332	cmd.exe	99
PID 2748 wrote to memory of 4620	2748	work.exe	100
PID 2748 wrote to memory of 4620	2748	work.exe	100
PID 2748 wrote to memory of 4620	2748	work.exe	100
PID 4784 wrote to memory of 1884	4784	explorha.exe	101
PID 4784 wrote to memory of 1884	4784	explorha.exe	101
PID 4784 wrote to memory of 1884	4784	explorha.exe	101
PID 1884 wrote to memory of 4140	1884	gold.exe	137
PID 1884 wrote to memory of 4140	1884	gold.exe	137
PID 1884 wrote to memory of 4140	1884	gold.exe	137
PID 1884 wrote to memory of 4140	1884	gold.exe	137
PID 1884 wrote to memory of 4140	1884	gold.exe	137
PID 1884 wrote to memory of 4140	1884	gold.exe	137
PID 1884 wrote to memory of 4140	1884	gold.exe	137

C:\Users\Admin\AppData\Local\Temp\2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
"C:\Users\Admin\AppData\Local\Temp\2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:68
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 836
      4⤵
      Program crash
      PID:4560
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\735606991074_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4992
- - C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe
    "C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe
    "C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1204
        5⤵
        Program crash
        
        PID:5028
- - C:\Users\Admin\AppData\Local\Temp\1000077001\jfesawdr.exe
    "C:\Users\Admin\AppData\Local\Temp\1000077001\jfesawdr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1332
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        
        work.exe -priverdD
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4620
- - C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4140
- - C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
    "C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5064
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3160
    - - C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
    - - C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        5⤵
        Executes dropped EXE
        
        PID:644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 508
      4⤵
      Program crash
      PID:2628
- - C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe
    "C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
      4⤵
      PID:3540
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        5⤵
        Launches sc.exe
        
        PID:2316
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        5⤵
        Executes dropped EXE
        
        PID:4592
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        5⤵
        Launches sc.exe
        
        PID:4136
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        5⤵
        Executes dropped EXE
        
        PID:68
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:2224
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        5⤵
        Executes dropped EXE
        
        PID:224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
      4⤵
      PID:4376
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        5⤵
        Launches sc.exe
        
        PID:1112
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        5⤵
        Executes dropped EXE
        
        PID:2900
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        5⤵
        Launches sc.exe
        
        PID:3768
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        5⤵
        Executes dropped EXE
        
        PID:5100
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:2824
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        5⤵
        Executes dropped EXE
        
        PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
      4⤵
      PID:2552
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        5⤵
        Launches sc.exe
        
        PID:4140
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        5⤵
        Executes dropped EXE
        
        PID:3448
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        5⤵
        Executes dropped EXE
        
        PID:4128
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        5⤵
        Executes dropped EXE
        
        PID:4088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      4⤵
      PID:4028

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4052

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2612

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2140
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:1440

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4456
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:3176

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4640
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:236
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:4356

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4152

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe

Filesize
2.5MB

MD5
e6943a08bb91fc3086394c7314be367d

SHA1
451d2e171f906fa6c43f8b901cd41b0283d1fa40

SHA256
aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873

SHA512
505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe

Filesize
6.2MB

MD5
1bacbebf6b237c75dbe5610d2d9e1812

SHA1
3ca5768a9cf04a2c8e157d91d4a1b118668f5cf1

SHA256
c3747b167c70fd52b16fb93a4f815e7a4ee27cf67d2c7d55ea9d1edc7969c67d

SHA512
f6438eced6915890d5d15d853c3ad6856de949b7354dcea97b1cf40d0c8aed767c8e45730e64ab0368f3606da5e95fd1d4db9cc21e613d517f37ddebbd0fa1fe

Download Submit
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe

Filesize
13.2MB

MD5
72b396a9053dff4d804e07ee1597d5e3

SHA1
5ec4fefa66771613433c17c11545c6161e1552d5

SHA256
d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d

SHA512
ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b

Download Submit
C:\Program Files (x86)\GameSyncLink\installc.bat

Filesize
301B

MD5
998ab24316795f67c26aca0f1b38c8ce

SHA1
a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

SHA256
a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

SHA512
7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files (x86)\GameSyncLink\installm.bat

Filesize
218B

MD5
94b87b86dc338b8f0c4e5869496a8a35

SHA1
2584e6496d048068f61ac72f5c08b54ad08627c3

SHA256
2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

SHA512
b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.8MB

MD5
f5a33e2c9e2f68449a07778cc2edf846

SHA1
9b1c77c93fdf834a281da35fb3d5060d6de64de6

SHA256
2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203

SHA512
cacf32b567797196a636d17ab2457cbe1bbd25f339cef8bd46848abba8d0e60ebbb5937d378a3300c8c0f242743489ceb1909039ebcf9670cabaecf08afdb12e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000069001\NewB.exe

Filesize
64KB

MD5
a622afb2ca5b500110a99596a1c64795

SHA1
36a751a6f24d766d78a838fedbaf67316e036320

SHA256
b2488c3453669a4bbe965a832bc9191e179d5f95c0a51dbbe7458fafedbaab4e

SHA512
60b139b0f5779e3234d152ff5b9c2422594283c9872d85cf9508553522a32842134f0a4d6c1de9ee761a6257e69b616cecd8771e86ebb1381b467a1fa05eda10

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000077001\jfesawdr.exe

Filesize
6.1MB

MD5
9fb56dd5b5beb0b9c5d0102f22373c0b

SHA1
5559dc162d09c11c1ed80aedf8e9fa86fd531e4c

SHA256
a65b290aa9ebfb82746cf75440c19956169f48d7dcbebafde6996c9b46039539

SHA512
ab6c88acddf3350f4da37e20e38fc1bd4ac56433d5320fa071649ddf261cf1b6bb4692b54791e08e47b9e887a87ba5704afde6cb9aa9220c1da7f27c85400a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe

Filesize
564KB

MD5
f15a9cfa3726845017a7f91abe0a14f7

SHA1
5540ae40231fe4bf97e59540033b679dda22f134

SHA256
2dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071

SHA512
1c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
208B

MD5
4e79187970192cf4106d807651e316de

SHA1
ead8189a1f3c47e2b643fad73203245f8443ff3a

SHA256
ad7ee56d0d470094a2929d50ebf879d50891314fa8ef926dd02b365d70b4d816

SHA512
be87213ce44d2969e3e24bda57bebed7dd469b41904968ff8df123a80d84dfb62de964b1f8a003557eb41f5de574ae5d5ba67e0938e7ac903fbb38b354e50481

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
5.8MB

MD5
8eeea65d388106b4489d07e025e17fed

SHA1
96651968f724c7daec51e74476403899bc7bf8c2

SHA256
69efe73bf8f9669427fb25962d104fb63ae7a4fdb4fb2f0022c7541a72c8a2c3

SHA512
1c5966906a89b8e7e83bf382c382e5ece1cf6827e7ba7e4ab4fc0ba0c91284bf398bf4822c53aab250520f7ffde231090a9e44d11493b6be8921899fb6d944d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe

Filesize
5.5MB

MD5
125c7efdef3f11c70b514739b1bab646

SHA1
526560d1ff7636ea4f0404eb74f5da68f7eb8e23

SHA256
2ca04fad5b8a81264292bb9877cb9c1c9f7a484cd03815ec9bb686ddf70edefa

SHA512
e08218e2415a051b9b8b7e6d28e6822341227fc5256f418c22b2b39f6d3d89e763f58b77dbbdfc792f8a8a17870136be5757c736db1c98d3437e76500f768261

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp9CD7.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jdbiu4xm.0rw.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
bc66475ee3b9ba37ec6828944dadd734

SHA1
9b82600ed9625cd85c114473a66b2160aea60b0a

SHA256
4c14b7589cf62d4a93c2e2e3f6b74c3b2424973df96e12dfbfb988cc6d29d409

SHA512
e45e908918f2c08cc2a1fe85f268c858a6bfa082c792ce893ef649aeffe7d570b791236f70f6f9e1ac2388173a6e5b76fe53a340685d0f1880bb2f28a440cbdf

Download Submit
memory/68-3-0x0000000000830000-0x0000000000CEB000-memory.dmp

Filesize
4.7MB

Download
memory/68-0-0x0000000000830000-0x0000000000CEB000-memory.dmp

Filesize
4.7MB

Download
memory/68-1-0x0000000077664000-0x0000000077665000-memory.dmp

Filesize
4KB

Download
memory/68-2-0x0000000000831000-0x0000000000860000-memory.dmp

Filesize
188KB

Download
memory/68-5-0x0000000000830000-0x0000000000CEB000-memory.dmp

Filesize
4.7MB

Download
memory/68-14-0x0000000000830000-0x0000000000CEB000-memory.dmp

Filesize
4.7MB

Download
memory/404-393-0x000000001DB70000-0x000000001DC7A000-memory.dmp

Filesize
1.0MB

Download
memory/404-395-0x000000001C690000-0x000000001C6CE000-memory.dmp

Filesize
248KB

Download
memory/404-321-0x0000000000940000-0x0000000000A00000-memory.dmp

Filesize
768KB

Download
memory/404-394-0x000000001B7F0000-0x000000001B802000-memory.dmp

Filesize
72KB

Download
memory/644-303-0x00000000002B0000-0x0000000000302000-memory.dmp

Filesize
328KB

Download
memory/644-324-0x0000000006370000-0x00000000063BB000-memory.dmp

Filesize
300KB

Download
memory/724-423-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/724-425-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/1296-103-0x00000295A6E40000-0x00000295A6E4A000-memory.dmp

Filesize
40KB

Download
memory/1296-53-0x00000295A6EC0000-0x00000295A6EE2000-memory.dmp

Filesize
136KB

Download
memory/1296-56-0x00000295A6FF0000-0x00000295A7066000-memory.dmp

Filesize
472KB

Download
memory/1296-90-0x00000295A6E70000-0x00000295A6E82000-memory.dmp

Filesize
72KB

Download
memory/1384-212-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/1384-214-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/1812-196-0x0000000000630000-0x000000000065E000-memory.dmp

Filesize
184KB

Download
memory/1884-277-0x00000000011A0000-0x0000000001223FAE-memory.dmp

Filesize
527KB

Download
memory/2612-226-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/2612-225-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/2648-34-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2648-36-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2836-209-0x0000000008100000-0x00000000082C2000-memory.dmp

Filesize
1.8MB

Download
memory/2836-158-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/2836-207-0x0000000006B70000-0x0000000006BC0000-memory.dmp

Filesize
320KB

Download
memory/2836-210-0x0000000008800000-0x0000000008D2C000-memory.dmp

Filesize
5.2MB

Download
memory/2836-204-0x0000000006970000-0x00000000069D6000-memory.dmp

Filesize
408KB

Download
memory/2836-156-0x0000000000790000-0x00000000007E2000-memory.dmp

Filesize
328KB

Download
memory/2836-157-0x00000000055F0000-0x0000000005AEE000-memory.dmp

Filesize
5.0MB

Download
memory/2836-159-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/2836-176-0x0000000005BF0000-0x0000000005C66000-memory.dmp

Filesize
472KB

Download
memory/2836-177-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/2836-179-0x0000000006BD0000-0x00000000071D6000-memory.dmp

Filesize
6.0MB

Download
memory/2836-180-0x0000000006740000-0x000000000684A000-memory.dmp

Filesize
1.0MB

Download
memory/2836-181-0x0000000006670000-0x0000000006682000-memory.dmp

Filesize
72KB

Download
memory/2836-182-0x00000000066D0000-0x000000000670E000-memory.dmp

Filesize
248KB

Download
memory/2836-183-0x0000000006850000-0x000000000689B000-memory.dmp

Filesize
300KB

Download
memory/2872-199-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2872-201-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3160-293-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/3548-31-0x0000000000870000-0x00000000008C2000-memory.dmp

Filesize
328KB

Download
memory/4052-127-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4052-129-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4140-276-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4140-278-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4152-410-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4152-408-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4620-261-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/4620-262-0x0000000001040000-0x0000000001931000-memory.dmp

Filesize
8.9MB

Download
memory/4784-130-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-112-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-280-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-218-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-208-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-215-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-203-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-143-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-132-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-131-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-228-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-279-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-221-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-125-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-114-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-386-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-113-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-220-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-37-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-222-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-18-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-17-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-402-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-223-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-227-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-411-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-412-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-416-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-417-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-418-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-422-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-16-0x00000000012E1000-0x0000000001310000-memory.dmp

Filesize
188KB

Download
memory/4784-15-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-426-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download
memory/4784-427-0x00000000012E0000-0x000000000179B000-memory.dmp

Filesize
4.7MB

Download