Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://cdn.discorda...

windows10-2004-x64

10

Analysis

  • max time kernel
    69s
  • max time network
    77s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 18:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://cdn.discordapp.com/attachments/1224456587133849751/1242518582731083836/gamesnus-fixed.rar?ex=664e211b&is=664ccf9b&hm=c011acce9872cfc56ebb131b1e696b4397d1d9fc60057d3a43462f7bde811eae&

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

programme-garden.gl.at.ply.gg:42957

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    wemm.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1224456587133849751/1242518582731083836/gamesnus-fixed.rar?ex=664e211b&is=664ccf9b&hm=c011acce9872cfc56ebb131b1e696b4397d1d9fc60057d3a43462f7bde811eae&
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf58f46f8,0x7ffdf58f4708,0x7ffdf58f4718
      2⤵
        PID:1216
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
        2⤵
          PID:3780
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:872
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
          2⤵
            PID:3568
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
            2⤵
              PID:2100
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
              2⤵
                PID:3376
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
                2⤵
                  PID:876
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4020
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
                  2⤵
                    PID:3104
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
                    2⤵
                      PID:4724
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3420 /prefetch:8
                      2⤵
                        PID:816
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
                        2⤵
                          PID:4840
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3904
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
                          2⤵
                            PID:1440
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5871120379713869589,9227641144382794748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
                            2⤵
                              PID:5060
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4228
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1592
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:5868
                                • C:\Program Files\7-Zip\7zG.exe
                                  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\gamesnus-fixed\" -spe -an -ai#7zMap59:90:7zEvent25970
                                  1⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  PID:6076
                                • C:\Users\Admin\Downloads\gamesnus-fixed\Lua Injector\gamesnus-fixed.exe
                                  "C:\Users\Admin\Downloads\gamesnus-fixed\Lua Injector\gamesnus-fixed.exe"
                                  1⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4308
                                  • C:\Users\Admin\AppData\Local\Temp\gamesnus-fixed.exe
                                    "C:\Users\Admin\AppData\Local\Temp\gamesnus-fixed.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    PID:2096
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c color 5F
                                      3⤵
                                        PID:5408
                                    • C:\Users\Admin\AppData\Local\Temp\wemm.exe
                                      "C:\Users\Admin\AppData\Local\Temp\wemm.exe"
                                      2⤵
                                      • Checks computer location settings
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2124
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wemm.exe'
                                        3⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2224
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wemm.exe'
                                        3⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5616
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\wemm.exe'
                                        3⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5764
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wemm.exe'
                                        3⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:6000
                                      • C:\Windows\System32\schtasks.exe
                                        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wemm" /tr "C:\ProgramData\wemm.exe"
                                        3⤵
                                        • Creates scheduled task(s)
                                        PID:6056
                                  • C:\Users\Admin\Downloads\gamesnus-fixed\Lua Injector\gamesnus-fixed.exe
                                    "C:\Users\Admin\Downloads\gamesnus-fixed\Lua Injector\gamesnus-fixed.exe"
                                    1⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4064

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\gamesnus-fixed.exe.log
                                    Filesize

                                    1KB

                                    MD5

                                    bb6a89a9355baba2918bb7c32eca1c94

                                    SHA1

                                    976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

                                    SHA256

                                    192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

                                    SHA512

                                    efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                    Filesize

                                    2KB

                                    MD5

                                    d85ba6ff808d9e5444a4b369f5bc2730

                                    SHA1

                                    31aa9d96590fff6981b315e0b391b575e4c0804a

                                    SHA256

                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                    SHA512

                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    a8e767fd33edd97d306efb6905f93252

                                    SHA1

                                    a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

                                    SHA256

                                    c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

                                    SHA512

                                    07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    439b5e04ca18c7fb02cf406e6eb24167

                                    SHA1

                                    e0c5bb6216903934726e3570b7d63295b9d28987

                                    SHA256

                                    247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

                                    SHA512

                                    d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    5KB

                                    MD5

                                    40c0335d1c37631bc81eab656cff8edc

                                    SHA1

                                    4c0d92630c16fc88ba68c2d3facb410e6bdefcfd

                                    SHA256

                                    3213def1ae063e26f79851926486e7081429580f309b25df18f765e7582395cc

                                    SHA512

                                    072b61b8cdf317057eed5cd1a62d19627b379be1f0ff59905813e661fd74f78c54a72f72dca449b8f2a747ed80aa36543b9242f23a3d66fbf367b7e006c3aa65

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    ab9d3d80bb2c538e48444531d9852d20

                                    SHA1

                                    fc0295ac4a4b414ad60240d6bfe3a23a9e1966bd

                                    SHA256

                                    52bc09ada83ee92606c82ee5ce61dc6210ac62b6c91a917d551aaf42de651742

                                    SHA512

                                    c12d0ca32061d8b045b850562f8496d708b588be84024716d817087c54ff10b5ca12618520fee51856ff931528db580ea109774ee4bbeffff80e9785e2a15a8b

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    11KB

                                    MD5

                                    46ed559f3c4691c9069fe2e628f72e17

                                    SHA1

                                    38f32a194b95e5a15fe8bac5510d64a76cc5a5d4

                                    SHA256

                                    a9f055f5ce5e3f17b7889c3b86766084b0edfdcfa8f6d3c47485b6aa480b4370

                                    SHA512

                                    4c68345be98f19a2a9cd88535c124ab2267b253bfa78b09cc2ae653a677f014477759e2bd5a500f0f50a74f14ac83e4026138d48a3bbd72115d4ea105ef7c304

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    11KB

                                    MD5

                                    d648924072666901d304cb7339c7fc5f

                                    SHA1

                                    58f1e180bc92a0de5bafefd4836d1da139a3effc

                                    SHA256

                                    6f61ef6e44835b78234dc5b0fa0e6a22dbf2ca462da8310f3b9de983f19d7eb3

                                    SHA512

                                    8a914f187a1aaa584db281a5f375c11eb6a373f72c1b47953545aac70db296ae68270b3baa6717019510061d47ed0f6fd72473919e8056dcb36c0612bdb14811

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    944B

                                    MD5

                                    6d42b6da621e8df5674e26b799c8e2aa

                                    SHA1

                                    ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                    SHA256

                                    5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                    SHA512

                                    53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    944B

                                    MD5

                                    22310ad6749d8cc38284aa616efcd100

                                    SHA1

                                    440ef4a0a53bfa7c83fe84326a1dff4326dcb515

                                    SHA256

                                    55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

                                    SHA512

                                    2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    944B

                                    MD5

                                    96e3b86880fedd5afc001d108732a3e5

                                    SHA1

                                    8fc17b39d744a9590a6d5897012da5e6757439a3

                                    SHA256

                                    c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294

                                    SHA512

                                    909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fekdxvl5.lj0.ps1
                                    Filesize

                                    60B

                                    MD5

                                    d17fe0a3f47be24a6453e9ef58c94641

                                    SHA1

                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                    SHA256

                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                    SHA512

                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Temp\gamesnus-fixed.exe
                                    Filesize

                                    159KB

                                    MD5

                                    3d3e59a445f716de310d2c2b09c2d235

                                    SHA1

                                    4e62578c1fec3b12d15c12a88b7b56980136f23e

                                    SHA256

                                    3bd7bc7dcadce9331ad1d51cb865552f1d78d8a7474f847055a32f47fb2de86b

                                    SHA512

                                    3effe7a7486743a48fd670cc8ff9b01b42bc8f1680c67cc004ec66cbeff87bf8a1ed2b4a1074bbac39e60fd591e27041cf8a10582bde250ac6d92b092fa5d197

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Temp\wemm.exe
                                    Filesize

                                    65KB

                                    MD5

                                    6af459292b6149b3089fd2fd8600ce19

                                    SHA1

                                    46e3bed7822a490a97dd22a0f2eb41cebe5f8147

                                    SHA256

                                    bbb58baaf7f3c5db1ed0a012262ab462659c0be8c4f62e26fae3e5677162069b

                                    SHA512

                                    6d4859e51cc49e6b88ee0a1cd822c19d69dc848caf73440b148968f89abbe28c2ca0095f9906c546b8a4ae2e105b3e9ee60ba7accb122a5a5c51f805703b8bde

                                    Download Submit
                                  • C:\Users\Admin\Downloads\gamesnus-fixed.rar
                                    Filesize

                                    2.1MB

                                    MD5

                                    939a9c2a6ac5006e6a5def761614bf6b

                                    SHA1

                                    56f73c53145bf11175f5a78c6d003e54f5118aa2

                                    SHA256

                                    39f616e3c151dfa6005cdbe2fe29cc7919ed8f87c91526bf3dbd4769e6afa4b9

                                    SHA512

                                    f5112d3300b8b649ca81eb06c84d72434d702f112ac962799976169f0411c6e00e6018952504fadfb121c84a98563d9a13a958f70561c4bdb14583a8ef9bb5ce

                                    Download Submit
                                  • C:\Users\Admin\Downloads\gamesnus-fixed\Lua Injector\gamesnus-fixed.exe
                                    Filesize

                                    408KB

                                    MD5

                                    a1ff0c0cadbc22d30193655a32f0e08c

                                    SHA1

                                    e26691e4882885f1cd43e76cb816ed2921397b8a

                                    SHA256

                                    5e29180ee083c9f393566e43050d941f353edeccb1f4d3b1c21389bdda2f80e6

                                    SHA512

                                    44e9fed11888e00e765cf3163fddd6074b0e35cba52a9434a9ffd168cd42565db24d8eb4b8df821afd1fa0949dd293107ba6c99de2b1a5f25650507bff43b497

                                    Download Submit
                                  • \??\pipe\LOCAL\crashpad_1448_NTKYNGPFSLDTBWDD
                                    MD5

                                    d41d8cd98f00b204e9800998ecf8427e

                                    SHA1

                                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                                    SHA256

                                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                    SHA512

                                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                    Download Submit
                                  • memory/2124-126-0x00000000004A0000-0x00000000004B6000-memory.dmp
                                    Filesize

                                    88KB

                                    Download
                                  • memory/2224-129-0x00000214FF3F0000-0x00000214FF412000-memory.dmp
                                    Filesize

                                    136KB

                                    Download
                                  • memory/4308-103-0x00000000008C0000-0x000000000092C000-memory.dmp
                                    Filesize

                                    432KB

                                    Download