ffd63fe2aeaa91f05bef47b3583290ccdba3f44912ab8b67044f3d58bf817ebf

Analysis

max time kernel
263s
max time network
283s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22-11-2024 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stormshot.PC.V1.0_b4bfd35522.exe
Size

2.8MB
MD5

6aae47cbaa4c56095a1eb0422c1d2ecb
SHA1

34e29d1801d270a2bd7ac02d4ea84c14c553d66f
SHA256

ffd63fe2aeaa91f05bef47b3583290ccdba3f44912ab8b67044f3d58bf817ebf
SHA512

d6b2406922d2618816db55110bf12a8579b69325e0c196d0d2508bafec68a0430acf48482160bf42cca4bd0995d864abfa2425e8e5af794c8d8d1c430fee4cff
SSDEEP

49152:c8ZQVqWu+fqu79LNTRBO1L2VQjJY80KruthaPVu+2zE0y5VCmdAlacRk3Y:vZARtBEqVQq80ThzTzEElask3Y

Score

9^/10

bootkit defense_evasion discovery evasion persistence

Malware Config

Signatures

Enumerates VirtualBox registry keys 2 TTPs 20 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	Stormshot.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	Stormshot.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Stormshot.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	Stormshot.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Stormshot.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	Stormshot.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Stormshot.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	Stormshot.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	Stormshot.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	Stormshot.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	Stormshot.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Stormshot.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	Stormshot.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Stormshot.exe

Looks for VMWare Tools registry key 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	Stormshot.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Stormshot.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wine	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wine	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wine	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wine	Stormshot.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\st_global = "F:\\FunPlus\\Stormshot\\Launcher.exe"	PC-Launcher.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	PC-Launcher.exe
File opened (read-only)	\??\F:	st_b4bfd35522.exe
File opened (read-only)	\??\D:	PC-Launcher.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Stormshot.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\symbols\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\system32\dll\kernelbase.pdb	Stormshot.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 4 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	Stormshot.exe
File opened (read-only)	\??\VBoxMiniRdrDN	Stormshot.exe
File opened (read-only)	\??\VBoxMiniRdrDN	Stormshot.exe
File opened (read-only)	\??\VBoxMiniRdrDN	Stormshot.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 8 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Stormshot.exe

Drops file in Windows directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\dll\ntdll.pdb	Stormshot.exe
File opened for modification	C:\Windows\dll\mono-2.0-bdwgc.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\DLL\kernel32.pdb	Stormshot.exe
File opened for modification	C:\Windows\symbols\dll\kernelbase.pdb	Stormshot.exe
File opened for modification	C:\Windows\kernel32.pdb	Stormshot.exe

Executes dropped EXE 20 IoCs

pid	Process
2504	st_b4bfd35522.exe
4124	Launcher.exe
1076	PC-Launcher.exe
3164	7za.exe
2568	Stormshot.exe
3400	UnityCrashHandler64.exe
4040	TQMCenter_64.exe
6316	UnityCrashHandler64.exe
6380	Stormshot.exe
6416	UnityCrashHandler64.exe
6792	TQMCenter_64.exe
5080	UnityCrashHandler64.exe
7188	Stormshot.exe
7228	UnityCrashHandler64.exe
7576	TQMCenter_64.exe
8016	UnityCrashHandler64.exe
8088	Stormshot.exe
8124	UnityCrashHandler64.exe
8444	TQMCenter_64.exe
8812	UnityCrashHandler64.exe

Loads dropped DLL 64 IoCs

pid	Process
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
4040	TQMCenter_64.exe
2568	Stormshot.exe
3400	UnityCrashHandler64.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6792	TQMCenter_64.exe
6380	Stormshot.exe
6416	UnityCrashHandler64.exe
7188	Stormshot.exe
7188	Stormshot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	st_b4bfd35522.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PC-Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Stormshot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Stormshot.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Stormshot.PC.V1.0_b4bfd35522.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PC-Launcher.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PC-Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	PC-Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PC-Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Stormshot.PC.V1.0_b4bfd35522.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Stormshot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Stormshot.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\funplus.st\shell\open\command	Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\funplus.st\shell	Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\funplus.st\shell\open	Launcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\funplus.st\DefaultIcon\ = "F:\\FunPlus\\Stormshot\\Launcher.exe"	Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\funplus.st	Launcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\funplus.st\ = "URL:funplus.st Protocol"	Launcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\funplus.st\URL Protocol	Launcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\funplus.st\shell\open\command\ = "F:\\FunPlus\\Stormshot\\Launcher.exe %1"	Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\funplus.st\DefaultIcon	Launcher.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	PC-Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	PC-Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	PC-Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	PC-Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280	PC-Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 0300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72801400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b0319000000010000001000000014d4b19434670e6dc091d154abb20edc5c000000010000000400000000080000180000000100000010000000fd960962ac6938e0d4b0769aa1a64e26200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	PC-Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	PC-Launcher.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1076	PC-Launcher.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4120	Stormshot.PC.V1.0_b4bfd35522.exe
4120	Stormshot.PC.V1.0_b4bfd35522.exe
2504	st_b4bfd35522.exe
2504	st_b4bfd35522.exe
2504	st_b4bfd35522.exe
2504	st_b4bfd35522.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
2568	Stormshot.exe
4040	TQMCenter_64.exe
4040	TQMCenter_64.exe
2568	Stormshot.exe
2568	Stormshot.exe
3400	UnityCrashHandler64.exe
3400	UnityCrashHandler64.exe
3400	UnityCrashHandler64.exe
3400	UnityCrashHandler64.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1076	PC-Launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3164	7za.exe
Token: 35	3164	7za.exe
Token: SeSecurityPrivilege	3164	7za.exe
Token: SeSecurityPrivilege	3164	7za.exe
Token: 33	1452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1452	AUDIODG.EXE
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	2568	Stormshot.exe
Token: SeShutdownPrivilege	2568	Stormshot.exe
Token: SeCreatePagefilePrivilege	2568	Stormshot.exe
Token: SeDebugPrivilege	4040	TQMCenter_64.exe
Token: SeDebugPrivilege	6380	Stormshot.exe
Token: SeDebugPrivilege	6380	Stormshot.exe
Token: SeDebugPrivilege	6380	Stormshot.exe
Token: SeDebugPrivilege	6380	Stormshot.exe
Token: SeDebugPrivilege	6380	Stormshot.exe
Token: SeDebugPrivilege	6380	Stormshot.exe
Token: SeDebugPrivilege	6380	Stormshot.exe
Token: SeDebugPrivilege	6380	Stormshot.exe
Token: SeDebugPrivilege	6380	Stormshot.exe
Token: SeDebugPrivilege	6380	Stormshot.exe
Token: SeDebugPrivilege	6380	Stormshot.exe
Token: SeDebugPrivilege	6380	Stormshot.exe
Token: SeDebugPrivilege	6380	Stormshot.exe
Token: SeDebugPrivilege	6380	Stormshot.exe
Token: SeShutdownPrivilege	6380	Stormshot.exe
Token: SeCreatePagefilePrivilege	6380	Stormshot.exe
Token: SeDebugPrivilege	6792	TQMCenter_64.exe
Token: SeDebugPrivilege	7188	Stormshot.exe
Token: SeDebugPrivilege	7188	Stormshot.exe
Token: SeDebugPrivilege	7188	Stormshot.exe
Token: SeDebugPrivilege	7188	Stormshot.exe
Token: SeDebugPrivilege	7188	Stormshot.exe
Token: SeDebugPrivilege	7188	Stormshot.exe
Token: SeDebugPrivilege	7188	Stormshot.exe
Token: SeDebugPrivilege	7188	Stormshot.exe
Token: SeDebugPrivilege	7188	Stormshot.exe
Token: SeDebugPrivilege	7188	Stormshot.exe
Token: SeDebugPrivilege	7188	Stormshot.exe
Token: SeDebugPrivilege	7188	Stormshot.exe
Token: SeDebugPrivilege	7188	Stormshot.exe
Token: SeDebugPrivilege	7188	Stormshot.exe
Token: SeShutdownPrivilege	7188	Stormshot.exe
Token: SeCreatePagefilePrivilege	7188	Stormshot.exe
Token: SeDebugPrivilege	7576	TQMCenter_64.exe
Token: SeDebugPrivilege	8088	Stormshot.exe
Token: SeDebugPrivilege	8088	Stormshot.exe
Token: SeDebugPrivilege	8088	Stormshot.exe
Token: SeDebugPrivilege	8088	Stormshot.exe
Token: SeDebugPrivilege	8088	Stormshot.exe
Token: SeDebugPrivilege	8088	Stormshot.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe
1076	PC-Launcher.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1076	PC-Launcher.exe
1076	PC-Launcher.exe
2568	Stormshot.exe
2568	Stormshot.exe
6380	Stormshot.exe
6380	Stormshot.exe
7188	Stormshot.exe
7188	Stormshot.exe
8088	Stormshot.exe
8088	Stormshot.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 2504	4120	Stormshot.PC.V1.0_b4bfd35522.exe	80
PID 4120 wrote to memory of 2504	4120	Stormshot.PC.V1.0_b4bfd35522.exe	80
PID 4120 wrote to memory of 2504	4120	Stormshot.PC.V1.0_b4bfd35522.exe	80
PID 2504 wrote to memory of 4124	2504	st_b4bfd35522.exe	81
PID 2504 wrote to memory of 4124	2504	st_b4bfd35522.exe	81
PID 2504 wrote to memory of 4124	2504	st_b4bfd35522.exe	81
PID 4124 wrote to memory of 1076	4124	Launcher.exe	82
PID 4124 wrote to memory of 1076	4124	Launcher.exe	82
PID 4124 wrote to memory of 1076	4124	Launcher.exe	82
PID 1076 wrote to memory of 3164	1076	PC-Launcher.exe	84
PID 1076 wrote to memory of 3164	1076	PC-Launcher.exe	84
PID 1076 wrote to memory of 3164	1076	PC-Launcher.exe	84
PID 1076 wrote to memory of 2568	1076	PC-Launcher.exe	86
PID 1076 wrote to memory of 2568	1076	PC-Launcher.exe	86
PID 2568 wrote to memory of 3400	2568	Stormshot.exe	87
PID 2568 wrote to memory of 3400	2568	Stormshot.exe	87
PID 2568 wrote to memory of 4040	2568	Stormshot.exe	90
PID 2568 wrote to memory of 4040	2568	Stormshot.exe	90
PID 4040 wrote to memory of 1380	4040	TQMCenter_64.exe	91
PID 4040 wrote to memory of 1380	4040	TQMCenter_64.exe	91
PID 3400 wrote to memory of 6316	3400	UnityCrashHandler64.exe	96
PID 3400 wrote to memory of 6316	3400	UnityCrashHandler64.exe	96
PID 1076 wrote to memory of 6380	1076	PC-Launcher.exe	97
PID 1076 wrote to memory of 6380	1076	PC-Launcher.exe	97
PID 6380 wrote to memory of 6416	6380	Stormshot.exe	98
PID 6380 wrote to memory of 6416	6380	Stormshot.exe	98
PID 4040 wrote to memory of 6600	4040	TQMCenter_64.exe	99
PID 4040 wrote to memory of 6600	4040	TQMCenter_64.exe	99
PID 6380 wrote to memory of 6792	6380	Stormshot.exe	101
PID 6380 wrote to memory of 6792	6380	Stormshot.exe	101
PID 6792 wrote to memory of 6896	6792	TQMCenter_64.exe	102
PID 6792 wrote to memory of 6896	6792	TQMCenter_64.exe	102
PID 6416 wrote to memory of 5080	6416	UnityCrashHandler64.exe	106
PID 6416 wrote to memory of 5080	6416	UnityCrashHandler64.exe	106
PID 1076 wrote to memory of 7188	1076	PC-Launcher.exe	107
PID 1076 wrote to memory of 7188	1076	PC-Launcher.exe	107
PID 7188 wrote to memory of 7228	7188	Stormshot.exe	108
PID 7188 wrote to memory of 7228	7188	Stormshot.exe	108
PID 6792 wrote to memory of 7404	6792	TQMCenter_64.exe	109
PID 6792 wrote to memory of 7404	6792	TQMCenter_64.exe	109
PID 7188 wrote to memory of 7576	7188	Stormshot.exe	111
PID 7188 wrote to memory of 7576	7188	Stormshot.exe	111
PID 7576 wrote to memory of 7668	7576	TQMCenter_64.exe	112
PID 7576 wrote to memory of 7668	7576	TQMCenter_64.exe	112
PID 7228 wrote to memory of 8016	7228	UnityCrashHandler64.exe	116
PID 7228 wrote to memory of 8016	7228	UnityCrashHandler64.exe	116
PID 7576 wrote to memory of 8032	7576	TQMCenter_64.exe	117
PID 7576 wrote to memory of 8032	7576	TQMCenter_64.exe	117
PID 1076 wrote to memory of 8088	1076	PC-Launcher.exe	119
PID 1076 wrote to memory of 8088	1076	PC-Launcher.exe	119
PID 8088 wrote to memory of 8124	8088	Stormshot.exe	120
PID 8088 wrote to memory of 8124	8088	Stormshot.exe	120
PID 8088 wrote to memory of 8444	8088	Stormshot.exe	121
PID 8088 wrote to memory of 8444	8088	Stormshot.exe	121
PID 8444 wrote to memory of 8508	8444	TQMCenter_64.exe	122
PID 8444 wrote to memory of 8508	8444	TQMCenter_64.exe	122
PID 8124 wrote to memory of 8812	8124	UnityCrashHandler64.exe	126
PID 8124 wrote to memory of 8812	8124	UnityCrashHandler64.exe	126
PID 8444 wrote to memory of 8852	8444	TQMCenter_64.exe	127
PID 8444 wrote to memory of 8852	8444	TQMCenter_64.exe	127

C:\Users\Admin\AppData\Local\Temp\Stormshot.PC.V1.0_b4bfd35522.exe
"C:\Users\Admin\AppData\Local\Temp\Stormshot.PC.V1.0_b4bfd35522.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Users\Admin\AppData\Local\Temp\st_b4bfd35522.exe
  C:\Users\Admin\AppData\Local\Temp\st_b4bfd35522.exe
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2504
- - F:\FunPlus\Stormshot\Launcher.exe
    "F:\FunPlus\Stormshot\Launcher.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - F:\FunPlus\Stormshot\1.0.0.86\PC-Launcher.exe
      "F:\FunPlus\Stormshot\1.0.0.86\PC-Launcher.exe" --currentPath="F:\FunPlus\Stormshot" --configVersion=1.0.0.86 --launchExe="F:\FunPlus\Stormshot\Launcher.exe"
      4⤵
      Adds Run key to start application
      Enumerates connected drives
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1076
    - - F:\FunPlus\Stormshot\Plugin\7z.21.07\7za.exe
        
        F:\FunPlus\Stormshot\Plugin\7z.21.07\7za.exe x -aoa -bsp2 -bse1 -bso0 F:/FunPlus/Stormshot/download/ngame/st_global_4.6.0_650d35c930e4e44ca05e1f1e9a7b331f.7z -oF:/FunPlus/Stormshot/nGame/4.6.0
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
    - - F:\FunPlus\Stormshot\nGame\4.6.0\Stormshot.exe
        
        "F:/FunPlus/Stormshot/nGame/4.6.0\Stormshot.exe" --index=0 --gameid=2202
        5⤵
        Enumerates VirtualBox registry keys
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Looks for VirtualBox Guest Additions in registry
        Looks for VMWare Tools registry key
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Checks for VirtualBox DLLs, possible anti-VM trick
        Checks system information in the registry
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe
        
        "F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe" --attach 2568 2544921546752
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe
        
        "F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe" "2568" "2544921546752"
        7⤵
        Executes dropped EXE
        
        PID:6316
      - F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\TQMCenter_64.exe
        
        "F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\TQMCenter_64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c rmdir /s /q "F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\stm\"
        7⤵
        
        PID:1380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c rmdir /s /q "F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\stm\"
        7⤵
        
        PID:6600
    - - F:\FunPlus\Stormshot\nGame\4.6.0\Stormshot.exe
        
        "F:/FunPlus/Stormshot/nGame/4.6.0\Stormshot.exe" --index=0 --gameid=2202
        5⤵
        Enumerates VirtualBox registry keys
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Looks for VirtualBox Guest Additions in registry
        Looks for VMWare Tools registry key
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Drops file in System32 directory
        Checks for VirtualBox DLLs, possible anti-VM trick
        Checks system information in the registry
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:6380
      - F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe
        
        "F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe" --attach 6380 2806369882112
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:6416
        
        F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe
        
        "F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe" "6380" "2806369882112"
        7⤵
        Executes dropped EXE
        
        PID:5080
      - F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\TQMCenter_64.exe
        
        "F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\TQMCenter_64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c rmdir /s /q "F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\stm\"
        7⤵
        
        PID:6896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c rmdir /s /q "F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\stm\"
        7⤵
        
        PID:7404
    - - F:\FunPlus\Stormshot\nGame\4.6.0\Stormshot.exe
        
        "F:/FunPlus/Stormshot/nGame/4.6.0\Stormshot.exe" --index=0 --gameid=2202
        5⤵
        Enumerates VirtualBox registry keys
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Looks for VirtualBox Guest Additions in registry
        Looks for VMWare Tools registry key
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Drops file in System32 directory
        Checks for VirtualBox DLLs, possible anti-VM trick
        Checks system information in the registry
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:7188
      - F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe
        
        "F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe" --attach 7188 2374814142464
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:7228
        
        F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe
        
        "F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe" "7188" "2374814142464"
        7⤵
        Executes dropped EXE
        
        PID:8016
      - F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\TQMCenter_64.exe
        
        "F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\TQMCenter_64.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:7576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c rmdir /s /q "F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\stm\"
        7⤵
        
        PID:7668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c rmdir /s /q "F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\stm\"
        7⤵
        
        PID:8032
    - - F:\FunPlus\Stormshot\nGame\4.6.0\Stormshot.exe
        
        "F:/FunPlus/Stormshot/nGame/4.6.0\Stormshot.exe" --index=0 --gameid=2202
        5⤵
        Enumerates VirtualBox registry keys
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Looks for VirtualBox Guest Additions in registry
        Looks for VMWare Tools registry key
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Drops file in System32 directory
        Checks for VirtualBox DLLs, possible anti-VM trick
        Checks system information in the registry
        Drops file in Windows directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:8088
      - F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe
        
        "F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe" --attach 8088 1868719591424
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:8124
        
        F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe
        
        "F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe" "8088" "1868719591424"
        7⤵
        Executes dropped EXE
        
        PID:8812
      - F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\TQMCenter_64.exe
        
        "F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\TQMCenter_64.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:8444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c rmdir /s /q "F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\stm\"
        7⤵
        
        PID:8508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c rmdir /s /q "F:\FunPlus\Stormshot\nGame\4.6.0\tqm64\stm\"
        7⤵
        
        PID:8852

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NeteaseWinDev\isc.dat

Filesize
216B

MD5
66415a736d6e9b8c8a58014821d54d4c

SHA1
d704b942fb74e44e3dee41f9998e5be8a5d3e09d

SHA256
75da2c555299382a571e8ff971c9924d61dfb1213ee74f98d9318d346b00a080

SHA512
87c1afb6f17fef2ae248a30299092f0ea7d938ea8a6364cdd78b3272c1ccf0a90c4dfaa2ea2379db8e27d18fc50aedc12fcbc4f82bdac430a56c45234d1fe1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\st_b4bfd35522.exe

Filesize
38.2MB

MD5
bd8bf063eab9a25e00200d6508af7375

SHA1
8b033d76ad63fd7472e61aeae9d1a6cf0a9de5ca

SHA256
fc5e6c9c2c6eda0b17df21e724a1bcc1cfd07e117db36619536130e9e29c83c1

SHA512
62a06462d3571250c3dafc0eec228a172a37caf6deee1d4af663c3ba1d528fe76a563363b72ba14058a382ac5b1f3534668e15512c2a8c76ae30aac0fb7cfad0

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\PC-Launcher.exe

Filesize
8.9MB

MD5
68fc65b06c3162b1b685303a2b51e675

SHA1
c784b06ffa39e19615326267e3fada16418abfb4

SHA256
75b7a9df79f90954e23ee8d459b4705136838390a9b76ec0482a9335b2016c0e

SHA512
24f1e322a4eb541f1f8aa5eec3582b586d9bc77c1960ae0a6efec7f1a881f53ff7bb5656ac2db2719ca8d55153be98d2c22da967e6c3d9bc07940124433d15ba

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\Qt5Core.dll

Filesize
5.2MB

MD5
ccb1f269d09dae974fe338ac807966f0

SHA1
5bbc886073b68ac54c28e5cd2f81392b532e5c55

SHA256
1cd06fffc17269a864fec6ec8f47bbf8af3f5d1cfa391f173ae63da4c7a7b498

SHA512
2e82eebae0b9c4c7f7168aa89082d51e45c8622ad831c13b1a2219ba22db50dcff9e4846642dbfe8103f18bc8277d35753494be7aaa3791929975d135345f4b8

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\Qt5Gui.dll

Filesize
5.7MB

MD5
00375b48f58242be0aeb9fea5db47a34

SHA1
f5ff390642cf75f562aa43e5041b3ecaeae19e8e

SHA256
b5d8b8997a484f342739e15689b4a29389c1cd99e61d8a2ab208bc5644c1d8a8

SHA512
3aa570d2395019bea0be84523a1c81f9a8bc8ae984066f478aa7ff967fbc241f150bc23b0d9bd727a960b0799d84e1d36d46a7bd8e5ff95b60b24a4cc92130b0

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\Qt5Network.dll

Filesize
1.0MB

MD5
6ac9a28a6fbc7f48e7504f34b5480797

SHA1
348d596e4566cc99cb7b78ba4e9076ba9d8a1d38

SHA256
fc6179c80db2afb79f67b2f0e39ed1739717129ae30b8b81c6155f17ba83c576

SHA512
a3a5da0bce62d5ec48563b93e4faf59e89162afa8f5c01ae23198490b9b202251baa550582d84d83e51187b93ca77b7bb7a3c3ec07950b283f49e16beb6f077a

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\Qt5Qml.dll

Filesize
2.9MB

MD5
2247c7ba00ffd5fb0b8bed697e7e7ab3

SHA1
0977e47d8efb192fd2a05c845e5633109858ea0d

SHA256
61bc4ed1824d6c1327d298a7a788d7ce3d8a2e64dd9e7955fd08088920890642

SHA512
2331e1d1dfb71f1482efd1d5ba4c71e67ca84570e089a020d4cfc9341dc3053bd79a39448ad952b53f9055ca49cbbbd6b0f1d071f96ca5b16a3e3d7fa585949c

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\Qt5QmlModels.dll

Filesize
349KB

MD5
b79193c4770635dbc6d578d4bc24142a

SHA1
83aea1916910f865449a2db90a68e9c1cfd22a1f

SHA256
e488c6ae94e9610f8df22a97732c918f3261c32a897c3c357e6fc8995e94810b

SHA512
37f362fe14dfebacf32cea643a59a059f6e6116c6986516c98681b0314290894c9cfc7571d7ce04dbeab93aad5a869eb7ff586a88f7b30606e1ce05a6cd94a46

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\Qt5Quick.dll

Filesize
3.4MB

MD5
474a9e2de31376e21bce06d9cacef668

SHA1
c3ee8d3008d1daa6cce23d1261ea3f7bf4ab5308

SHA256
82156019afb320612a4b48243b05c7c8477770c83b23af836c7c99563fa26786

SHA512
5c894e47ff3853f1d692e3ab8f773ed70161cb05e497b8cc9412a060366dd7ddb4bc01939671d5ad6853d83c4a7641625d0b4f6eacf40d34401e3f12269773df

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\Qt5QuickWidgets.dll

Filesize
72KB

MD5
a2075c10b993bccd74523823d362a727

SHA1
e2f324e0f29bfa2b4016649aacecb71074e7a835

SHA256
2f3f0142e9b82e5c6d4f84c04578255a957981ee14ac96d76f5b93f0ca1c6769

SHA512
2dfd91deb83fa0ba2115ec8c03cd20515063fcf69a6919e5fa023672251d519664d33e8662670625745f85784445a559133c03a10bc7986859221045bbd07216

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\Qt5Svg.dll

Filesize
264KB

MD5
37265e6e2e85b59f9cc85c9b8fba9074

SHA1
f1db159aeb042fc9aa2d017e67a0a384ee9e5382

SHA256
f4453045b5bb77f14ab3ff2e7a05d6aa49681f3120851ccfb8e33660cd2662da

SHA512
ef9de075a05defcd6812bff34f4d7cbbeb9d7c39d17c213ab120b93410b43415be8bbfab78a4c911ffd2e4361df9efcc9e4b21fd725e8e67e49a87f6764a7579

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\Qt5WebSockets.dll

Filesize
125KB

MD5
aaeac5122ab6a42e8b186ea771a72cc7

SHA1
26194f8d020d332990f33883294eb51bb8472bea

SHA256
41da80ee11c6d9caffa0ec863e61faf665c0ab3fea5add6febf131d2ad45071e

SHA512
f38b8c176f03c47bb7ed7942edfbcff7be20b1e796c5fa62a4fec2e3c7b664de06989699cd50be9c1cbae3501a9ac854870030576f5a4a8cc1cabf19bd73cf21

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\Qt5Widgets.dll

Filesize
4.3MB

MD5
a372a06ef5d5dfaeca77e54597585e03

SHA1
035c5bc89dd0fbe93ce411ebcb808c5fb50cc63d

SHA256
14230cbb6fcabd799c0269723c0f77dc46d4b89789b3d8eba0920ea217548c5a

SHA512
e68a5df0a1a70f0a11127d071dc528dec43a0d7e34ae568b282f3ed888a674b8ae0c80c0714d7f04fdc4a2fe4e820ae4629bf3429be7ab606784d9107b9f8604

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\fpxcore.dll

Filesize
6.6MB

MD5
8082299bc394324885eaadaa880c37f6

SHA1
4512b2441622d56089b12273feeb5ab466391639

SHA256
87434863f2a2f89b672adab0d2ba791fc01ba474b7a6ebbf20b85ae761f6a1c1

SHA512
91389a1b1fd2dd2743d88fb666e1a9d855ab3b73c75215be044daeb001a7dc744a82f3ced013e8def4d8449cd0612ebddd26cc04b555e1d3343773bdc747a10b

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\iconengines\qsvgicon.dll

Filesize
40KB

MD5
34732c85bc4f9bb4a4a2297a0aa20aad

SHA1
7e8d22f248e8d23b208807df1c86db99435afe49

SHA256
79e48711e6bdd497e9efc7c423f34f30d742db0aa04c0febd3b214004526a818

SHA512
3cb974eca119d2f521219c9f8037cd484d116a41ab3c8f2886b2219b75ff16c7accf619ba985645d1a8dc2c32c7acb10b03e3169111e786bd90a18fd69267f17

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\imageformats\qgif.dll

Filesize
38KB

MD5
6f1b578054aadf5e184d9153a0537364

SHA1
136c349a97957f406e45a60247fc1d2bd4296294

SHA256
c0964a239ba5b0b5262ac6ed36d41ba4b8c466d5e8cfc8577f8a061197e6272d

SHA512
28cc8d72e524dfbebc6ae35c150f874c082652cc6bc1d99712d0211219e893d63dfefeed8981dd2ed1097cf217d852c50845355d39691045bf19d53fa171750c

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\imageformats\qicns.dll

Filesize
42KB

MD5
3e887a30afb41edefc0651eed9478942

SHA1
5c132f72c3fb02497d565bfe066d1813e4d1e668

SHA256
af8a95934fddaee350425a26206b732567d6f47e52b33853447382e553df1916

SHA512
e9319e42349b491c9afb0ca72a1696f8af15e2b4bc9db0667057fecfd8b4fc7166c7ac4a0d764cd036c0784b5731b881a3da58d0914469b6e5495168172f8a48

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\imageformats\qico.dll

Filesize
36KB

MD5
3f7d35e556b2223286a9c70869192b20

SHA1
5e520e616170b4efd7f37f1f083b8c1613eedf8e

SHA256
004e88375bdf797c20a1fb83bcc461882155c3ce0bc51ef9f99f89beea11858b

SHA512
2158f0851cb08160e57aaba56e7eb7c6cf9d4e2e8104e2a458b23e8f11b468f1ce8950f45b1c85a777aade8c1ab3b53ba80eda4b101bd0689356d736294d8b18

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\imageformats\qjpeg.dll

Filesize
385KB

MD5
7adbe963467564d0e33335f9208209ab

SHA1
9773b6f12728e3e7b388972b5e44bcdbc5eb6d0b

SHA256
dfe1df3c8e7dec4a2e754f48012ccc18baa59b1332fa908a4cc34d09f260d010

SHA512
38f7e3bb4af8ac34abb779f2fbb64c9f96e9070de6385b2cfb381261ea863705d19ae9cb4a975f14f4b0fa62e9a47e1c3a21dccacd89989edc991f7b04b78d8d

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\imageformats\qpdf.dll

Filesize
33KB

MD5
6ec14154abfab839695ba85ba1d0d675

SHA1
7a6b116c5cb09fc6b2d48c0923395baddd7bbbc5

SHA256
7e05e808865b8633ff507482beefee9da290dbe5741bf12f0dae9eaf6faa0fdf

SHA512
e4bcc00221d9b3b9f1efb73e2e95c8c3fc906dc386cda4a3b486936cf62d2679ac291a0e754456d46d972ced7d906685f7778a3227f513f8cd8d0cc2308aba26

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\imageformats\qsvg.dll

Filesize
32KB

MD5
891c2966d58483c0e4b98dceb37d642a

SHA1
b1dbb83e021994b3ab8f3a3f5f9a7b5c7dfd9a1d

SHA256
236085c82fbbe4cc9a4a96a5744916da729cdfee91e89a8b56b68b0e8b831960

SHA512
1948f2bc9fe207ad2d5c2f23366ade8c27271bf6ca090e67c433c9033bde92852b5524d91d71f07a7277b18c1ecec966b0c5d6c6400dfff94c73969e2a7d0200

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\imageformats\qtga.dll

Filesize
31KB

MD5
015dba45aedc50a3ee5737c6bc7c97b1

SHA1
44545cd8ed24081a68f4524848c716f6c00e8281

SHA256
0adfc1901455be8fa9cfe420b0529c9f7a1fadcee4140ec0441256a1bb2235da

SHA512
66ad7811aba986339a2bd806aca7f5f8b33d2d4140e0cea5619642a3761447a2e8ef260cf06e22daf37df5df573b77b830cec9281065b64778a0bae3b5ac8376

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\imageformats\qtiff.dll

Filesize
356KB

MD5
6742a1c8b9687561ff37f385ac492c30

SHA1
5b9d8f698dc1ec47ab791225707db4af59360efc

SHA256
de742e6d940061f32d2dcaedbeaab6006f55b181db16d08faa66fc6eaf1ba8c2

SHA512
4eb40d887b6250951cb14f68918d3e6133367b246692b4d4eaf4c970d823d1183998280c1113e8453270dee8e94c52bb2ff36a6aed692b5bded3cefa480d64a6

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\imageformats\qwbmp.dll

Filesize
30KB

MD5
9228078a9ab4aa393a99c32b1a399e35

SHA1
6184f51bcfd52e3e14cdc0b595189fc7f89acdb9

SHA256
e45ac8841b5cb23ce1c46c8ca23cee7002ee66c77e6a6c8fde6e3a6a9ced581e

SHA512
f78aafbcc43af9ba9928619d55c1cc6ce3d996122cf9a68a31e9583317cbee31a88d62105eaf21053546b2ab5517761adf3f85e21ab444475b385fc9c52d6817

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\imageformats\qwebp.dll

Filesize
409KB

MD5
1bd1829d0fdd041dec9d50c8c0a77e32

SHA1
728afbad0fcf76395f98a46e1da06c500cdf8472

SHA256
190da7505ed54ad3ad06a274e73f00f26405a043bcac86fc437549dde8070719

SHA512
4dc545b03b9399c57ca01a69cff45d332fbb9da996746d8bf7fd84ec3cefcc45772a35c30a4cdd0f589ecf83910440dcbebd2b05fd7f6361f08004ebbb504eb5

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\msvcp140.dll

Filesize
425KB

MD5
d4e9ae2301232a7599807ae02023187e

SHA1
af68af4f51c1affd0a8c29b3e707642636374583

SHA256
322af358aad037db8136623586e65fedbba3040b355f76ed34e7aa1763b2dc89

SHA512
5fe2cba77f0c285c519142a71cc1e6216b4ad78077aebf1c3f23e84e4b8fcd7f9cb6363668674869e3bd2c56ffd178b2c2d51725ab38e0a2338e5dc15d7d05f8

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\msvcp140_1.dll

Filesize
20KB

MD5
ca7c343e1f6ffdacd0818b9e46ad58a5

SHA1
9731858d1cc5f1c1ca3bb2253df8feb9a912b8f2

SHA256
87428634883461f50ef4dc812273dc8822cf608b32ef6f11bcc61223052c1ae1

SHA512
13602dbd97f41dfb32f9c2cb5fcc263fd2663667374372b4414f64f0f56191419a79e74add3286524710d1b75869933cd21c8d8401ff6df6d711dd8efc8800d9

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\platforms\qwindows.dll

Filesize
1.2MB

MD5
981f9dc4f537012d21aab34071896788

SHA1
58e0c4baf55f1908c6abf8f2b81fa5cab6a5c840

SHA256
334f317e5afd0b9cf05e85ba1c241e57cc84833658c6db04595c0f1accdfe69c

SHA512
d4327a401909fe8b0e9cf561c525a51fbd6e168cf6daf1513653c524b08d0fe12b9b2db588a3398ef1285e993cd3078a9d3770a676a001c61f3f358178266e5d

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\styles\qwindowsvistastyle.dll

Filesize
132KB

MD5
b65e3ef6042684b489d0cb2574b4d144

SHA1
98747aec7f187d03ee2604fca947744efcab0b99

SHA256
9fd317f3da3eee0d53dc78687aad61440dfbc30a0d42169be434731e11f423bb

SHA512
980a7e9a9265c275beeba3469a0e676bb68f0b18ee760b43c0b9ab9856a11cf23175d10b53532299e1f8c1f5b74aaace61352eef398b4307267812a698f0e008

Download Submit
F:\FunPlus\Stormshot\1.0.0.86\vcruntime140.dll

Filesize
76KB

MD5
2cec885177f8e329a314f975806d0e3d

SHA1
942d6525d23833ac51af1fd0cb6c18f0aacc90fa

SHA256
e4989178cb90a65428bcb19b2f1d2c811ab66077b38c0645522d8669b176b99e

SHA512
210d12d8912341e1625bbc603060aaf37ded1fec58fe677b0f92dd5bdc89d1629f29b50f7e95985bda6c7f316790f753dee2305d154ae94f5ee7816886e91fb1

Download Submit
F:\FunPlus\Stormshot\InstallSettings.ini

Filesize
88B

MD5
2598a87cf86f2193ea55f697a01f538b

SHA1
01d22b3dfd75b85209bcf7c3dd2f85d8885e4f65

SHA256
8032fe233a7966f272d181c1de3fae287f0413380c857780d1913869bb2107c1

SHA512
9bda74c426d197c9178425df67e00e610acdc8007c3bc10d14d5211bb4e6e4895d778bb3189610f0dbb090a360a1a2be8a9da97255ffc4f247f7ec1f1b5ff85c

Download Submit
F:\FunPlus\Stormshot\Launcher.exe

Filesize
1.1MB

MD5
3cc6533aa26ae8452322b42fd136edd7

SHA1
8e9fa011161825a533e72a07544b672e68427b6c

SHA256
9a28d78a00f1f70ba166b4e9f35c48bfbc8d136b526416d3584c1d8e4cd5f3e7

SHA512
fa2f2847d54bf139d22007be18dfcdb3be98b0e00022971ea34f5c0e94da4ebc532ad001539e3ed367cd2e079350935b4814500ef6174e81292c8f27b59914eb

Download Submit
F:\FunPlus\Stormshot\Plugin\7z.21.07\7za.exe

Filesize
822KB

MD5
aba4e46f75a9d3768ae26b5027a010df

SHA1
ee1a6bdd029bf4431bd60d5a4a2ed77398adbdb7

SHA256
8efb204d78a28e7f714b9086f7e01b56642a2980c5b646c83b15cc3adcab9163

SHA512
e4ecef5a3a6cd55a62034b392eb0326c52b1661bc6debea81e86b1cd2513269fad9e2253b901e3bda8f4a3b0a2220214ef47e5e20678c1b62b29c3a44a33bdca

Download Submit
F:\FunPlus\Stormshot\config\version.ini

Filesize
16B

MD5
7a2340e9a8e24036260d3d52ce67a947

SHA1
e168de05dfe4df716d65ff409c7d40f147bc3a10

SHA256
2bf19e65a1a9bf35f4e1ee52863f49f7452f5b9a290cc71b1250ec12d2a52931

SHA512
37faeb549558f24759452acdafb8ed41c4ea5b124cec94a65c984ea51ea44886f764b844e9a6fa019bcba2af385140a830e3e5bac3752dabba5864c80fb53223

Download Submit
F:\FunPlus\Stormshot\nGame\4.6.0\MonoBleedingEdge\etc\mono\4.5\Browsers\Compat.browser

Filesize
1KB

MD5
0d831c1264b5b32a39fa347de368fe48

SHA1
187dff516f9448e63ea5078190b3347922c4b3eb

SHA256
8a1082057ac5681dcd4e9c227ed7fb8eb42ac1618963b5de3b65739dd77e2741

SHA512
4b7549eda1f8ed2c4533d056b62ca5030445393f9c6003e5ee47301ff7f44b4bd5022b74d54f571aa890b6e4593c6eded1a881500ac5ba2a720dc0ff280300af

Download Submit
F:\FunPlus\Stormshot\nGame\4.6.0\MonoBleedingEdge\etc\mono\4.5\DefaultWsdlHelpGenerator.aspx

Filesize
59KB

MD5
f7be9f1841ff92f9d4040aed832e0c79

SHA1
b3e4b508aab3cf201c06892713b43ddb0c43b7ae

SHA256
751861040b69ea63a3827507b7c8da9c7f549dc181c1c8af4b7ca78cc97d710a

SHA512
380e97f7c17ee0fdf6177ed65f6e30de662a33a8a727d9f1874e9f26bd573434c3dedd655b47a21b998d32aaa72a0566df37e901fd6c618854039d5e0cbef3f5

Download Submit
F:\FunPlus\Stormshot\nGame\4.6.0\Stormshot_Data\Plugins\x86_64\FPXGame.dll

Filesize
2.5MB

MD5
ed95f00376f3f7ba16044ff1ad91c999

SHA1
d0cdf7727ec62134157b5cc5816199d99ef5fb0f

SHA256
254eb459c7e83bea40ca4017a125bf8197872f8bce96fbf21f67fded7fed5ff4

SHA512
1fd42a00ed49e10372092b04fadc42a5ba6bc8a15105a2c66aa6d29f195fc713a24bd2d4a2d104636de2412cb13069f2dc7750d4224919c8d934a4a7065a4442

Download Submit
F:\FunPlus\Stormshot\nGame\4.6.0\Stormshot_Data\Plugins\x86_64\FPXUI.dll

Filesize
23.9MB

MD5
6ff87913a1d2957485fc7c7a9517cc65

SHA1
49eef8c04aa2fe1fbcaaf8b1b1de68d004b272a9

SHA256
b26d58761ef6db7c658dbd144d93c6489f845edb2402fd543e0ae79584eb3f46

SHA512
ee98a4127b55ee7d90c7c819277fc1b9a728f7f0f1ddcfa03f7731392e2fbe16040aeff6ab7ebbea6a93450127b5ec060f28a8eee62c8ef9ede7f7176e2f8ee4

Download Submit
F:\FunPlus\Stormshot\nGame\4.6.0\Stormshot_Data\persistentDataPath\Audio\static+ST.acf

Filesize
64KB

MD5
730e7040a7ac3d3fbaa19c11a47e48d4

SHA1
9ad7be5c0fb9ed64238cc46b5cc49f16d8975ec6

SHA256
21502c3d7f22acd1c6dff2e8f6d955c5f1ff52215b21a37dd4b805af9a931f81

SHA512
6894dedc082a5315a535911fa3d6f00c0f251b9c7c5f8d96fdab18f0bcbb7ca78299796fa7a785a5de9137ed1862c33021bff8c7fb9282125b88ba5d5da65fff

Download Submit
F:\FunPlus\Stormshot\nGame\4.6.0\Stormshot_Data\persistentDataPath\Language\LoadingLanguage\language_en.bin

Filesize
30KB

MD5
1e8679d19c31248e3057f04cc0ab1186

SHA1
889f7bf471cabf3aef4d4059a6cdaabd8c1e6b67

SHA256
0378f1b680dfdbc80cd936d4ec681c4f655286db29bb54ce4559f0aca08fba80

SHA512
8291fff12e3bc11a68d60b6e7b6341f6e4fd58a913e5575e5a9afe570ab26e9fc4048473bf7ae594b6c8adbb3f5ae88ca9ade299c71b5d511c38a899dd925fa2

Download Submit
F:\FunPlus\Stormshot\nGame\4.6.0\Stormshot_Data\persistentDataPath\condition_group.json

Filesize
35KB

MD5
477e8ff030accf75be570eefc37a6217

SHA1
73f38ed7cedc37d6cd487e8d71a6541acaadbb62

SHA256
1f195390554dc79130906f0a9064b12ee167341dfce2d372162d961d7ad4dac0

SHA512
f846d75cd464aedc30f255bc57eb6938ca3d69c02501dc131053dd156e4f0d042fbccc4a90d27753dee32aa6b9d436615e6bba467201ecdd39c0a6985b5afa49

Download Submit
F:\FunPlus\Stormshot\nGame\4.6.0\Stormshot_Data\persistentDataPath\condition_main.json

Filesize
80KB

MD5
e24bf75cae87097a0742b9c39c0cbc21

SHA1
db117678cad550c05254677202b40a6b7cc9dbf7

SHA256
8affdc835c958054bca009bb9296cad46fd21110c348c9eb4c8b72a6ed8431a9

SHA512
fa0acf2df3c40b94d5d2fbf0c79bdc070eee1affe74e129c6b84e454c91248a0cbabe7fb64f19b219573ec3ac2adb6754f289f5d8a1cabab604eab30f08c8b81

Download Submit
F:\FunPlus\Stormshot\nGame\4.6.0\Stormshot_Data\persistentDataPath\iap_package_excitation_limited_new.json

Filesize
509KB

MD5
d798e1d5a06e62db7870c71169e20679

SHA1
8dbb1e5fc65133d66ec44ab1f78b2e49a66908c7

SHA256
35e0846bc5761aeb304e36da6ad8aee200a657c2342d0433eee3b488414cd0c8

SHA512
22a79905d47f40145d0ccd87cf44194e1f7ca315b562eac9c7a2c0731457a299eddd9a281638008030b009134dfdd0cd4fbccbcbe8278716cfb5d7687f7526af

Download Submit
F:\FunPlus\Stormshot\nGame\4.6.0\TQM64\dump\GbDump.1.240803859.Stormshot.exe.dmp

Filesize
939KB

MD5
bb431afb0d17572560324b4601a40dba

SHA1
aff0e228cd5470393e2573f32d127d1e277196fd

SHA256
e2ca1ed80f992dec92cc669079d92e5aace1aff990b941a3249a402622eb9837

SHA512
6992952cb945a4b0b18db8753c48b0acd7bd7878f4154a3fe26e41d6cee912f95f2276fa9bebea9125c0f1f6ef6e8ae0450b73fda286f7106003dc620c238728

Download Submit
F:\FunPlus\Stormshot\nGame\4.6.0\TQM64\dump\GbDump.1.240829656.Stormshot.exe.dmp

Filesize
828KB

MD5
3ca3c8edbb118539d56adf3aded71b63

SHA1
3590570dba34d070a7047688cd0cbabca38fd8b3

SHA256
ab1f69845a1f87ede368806844285e1f1016be1538aa396a90ad1ecd1e323909

SHA512
9db071a3f49631ea891eaf4674045b454efd07e6620881ee4aeea1f76a1667ea0d97720f2accee36846f0305c0dc4c071c01c75f73df00302cc801b463796ca2

Download Submit
F:\FunPlus\Stormshot\nGame\4.6.0\TQM64\dump\GbDump.1.240852937.Stormshot.exe.dmp

Filesize
1.1MB

MD5
f7e2de060ae3671386a7ce860f586131

SHA1
497bbf59f1a8a49e0382a6a89fa0ec00c401e35e

SHA256
5b838ce1a212a2f2ac2e33116d519b4939d6d1dc14f9d824a6f76e89d8c5b9b8

SHA512
fa60ed86eda7a9e81551cdab8d3fce26b804544b7720857df81d431260e2530636e17ae6ba8335b8f55b735ee521b007c3151ffc2000dab33592dda9908640ee

Download Submit
F:\FunPlus\Stormshot\nGame\4.6.0\TQM64\dump\GbDump.1.240879656.Stormshot.exe.dmp

Filesize
837KB

MD5
85def86da7e8f26136b99c9708bcfec8

SHA1
f3f8088af1eba0e7fdb1bf4b62e97b939e770ad9

SHA256
c33a35999c255c9c6b623009d4e38fa71174170fd672210cc3a5c001614c3a29

SHA512
c2673573f57b47a3da44ae347f4681b4edbf4dcbe0447fcc390e387bda49a483e48a71b69d81911637ea2c39f897272852622148c9bf3628f09f9984e3138563

Download Submit
F:\FunPlus\Stormshot\nGame\4.6.0\UnityCrashHandler64.exe

Filesize
1.1MB

MD5
fe6ad13e451a75c0b1e8560b229298cf

SHA1
a9eaf0b78533c0b8e9324b6f59c59f07c781d499

SHA256
fb13e2cae71c7713c70d4851e277e3d8103638f4fd4356168634d458f647d624

SHA512
5c324fd38c362aee0c1ea5b6d3128756db2cf83cb2d278b3f578ff5529c8848e455efdfc739a7f2b8f5d8c0605dbe61bb47367cb2618811998e8ac5399b714af

Download Submit
F:\FunPlus\Stormshot\prefs\st_global_setting.ini

Filesize
1KB

MD5
8c989a70b868e67878454bc6df23baf0

SHA1
f9711dc7d0ddb1a842d537e4e626ceb8227b18f3

SHA256
2223ea6905d3af8056ece4b0db0b57a5be0a34f2ce55a276701895339cee00f5

SHA512
56cc851dfdbb7440d5eae2e1e6e064da0eacd7fa470081b6e6a6ed48a15737a4029549e444bdc8c97ed63a0e1ea7283348db169d49db97a0a750ef086d369513

Download Submit
F:\FunPlus\Stormshot\prefs\st_global_setting.ini.lock

Filesize
64B

MD5
83af45ad59f3bb25f589589733c3d29e

SHA1
fa41b78eef1aa39799917faa23892e47c6cbd156

SHA256
62695b89aff557d3d532128f475a551754ce48278f12cf95f5e3ad53c03f04fe

SHA512
24853da11168f98183ac35a14f86e8c7001431ff577388a508e72cc7927140ba05c764100b250048bcd26ecadb2f23f0a785402a12de566ef1a7b1d3c3d70806

Download Submit
F:\FunPlus\Stormshot\uninstall.exe

Filesize
1.6MB

MD5
0a9e40cb44b570ae4de1612a6baeace5

SHA1
5d2229f0de79e4f9cc6da9275e257b788e19003c

SHA256
8a084438f025e8bf9a81902dd3f12ab37ab8912df4ef6322db078d4dfcd45e54

SHA512
3bd0daf44fe35485e220d8ba79419c7650ea45cf7cf87605bdef597d40554ecff05a2f98e8b4d3ffcbe20da187e80d9abd96cf763ac87290046c2d26af096422

Download Submit
memory/1076-698-0x0000000006DE0000-0x0000000007220000-memory.dmp

Filesize
4.2MB

Download
memory/1076-700-0x0000000007220000-0x0000000007420000-memory.dmp

Filesize
2.0MB

Download
memory/2568-5753-0x00007FFCBB1A0000-0x00007FFCBB1B0000-memory.dmp

Filesize
64KB

Download
memory/2568-5766-0x00007FFCBB1A0000-0x00007FFCBB1B0000-memory.dmp

Filesize
64KB

Download
memory/2568-5767-0x00007FFCBB1A0000-0x00007FFCBB1B0000-memory.dmp

Filesize
64KB

Download
memory/2568-5768-0x00007FFCBB1A0000-0x00007FFCBB1B0000-memory.dmp

Filesize
64KB

Download
memory/2568-9430-0x00007FF655FF0000-0x00007FF6560E3000-memory.dmp

Filesize
972KB

Download
memory/2568-5801-0x00007FFCBB1A0000-0x00007FFCBB1B0000-memory.dmp

Filesize
64KB

Download
memory/2568-5755-0x00007FFCBB1A0000-0x00007FFCBB1B0000-memory.dmp

Filesize
64KB

Download
memory/2568-5752-0x00007FF655FF0000-0x00007FF6560E3000-memory.dmp

Filesize
972KB

Download
memory/2568-5754-0x00007FFCBB1A0000-0x00007FFCBB1B0000-memory.dmp

Filesize
64KB

Download
memory/6380-9435-0x00007FF655FF0000-0x00007FF6560E3000-memory.dmp

Filesize
972KB

Download
memory/6380-9441-0x00007FFCBB1A0000-0x00007FFCBB1B0000-memory.dmp

Filesize
64KB

Download
memory/6380-9440-0x00007FFCBB1A0000-0x00007FFCBB1B0000-memory.dmp

Filesize
64KB

Download
memory/6380-9442-0x00007FFCBB1A0000-0x00007FFCBB1B0000-memory.dmp

Filesize
64KB

Download
memory/6380-9467-0x00007FF655FF0000-0x00007FF6560E3000-memory.dmp

Filesize
972KB

Download
memory/6380-9436-0x00007FFCBB1A0000-0x00007FFCBB1B0000-memory.dmp

Filesize
64KB

Download
memory/6380-9437-0x00007FFCBB1A0000-0x00007FFCBB1B0000-memory.dmp

Filesize
64KB

Download
memory/6380-9438-0x00007FFCBB1A0000-0x00007FFCBB1B0000-memory.dmp

Filesize
64KB

Download
memory/7188-9472-0x00007FF655FF0000-0x00007FF6560E3000-memory.dmp

Filesize
972KB

Download
memory/7188-9480-0x00007FFCBB1A0000-0x00007FFCBB1B0000-memory.dmp

Filesize
64KB

Download
memory/7188-9505-0x00007FF655FF0000-0x00007FF6560E3000-memory.dmp

Filesize
972KB

Download
memory/8088-9510-0x00007FF655FF0000-0x00007FF6560E3000-memory.dmp

Filesize
972KB

Download
memory/8088-9543-0x00007FF655FF0000-0x00007FF6560E3000-memory.dmp

Filesize
972KB

Download