580cdee9a1dcaa2c53c97cb0685058e81db7dd7b234c5f5818d8d44cec7548fb

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe
Size

645KB
MD5

14aa8760fa3e3d00d2b0e18b6491dc4f
SHA1

3d02f92123ce0aed6788e7a8c5fd32489ef94f2b
SHA256

580cdee9a1dcaa2c53c97cb0685058e81db7dd7b234c5f5818d8d44cec7548fb
SHA512

f14ec0ee64559e410ad43ca1d490df5f8da8a19527727996be81f461ab32d513437e62a2d4e2926f05e21653bde492ba66bc9af79d6295ec132d6eeebf71d854
SSDEEP

12288:Tzo75/bUOEXYKZYsw5Eq65otrGaUtzAyFVpzM4TjVlZP+/lA/DL0+5kG:I75IbYAY/5EqIotKHtkyFg2VTkADA+5F

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2080	magiclink.exe
2368	magiclink.exe
2532	magiclink.exe
1692	magiclink.exe
632	magiclink.exe
1780	magiclink.exe
2140	magiclink.exe
1764	magiclink.exe
2280	magiclink.exe
3028	magiclink.exe
1972	magiclink.exe
2208	magiclink.exe
1576	magiclink.exe
1756	magiclink.exe
2732	magiclink.exe
2880	magiclink.exe
2300	magiclink.exe
1292	magiclink.exe
1744	magiclink.exe
1080	magiclink.exe
1708	magiclink.exe
1464	magiclink.exe
2240	magiclink.exe
2304	magiclink.exe
1040	magiclink.exe
1856	magiclink.exe
1984	magiclink.exe
2872	magiclink.exe
2564	magiclink.exe
2468	magiclink.exe
2792	magiclink.exe
2368	magiclink.exe
2440	magiclink.exe
2336	magiclink.exe
2800	magiclink.exe
1248	magiclink.exe
2148	magiclink.exe
1516	magiclink.exe
1748	magiclink.exe
1780	magiclink.exe
380	magiclink.exe
2128	magiclink.exe
2044	magiclink.exe
2036	magiclink.exe
1844	magiclink.exe
3020	magiclink.exe
1720	magiclink.exe
2460	magiclink.exe
2320	magiclink.exe
1308	magiclink.exe
1724	magiclink.exe
2864	magiclink.exe
356	magiclink.exe
552	magiclink.exe
2300	magiclink.exe
1924	magiclink.exe
1660	magiclink.exe
1904	magiclink.exe
1736	magiclink.exe
2964	magiclink.exe
884	magiclink.exe
1536	magiclink.exe
2876	magiclink.exe
2512	magiclink.exe

Loads dropped DLL 64 IoCs

pid	Process
1936	14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe
1936	14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe
2080	magiclink.exe
2080	magiclink.exe
2368	magiclink.exe
2368	magiclink.exe
2532	magiclink.exe
2532	magiclink.exe
1692	magiclink.exe
1692	magiclink.exe
632	magiclink.exe
632	magiclink.exe
1780	magiclink.exe
1780	magiclink.exe
2140	magiclink.exe
2140	magiclink.exe
1764	magiclink.exe
1764	magiclink.exe
2280	magiclink.exe
2280	magiclink.exe
3028	magiclink.exe
3028	magiclink.exe
1972	magiclink.exe
1972	magiclink.exe
2208	magiclink.exe
2208	magiclink.exe
1576	magiclink.exe
1576	magiclink.exe
1756	magiclink.exe
1756	magiclink.exe
2732	magiclink.exe
2732	magiclink.exe
2880	magiclink.exe
2880	magiclink.exe
2300	magiclink.exe
2300	magiclink.exe
1292	magiclink.exe
1292	magiclink.exe
1744	magiclink.exe
1744	magiclink.exe
1080	magiclink.exe
1080	magiclink.exe
1708	magiclink.exe
1708	magiclink.exe
1464	magiclink.exe
1464	magiclink.exe
2240	magiclink.exe
2240	magiclink.exe
2304	magiclink.exe
2304	magiclink.exe
1040	magiclink.exe
1040	magiclink.exe
1856	magiclink.exe
1856	magiclink.exe
1984	magiclink.exe
1984	magiclink.exe
2872	magiclink.exe
2872	magiclink.exe
2564	magiclink.exe
2564	magiclink.exe
2468	magiclink.exe
2468	magiclink.exe
2792	magiclink.exe
2792	magiclink.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1936-0-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/files/0x0007000000016d06-10.dat	upx
behavioral1/memory/1936-11-0x0000000003A10000-0x0000000003C2E000-memory.dmp	upx
behavioral1/memory/2080-21-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1936-19-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2080-36-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2368-44-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2532-53-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2368-50-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2532-68-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1692-76-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1692-83-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/632-84-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/632-99-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1780-98-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1780-112-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2140-114-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2140-129-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1764-136-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1764-143-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2280-144-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2280-156-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/3028-157-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/3028-164-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1972-165-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1972-172-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2208-173-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2208-180-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1576-181-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1576-188-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1756-193-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1756-196-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2732-201-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2732-204-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2880-210-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2300-216-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1292-222-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1744-228-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1080-234-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1708-240-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1464-246-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2240-252-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2304-258-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1040-264-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1856-270-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1984-276-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2872-282-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2564-288-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2468-294-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2792-300-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2368-306-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2440-312-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2336-318-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2800-324-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1248-330-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2148-336-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1516-342-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1748-348-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1780-354-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/380-360-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2128-366-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2044-372-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/2036-378-0x0000000000400000-0x000000000061E000-memory.dmp	upx
behavioral1/memory/1844-384-0x0000000000400000-0x000000000061E000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File created	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File created	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File created	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File created	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File created	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File created	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File created	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\systemdllx.vxd	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File created	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe
File opened for modification	\??\c:\windows\SysWOW64\magiclink .exe	magiclink.exe
File created	\??\c:\windows\SysWOW64\magiclink.exe	magiclink.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2080	1936	14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2080	1936	14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2080	1936	14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2080	1936	14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2368	2080	magiclink.exe	29
PID 2080 wrote to memory of 2368	2080	magiclink.exe	29
PID 2080 wrote to memory of 2368	2080	magiclink.exe	29
PID 2080 wrote to memory of 2368	2080	magiclink.exe	29
PID 2368 wrote to memory of 2532	2368	magiclink.exe	30
PID 2368 wrote to memory of 2532	2368	magiclink.exe	30
PID 2368 wrote to memory of 2532	2368	magiclink.exe	30
PID 2368 wrote to memory of 2532	2368	magiclink.exe	30
PID 2532 wrote to memory of 1692	2532	magiclink.exe	31
PID 2532 wrote to memory of 1692	2532	magiclink.exe	31
PID 2532 wrote to memory of 1692	2532	magiclink.exe	31
PID 2532 wrote to memory of 1692	2532	magiclink.exe	31
PID 1692 wrote to memory of 632	1692	magiclink.exe	32
PID 1692 wrote to memory of 632	1692	magiclink.exe	32
PID 1692 wrote to memory of 632	1692	magiclink.exe	32
PID 1692 wrote to memory of 632	1692	magiclink.exe	32
PID 632 wrote to memory of 1780	632	magiclink.exe	33
PID 632 wrote to memory of 1780	632	magiclink.exe	33
PID 632 wrote to memory of 1780	632	magiclink.exe	33
PID 632 wrote to memory of 1780	632	magiclink.exe	33
PID 1780 wrote to memory of 2140	1780	magiclink.exe	34
PID 1780 wrote to memory of 2140	1780	magiclink.exe	34
PID 1780 wrote to memory of 2140	1780	magiclink.exe	34
PID 1780 wrote to memory of 2140	1780	magiclink.exe	34
PID 2140 wrote to memory of 1764	2140	magiclink.exe	35
PID 2140 wrote to memory of 1764	2140	magiclink.exe	35
PID 2140 wrote to memory of 1764	2140	magiclink.exe	35
PID 2140 wrote to memory of 1764	2140	magiclink.exe	35
PID 1764 wrote to memory of 2280	1764	magiclink.exe	36
PID 1764 wrote to memory of 2280	1764	magiclink.exe	36
PID 1764 wrote to memory of 2280	1764	magiclink.exe	36
PID 1764 wrote to memory of 2280	1764	magiclink.exe	36
PID 2280 wrote to memory of 3028	2280	magiclink.exe	37
PID 2280 wrote to memory of 3028	2280	magiclink.exe	37
PID 2280 wrote to memory of 3028	2280	magiclink.exe	37
PID 2280 wrote to memory of 3028	2280	magiclink.exe	37
PID 3028 wrote to memory of 1972	3028	magiclink.exe	38
PID 3028 wrote to memory of 1972	3028	magiclink.exe	38
PID 3028 wrote to memory of 1972	3028	magiclink.exe	38
PID 3028 wrote to memory of 1972	3028	magiclink.exe	38
PID 1972 wrote to memory of 2208	1972	magiclink.exe	39
PID 1972 wrote to memory of 2208	1972	magiclink.exe	39
PID 1972 wrote to memory of 2208	1972	magiclink.exe	39
PID 1972 wrote to memory of 2208	1972	magiclink.exe	39
PID 2208 wrote to memory of 1576	2208	magiclink.exe	40
PID 2208 wrote to memory of 1576	2208	magiclink.exe	40
PID 2208 wrote to memory of 1576	2208	magiclink.exe	40
PID 2208 wrote to memory of 1576	2208	magiclink.exe	40
PID 1576 wrote to memory of 1756	1576	magiclink.exe	41
PID 1576 wrote to memory of 1756	1576	magiclink.exe	41
PID 1576 wrote to memory of 1756	1576	magiclink.exe	41
PID 1576 wrote to memory of 1756	1576	magiclink.exe	41
PID 1756 wrote to memory of 2732	1756	magiclink.exe	42
PID 1756 wrote to memory of 2732	1756	magiclink.exe	42
PID 1756 wrote to memory of 2732	1756	magiclink.exe	42
PID 1756 wrote to memory of 2732	1756	magiclink.exe	42
PID 2732 wrote to memory of 2880	2732	magiclink.exe	43
PID 2732 wrote to memory of 2880	2732	magiclink.exe	43
PID 2732 wrote to memory of 2880	2732	magiclink.exe	43
PID 2732 wrote to memory of 2880	2732	magiclink.exe	43

C:\Users\Admin\AppData\Local\Temp\14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936
- C:\windows\SysWOW64\magiclink.exe
  "C:\windows\system32\magiclink.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\windows\SysWOW64\magiclink.exe
    "C:\windows\system32\magiclink.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\windows\SysWOW64\magiclink.exe
      "C:\windows\system32\magiclink.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2880
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2300
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1292
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1744
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1080
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1708
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1464
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2240
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2304
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1040
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1856
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1984
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2872
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2564
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2468
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2792
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        33⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        34⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        35⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        36⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        37⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        38⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        41⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        42⤵
        Executes dropped EXE
        
        PID:380
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        44⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        45⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        46⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        47⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        48⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        49⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1308
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        52⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        53⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        54⤵
        Executes dropped EXE
        
        PID:356
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:552
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2300
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        57⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        58⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        59⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        60⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        61⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:884
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        63⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        64⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        65⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        66⤵
        
        PID:1928
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        67⤵
        
        PID:2552
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        68⤵
        
        PID:2356
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        69⤵
        
        PID:2376
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        70⤵
        
        PID:3012
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        71⤵
        
        PID:1244
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        72⤵
        Drops file in System32 directory
        
        PID:1188
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        73⤵
        
        PID:2424
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        74⤵
        
        PID:2248
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        75⤵
        Drops file in System32 directory
        
        PID:2104
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        76⤵
        
        PID:2100
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        77⤵
        Drops file in System32 directory
        
        PID:1596
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        78⤵
        
        PID:1548
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        79⤵
        
        PID:2284
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        80⤵
        Drops file in System32 directory
        
        PID:1556
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        81⤵
        
        PID:2912
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        82⤵
        
        PID:2200
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        83⤵
        
        PID:1204
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        84⤵
        
        PID:2028
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        85⤵
        Drops file in System32 directory
        
        PID:3064
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        86⤵
        
        PID:2312
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        87⤵
        Drops file in System32 directory
        
        PID:2068
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        88⤵
        
        PID:1084
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        89⤵
        Drops file in System32 directory
        
        PID:496
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        90⤵
        
        PID:2736
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        91⤵
        Drops file in System32 directory
        
        PID:320
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        92⤵
        
        PID:1604
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        93⤵
        
        PID:920
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        94⤵
        Drops file in System32 directory
        
        PID:1932
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        95⤵
        
        PID:616
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        96⤵
        Drops file in System32 directory
        
        PID:1436
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        97⤵
        Drops file in System32 directory
        
        PID:892
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        98⤵
        Drops file in System32 directory
        
        PID:1668
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        99⤵
        
        PID:1040
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        100⤵
        
        PID:2924
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        101⤵
        
        PID:2612
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        102⤵
        Drops file in System32 directory
        
        PID:2636
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        103⤵
        
        PID:2372
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        104⤵
        Drops file in System32 directory
        
        PID:2836
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        105⤵
        
        PID:2412
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        106⤵
        
        PID:1692
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        107⤵
        Drops file in System32 directory
        
        PID:888
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        108⤵
        
        PID:2800
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        109⤵
        
        PID:2672
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        110⤵
        Drops file in System32 directory
        
        PID:3044
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        111⤵
        
        PID:764
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        112⤵
        
        PID:1580
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        113⤵
        
        PID:540
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        114⤵
        
        PID:2272
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        115⤵
        
        PID:480
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        116⤵
        
        PID:1004
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        117⤵
        Drops file in System32 directory
        
        PID:2704
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        118⤵
        
        PID:3020
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        119⤵
        Drops file in System32 directory
        
        PID:1412
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        120⤵
        
        PID:1728
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        121⤵
        Drops file in System32 directory
        
        PID:2064
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        122⤵
        Drops file in System32 directory
        
        PID:1444
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        123⤵
        
        PID:1788
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        124⤵
        
        PID:2864
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        125⤵
        
        PID:2084
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        126⤵
        
        PID:1552
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        127⤵
        
        PID:952
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        128⤵
        Drops file in System32 directory
        
        PID:2992
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        129⤵
        
        PID:2748
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        130⤵
        
        PID:1708
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        131⤵
        
        PID:2228
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        132⤵
        
        PID:916
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        133⤵
        
        PID:2240
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        134⤵
        
        PID:1540
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        135⤵
        Drops file in System32 directory
        
        PID:884
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        136⤵
        
        PID:2476
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        137⤵
        
        PID:2612
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        138⤵
        
        PID:2640
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        139⤵
        
        PID:2792
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        140⤵
        
        PID:2768
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        141⤵
        
        PID:2836
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        142⤵
        
        PID:2436
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        143⤵
        
        PID:1244
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        144⤵
        Drops file in System32 directory
        
        PID:2592
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        145⤵
        
        PID:2608
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        146⤵
        
        PID:2332
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        147⤵
        
        PID:2156
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        148⤵
        
        PID:1228
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        149⤵
        Drops file in System32 directory
        
        PID:1580
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        150⤵
        
        PID:2872
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        151⤵
        
        PID:1220
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        152⤵
        
        PID:2044
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        153⤵
        
        PID:1840
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        154⤵
        Drops file in System32 directory
        
        PID:2196
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        155⤵
        
        PID:1948
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        156⤵
        
        PID:3020
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        157⤵
        
        PID:2028
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        158⤵
        
        PID:2596
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        159⤵
        
        PID:2848
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        160⤵
        
        PID:656
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        161⤵
        
        PID:1084
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        162⤵
        
        PID:1796
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        163⤵
        
        PID:1888
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        164⤵
        
        PID:576
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        165⤵
        
        PID:1960
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        166⤵
        Drops file in System32 directory
        
        PID:1660
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        167⤵
        
        PID:1872
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        168⤵
        
        PID:2232
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        169⤵
        
        PID:2228
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        170⤵
        
        PID:916
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        171⤵
        
        PID:2176
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        172⤵
        
        PID:1856
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        173⤵
        
        PID:1640
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        174⤵
        
        PID:2360
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        175⤵
        
        PID:2468
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        176⤵
        
        PID:2804
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        177⤵
        
        PID:2056
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        178⤵
        
        PID:1688
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        179⤵
        
        PID:2836
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        180⤵
        Drops file in System32 directory
        
        PID:2600
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        181⤵
        Drops file in System32 directory
        
        PID:1368
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        182⤵
        Drops file in System32 directory
        
        PID:888
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        183⤵
        
        PID:2672
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        184⤵
        
        PID:3044
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        185⤵
        
        PID:2104
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        186⤵
        
        PID:380
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        187⤵
        
        PID:1580
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        188⤵
        
        PID:1184
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        189⤵
        
        PID:2040
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        190⤵
        
        PID:2036
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        191⤵
        
        PID:1860
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        192⤵
        
        PID:1972
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        193⤵
        
        PID:3048
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        194⤵
        
        PID:3064
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        195⤵
        
        PID:1728
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        196⤵
        
        PID:2308
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        197⤵
        
        PID:1108
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        198⤵
        
        PID:2952
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        199⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        200⤵
        
        PID:1292
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        201⤵
        
        PID:808
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        202⤵
        Drops file in System32 directory
        
        PID:920
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        203⤵
        
        PID:1744
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        204⤵
        Drops file in System32 directory
        
        PID:2892
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        205⤵
        Drops file in System32 directory
        
        PID:2184
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        206⤵
        Drops file in System32 directory
        
        PID:1708
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        207⤵
        
        PID:2164
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        208⤵
        
        PID:1908
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        209⤵
        Drops file in System32 directory
        
        PID:1668
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        210⤵
        
        PID:1352
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        211⤵
        
        PID:2212
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        212⤵
        
        PID:1640
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        213⤵
        
        PID:2428
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        214⤵
        Drops file in System32 directory
        
        PID:2972
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        215⤵
        
        PID:2804
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        216⤵
        
        PID:2220
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        217⤵
        Drops file in System32 directory
        
        PID:2628
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        218⤵
        Drops file in System32 directory
        
        PID:1692
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        219⤵
        Drops file in System32 directory
        
        PID:112
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        220⤵
        Drops file in System32 directory
        
        PID:2152
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        221⤵
        
        PID:2168
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        222⤵
        Drops file in System32 directory
        
        PID:1232
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        223⤵
        
        PID:3044
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        224⤵
        
        PID:2472
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        225⤵
        
        PID:380
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        226⤵
        
        PID:2568
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        227⤵
        
        PID:2020
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        228⤵
        
        PID:2024
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        229⤵
        
        PID:2400
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        230⤵
        
        PID:640
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        231⤵
        Drops file in System32 directory
        
        PID:1912
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        232⤵
        Drops file in System32 directory
        
        PID:1204
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        233⤵
        Drops file in System32 directory
        
        PID:2316
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        234⤵
        
        PID:452
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        235⤵
        
        PID:2620
        
        C:\windows\SysWOW64\magiclink.exe
        
        "C:\windows\system32\magiclink.exe"
        236⤵
        
        PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\firstrunm.txt

Filesize
255B

MD5
997b2a8efaa6b95f9d88c9af9bceaf8e

SHA1
bd4806ee779602171154c7d679b26af5b9bc3405

SHA256
3dc1a86a4172dbee0a1ace3a6a7fa733a368ddf1c9ec28dc410366a6b015faa2

SHA512
e1ca4e27f95b4d382a4cf13e33ef91bcdf7cea8029ee3b11e6f68b8c2d757e0cee1c982ab2badff0b03865b8d56fa624115420bf41d6b5df92790718adf9d9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdllcope.vxd

Filesize
1000B

MD5
545a67d28de528c88e42c41b05693963

SHA1
83bba65a5bc8bbf58ef33a0507a328b6b74bba88

SHA256
a82df735cc734795b819657b152d756c0fbef394338997eacb7398d8024b5853

SHA512
0632600814005c11e2e8cdf17668040ba291d61f8702853b05357744fba74ff12e826661f6028932305a80fdffb79a9a41b55e9d9f3a9ab026530d7acd1e3a7e

Download Submit
C:\Windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
a791164f59b4ddce7c282faf78d3878a

SHA1
32fdfb3aa641b89ceb414bdc72d672b56de07cc1

SHA256
0d94d9873938307f20b092c694f8355727452ac85332f53af3663c63fdca4ccb

SHA512
e91ee2cea1331d7de2aad0fa0324098b77039063233489dd2376705013f4b55bf1b1dc6b097562c90ef37630bafa5d83aa0ddd378ecf27018117e8c221d062a7

Download Submit
C:\Windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
f7c029b90f8c421f7fdeb21881a148bb

SHA1
9cd449e8089fae3ee7bf226584ea8172ecb8adc8

SHA256
586810f439b8fc9de86ea04e98649a3786425294bddfacc9c3825e1ca3d11b79

SHA512
3ee4b5bd40f14e0337d64f5112dbbcdf410f476f639be34f71c294fdc2c27b75b0423210a7c0dab1fc4524c318cb215ff98eeb903662b55ecd9dd1aab49bb2b7

Download Submit
C:\Windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
55ee9b2f4246da3b2150a7b142829ca3

SHA1
39ea30ee8cdf6df48c02577c478a2f20ffa3685f

SHA256
c8945dcb956618b3c7478c728d3d11a70aafce6cde2e5901745da7e83127d40c

SHA512
7df6f37dc2829fc3f5c4d979f20e5d80e199d23e679ce7ff2d399c9cfdc78462624a574a4ba4332ec6a46710c2294bf6fdab8cddb0e65ff322e03871cf72e6c8

Download Submit
C:\Windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
191d5dff217e432592ee98a3ac8be806

SHA1
8afbfaab425362fa04f4da8647a310eb083061db

SHA256
d1d0fa548bc500f241a881984b02eb00e5942f77d639708d3c11e0e84f8bbb72

SHA512
6c92618e7a96367b94c4da9b232d2ef8cabca062f0e01165137ffebd4e7159611a9cb47d9fcac3b1764fa8953c00938b78a47211803f130584036ffa63038bf7

Download Submit
C:\Windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
2017555fe2a74084a95ad1ee852fe5e8

SHA1
cff489c463c8b474533c8ef547cedb05e1ebd581

SHA256
9028f049ca91d40d430dfee0e4573f95941966b70a5d2b8af26bdff9f35d76b5

SHA512
54da36763c1b92e1e1cfd1ea05762fd08cab0b6be7d7ffb8dcbd93c633226159ec59a918acf2e4b52e8a0a753560b6191bf58cbff69a43d818fba473c0cd3854

Download Submit
C:\Windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
eca3bde12871444be3b6e831b6039c2d

SHA1
b436f75ff771cb2db83553520be0b6c838eecd6d

SHA256
73511a1b238e59549ed9951ce95d2f178ae643de099d4a6f9878c5fcc2e39dd9

SHA512
d7874c0b7d8d9c7b435d6b6dbbe8e51d6ece164b37cc458cc08e67b6475c455d5e3150b2056d23265d3221bac3ee67b893b8bd1e58ea538e3a030b7fd7ae4c25

Download Submit
C:\Windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
9b006886502023ed82605f5f48b01283

SHA1
6a6243326446232993fb6056933ac9629fb2a50a

SHA256
928487e59814898cdd0bb16b5f196a82233ab3450f76ef4bb45b6d447dde0741

SHA512
11d2ce38457baabae2b398016d5ebcc3fcf2ae9228ddf06ce58fec3def4702408b48869208434a87fee25f31840ea08e42bcab72546a6f6ad60ac5e96e98de89

Download Submit
C:\Windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
07b9e581e3ee58f7a83866824499f61f

SHA1
82e4cf74adceea91680b3fdab641d9d8d5ea0be3

SHA256
5e63f6e3aaf42c20818e4dcc40f0e51d216aa2be48759af55a29090b562b41cb

SHA512
6bf89136d27934c2e28f7289b4174b830d1c0d1571a49b3ecf61d8394c48dae1e0f27d0410be6ffbdb9c50eed9cce88db7705efb71ce8181c23e4f2d1a67e768

Download Submit
C:\Windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
af8c3bb7988862c9be808de0e8c59f8e

SHA1
88e74b726efbb8f8d1217b95c232e3d7505ff822

SHA256
d6a699b37245b7775915be150123e93bf50ecd0ea11206691ef9eebf0a27c133

SHA512
17350a24f6ab638a460bd9cbc23448c8735cbf06db9e10e14e6891d6213f48dd5ec2ee815b4383aafd34bb30a219186f4792aa8fd90f634334b65737991eb0d1

Download Submit
C:\Windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
ffad61d4435d139887c40c802c7fcd81

SHA1
6c648c5ea3efad2f6661c227d21d94f8db5db5ba

SHA256
82b8c9dc6af825ce2596fe1ceb50321ed3f725c4a255e31a5569e1b0afb5638d

SHA512
01738fffbb4777d747b5403f277c4052962fbe43986e052e8eb60e3aa3dd5d8ea690d6dbcdd8b55bd3b4eed3899ef5f1443bf649a0cc656cdb5f122c0a377268

Download Submit
C:\Windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
4c698a040fd6ffaae9d8b893e2ac89e4

SHA1
4061dbbc7e79ce0e1ac94d202d9175ef3c7a740a

SHA256
dfbdab1128a368f8fed67cb7af20b2c4d454f6de071809c0ccdb2e91f78a72f5

SHA512
658c489e59c01f1ddd0f4bb599b9d18792674e65f3063b6b664f2999a08bb235183800038ae9ef63c4f92c192a3d8b9fda653a1a91d0b9de2fa1e62b01c02615

Download Submit
\??\c:\windows\SysWOW64\magiclink .exe

Filesize
405KB

MD5
3240e086a353fc80470b8f810da9ae91

SHA1
45277d99d9b78634a13607e1d395f94972d3550c

SHA256
9a7e85faf7130a0722b133992ed324239abdfdb1fb2a2cbf6bcfae03e75fb193

SHA512
43d46874c6272424299949cb3215c0ceb78ab912ebecb4dd9d2f847a0297caf57bcb693b07ef7c4c69d98e16b21c153a76a1a52f8b04c1c6db4708a5f2e4f668

Download Submit
\??\c:\windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
dfd6aaa3a229d6b300a31498bbd3a311

SHA1
67516ba3d2d4c3d99bac73adc2bd8535634617a1

SHA256
92ba80e5bcc2c6d543b0a30918e659a06761c2872ca4e4b5048330efd324efc3

SHA512
ca35a539fb7344941a8730b7c8901ad1567064e59a472bfbd65943f72ac7f68154afa847fe54febeb1eb2001ed2419595da4655be80f6f0de078bc27cb733270

Download Submit
\??\c:\windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
e8dfee8489c335435afdbeb200d3fda5

SHA1
21f89371b37c76597312317c5a363093fb461cbf

SHA256
854fcc9d32cadecb3e9a305020dee8adaf821d00d19a7bf646b11112286b1d37

SHA512
6af0745556b0574c60f90a6be3ad3633ed30e61f355ae6fb81a6028213e81b3bd6f92e9ad6ba6efd498fe624cf58c535ca685ca19ec2ab1525ab0e55e8c6cfbd

Download Submit
\??\c:\windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
891e7e67f727f007b88767d7c8d3e5b4

SHA1
17e43144eb314c5f5ba54a48778374bf7068740e

SHA256
f2a8a6e893baba72a75076deb6416dcb385aee69dce232dd86ce8d51eb0f92d3

SHA512
d1f5deb6d6afd0971ffe1612f06717b5a09a195c82bbcb465dc5b1fe8e5fb28d94f90e9f16fa4b547118cb0e36b33d1861c78461bac7b63000d6d4d400536cb2

Download Submit
\??\c:\windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
e588f0f68932facaf3ee8a3668bfdd12

SHA1
c25bb64135bb3d2fed82cc985b74ec5d3f631482

SHA256
250ec2bf09cd1d8140d3460e20e03f4b62e19e07bb7156740818234c35bd1747

SHA512
23a9a700530c770066a55c82766ce168516d12f57c4be13c97b9283a36e2f3f43b9e4cdb3f31049017bf75c1891ec1a210385539a79b3f01bf287efe42750a5b

Download Submit
\??\c:\windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
1f847cb3a9b8c1a3d22568e2825e07ee

SHA1
620bf003b999ed23657d6a983ed3a38aec208a9b

SHA256
b017e0a4a67649fdecfc0d653fa1f1bebcce65f576e4c4b1b3f7c6ce65d4292c

SHA512
a7d3f5f4095b8e9c70ce2da3d15b3284194c1d19289a29aea8bb03a5c3695d88b2016f39f4c6fab223725ff7ce1a73edf2b43772721a01a92a954e305b78b34f

Download Submit
\??\c:\windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
ca80338e515c028b8bc6e69380f95b3c

SHA1
03a6ed73da49ca6cac7c3a9327b44602d3ee7f78

SHA256
148c6b9e64406c89ac28987a230dd9e242eeda09d432c6e3cca4098afaa9ee80

SHA512
078787669a0830374d0a846f81123f92af2af4d647b827682b664b0e60514cbdaecb66b7769a2202b3837b8bf58652f90cb69b83649bb4969642c3679373f23b

Download Submit
\??\c:\windows\SysWOW64\systemdllx.vxd

Filesize
20B

MD5
f7ce2f828cb46e0f184de86b7dd28ceb

SHA1
d7747e1fea4cce993373a1bbaf8c61033949e13e

SHA256
1cf9ac31ab98e2571c4c487ee46e4832f873983d6544a9f566c5e947f55d6112

SHA512
1fd07b5dbc8f92c88a0f3dcac4a68d30c03e57da2bd5de2f1eafaf41711e6afaeaf36d67a2b20bd750396718291fd307c8a718396f7b768db9494b543835749c

Download Submit
\Windows\SysWOW64\magiclink.exe

Filesize
645KB

MD5
14aa8760fa3e3d00d2b0e18b6491dc4f

SHA1
3d02f92123ce0aed6788e7a8c5fd32489ef94f2b

SHA256
580cdee9a1dcaa2c53c97cb0685058e81db7dd7b234c5f5818d8d44cec7548fb

SHA512
f14ec0ee64559e410ad43ca1d490df5f8da8a19527727996be81f461ab32d513437e62a2d4e2926f05e21653bde492ba66bc9af79d6295ec132d6eeebf71d854

Download Submit
memory/356-432-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/380-360-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/552-438-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/632-99-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/632-84-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/884-480-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1040-264-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1080-234-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1248-330-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1292-222-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1308-414-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1464-246-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1516-342-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1536-486-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1576-181-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1576-188-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1660-456-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1692-83-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1692-76-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1708-240-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1720-396-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1724-420-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1736-468-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1744-228-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1748-348-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1756-193-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1756-196-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1764-136-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1764-143-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1780-98-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1780-112-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1780-354-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1844-384-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1856-270-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1904-462-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1924-450-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1936-19-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1936-1-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1936-11-0x0000000003A10000-0x0000000003C2E000-memory.dmp

Filesize
2.1MB

Download
memory/1936-0-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1936-17-0x0000000003A10000-0x0000000003C2E000-memory.dmp

Filesize
2.1MB

Download
memory/1972-172-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1972-165-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1984-276-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2036-378-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2044-372-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2080-36-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2080-21-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2080-22-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2128-366-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2140-114-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2140-129-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2148-336-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2208-173-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2208-180-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2240-252-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2280-144-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2280-156-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2300-216-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2300-444-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2304-258-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2320-408-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2336-318-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2368-44-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2368-126-0x00000000036A0000-0x00000000038BE000-memory.dmp

Filesize
2.1MB

Download
memory/2368-306-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2368-50-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2368-52-0x00000000036A0000-0x00000000038BE000-memory.dmp

Filesize
2.1MB

Download
memory/2440-312-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2460-402-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2468-294-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2532-65-0x0000000003810000-0x0000000003A2E000-memory.dmp

Filesize
2.1MB

Download
memory/2532-68-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2532-53-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2564-288-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2732-204-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2732-201-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2792-300-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2800-324-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2864-426-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2872-282-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2876-492-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2880-210-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2964-474-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/3020-390-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/3028-164-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/3028-157-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download