6089250f3735c55649b570d08192bab37c741237f00dc34f6781ef9cdf7d7280

Analysis

max time kernel
151s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2023 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

12.3MB
MD5

cc54288aa36779380bcd0fddbfc7d79b
SHA1

59b8d83a7b7a3bd6cdabdc3ced7ae458aa00476f
SHA256

6089250f3735c55649b570d08192bab37c741237f00dc34f6781ef9cdf7d7280
SHA512

83242718d8d47b503fadc53266599f701734c550eb0493e18ebf71d63e5d433e5e412e225bdb3561acc516f81099a02ebf0332db30716d7d629c7a909204e732
SSDEEP

196608:M+xO/x34KJpucfd1F9tgzs31HGz7A2Nq5H5KOELL9ZGs21BNldISR5vlfl+hs68B:M+xOW0d1NEi1HGzESqREXKsaBfiSPUbg

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/636-133-0x0000000000170000-0x00000000027AC000-memory.dmp	upx
behavioral2/memory/636-231-0x0000000000170000-0x00000000027AC000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	GameCenter.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
2184	GameCenter.exe

Loads dropped DLL 7 IoCs

pid	Process
2184	GameCenter.exe
2184	GameCenter.exe
2184	GameCenter.exe
2184	GameCenter.exe
2184	GameCenter.exe
2184	GameCenter.exe
2184	GameCenter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tmp.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\GameCenter\GameCenter.ini:Tamper	tmp.exe
File opened for modification	C:\Users\Admin\AppData\Local\GameCenter\GameCenter.ini:Tamper	GameCenter.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
636	tmp.exe
636	tmp.exe
2184	GameCenter.exe
2184	GameCenter.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2184	GameCenter.exe
2184	GameCenter.exe
2184	GameCenter.exe
2184	GameCenter.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2184	GameCenter.exe
2184	GameCenter.exe
2184	GameCenter.exe
2184	GameCenter.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 2184	636	tmp.exe	85
PID 636 wrote to memory of 2184	636	tmp.exe	85
PID 636 wrote to memory of 2184	636	tmp.exe	85

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636
- C:\Users\Admin\AppData\Local\GameCenter\GameCenter.exe
  "C:\Users\Admin\AppData\Local\GameCenter\GameCenter.exe" -startedbysetup "installer=C:\Users\Admin\AppData\Local\Temp\tmp.exe" game=13.0 -removeifinstallcanceled
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GameCenter\7zxa.dll

Filesize
160KB

MD5
c6c778752b11c3e443c97c55e60720e8

SHA1
57b29fb5760885e1594a5e97eccf18017cbbf604

SHA256
863f6bf4f51e08a4604a4e175781b35c251bb204f479eac58af0db11c7f019a2

SHA512
8ef6ea70f0b3ff65ef2cac3668487f1fc121fdb945d10919db187e95ad22e5098b5357fbfa77caee5ce2394fa707c8c79e80703aad9937a93d8cf9a5a46a413c

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\7zxa.dll

Filesize
160KB

MD5
c6c778752b11c3e443c97c55e60720e8

SHA1
57b29fb5760885e1594a5e97eccf18017cbbf604

SHA256
863f6bf4f51e08a4604a4e175781b35c251bb204f479eac58af0db11c7f019a2

SHA512
8ef6ea70f0b3ff65ef2cac3668487f1fc121fdb945d10919db187e95ad22e5098b5357fbfa77caee5ce2394fa707c8c79e80703aad9937a93d8cf9a5a46a413c

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\BigUp2.dll

Filesize
2.5MB

MD5
1f90a97426a6353d124592cfebb20404

SHA1
f1fd6d676a03d86085503027da398df38e63ef32

SHA256
492e84682b9de47df5d3711361e46884155b8af4ea30da49f8581ea948f99c15

SHA512
1d4dfd7418508710ae31783023b1dfc6ec553a08502c07f26a5d482ebb116a3dd8eef15da60ae2d8ee812d1e3a8164201e938ba5eb92621d51ec258af720134a

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\GameCenter.exe

Filesize
11.4MB

MD5
8108bbe3fdcf56b35992815dfb484695

SHA1
beeb8fd3b4b2915a65e943dbf41d3c6f3da48352

SHA256
a058036b6d4d2bb3821884e0298f6f21d3017f4ede5542b9b00d98a81346ee16

SHA512
2e07e13d90ab54716e35eb91789c4ea1602cbc761c418c1f0d8b419e5cdb4d9cec49560dce0531cc1c293d29200eaacece8bed6c01f169c8c84e682f45a6d486

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\GameCenter.exe

Filesize
11.4MB

MD5
8108bbe3fdcf56b35992815dfb484695

SHA1
beeb8fd3b4b2915a65e943dbf41d3c6f3da48352

SHA256
a058036b6d4d2bb3821884e0298f6f21d3017f4ede5542b9b00d98a81346ee16

SHA512
2e07e13d90ab54716e35eb91789c4ea1602cbc761c418c1f0d8b419e5cdb4d9cec49560dce0531cc1c293d29200eaacece8bed6c01f169c8c84e682f45a6d486

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\GameCenter.exe

Filesize
11.4MB

MD5
8108bbe3fdcf56b35992815dfb484695

SHA1
beeb8fd3b4b2915a65e943dbf41d3c6f3da48352

SHA256
a058036b6d4d2bb3821884e0298f6f21d3017f4ede5542b9b00d98a81346ee16

SHA512
2e07e13d90ab54716e35eb91789c4ea1602cbc761c418c1f0d8b419e5cdb4d9cec49560dce0531cc1c293d29200eaacece8bed6c01f169c8c84e682f45a6d486

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\GameCenter.ini

Filesize
452B

MD5
c5b03bb928e9788edb03d24d230a9d9d

SHA1
9cf7b0ab2fe06bcd16cef96fe6b0551662bd2e7d

SHA256
df36b309d6910fcd2eaa33573ae6c0b150c2971c499a035e707cf2f6e55be45c

SHA512
9695a1ef32a94b3a317f6da273fd67d0ae51de66a80546ae1bcc76447a03eeb750550551846663c0dfe9438dd693a286464a9a0bf908a8a78d11990748e182be

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\LightUpdate.dll

Filesize
250KB

MD5
f1ec86626e9368c58019c055e5834ffa

SHA1
0c04d92a8c2dd8bd4d556fdb89f0f2f4c5e2a5ea

SHA256
a4e5081a86abc8a82b6157e5a54fe76669159f70c8056d51c09c9ffb87eb97c6

SHA512
245811e56e8e1f1e79edf9fee8ccff0ab67210cef8ce806ddb6aa90a8ab19ba29bfc946ef357a5c68e44dbbc7478c5541ec7919880c87bb3b7144657e541f3a0

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\SkiAcc.dll

Filesize
4.3MB

MD5
d7b871149b27daab5b660d1346bfe7d3

SHA1
68abca52d6b1213be8af1c5ed938985f0aea89e5

SHA256
61c65da2663ec3dc358ce33b1ce80305a40db8b017c5ed337541de133f1c96e4

SHA512
f90762917df27b0c797f26e2a4eb13af7e1ead57f66c2bd2400a91457f86f1571ef1214a5a323d8b537aee7fe559fb3c006d25ed57754a6c9de863ceef0a85c1

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\SkiAcc.dll

Filesize
4.3MB

MD5
d7b871149b27daab5b660d1346bfe7d3

SHA1
68abca52d6b1213be8af1c5ed938985f0aea89e5

SHA256
61c65da2663ec3dc358ce33b1ce80305a40db8b017c5ed337541de133f1c96e4

SHA512
f90762917df27b0c797f26e2a4eb13af7e1ead57f66c2bd2400a91457f86f1571ef1214a5a323d8b537aee7fe559fb3c006d25ed57754a6c9de863ceef0a85c1

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\bigup2.dll

Filesize
2.5MB

MD5
1f90a97426a6353d124592cfebb20404

SHA1
f1fd6d676a03d86085503027da398df38e63ef32

SHA256
492e84682b9de47df5d3711361e46884155b8af4ea30da49f8581ea948f99c15

SHA512
1d4dfd7418508710ae31783023b1dfc6ec553a08502c07f26a5d482ebb116a3dd8eef15da60ae2d8ee812d1e3a8164201e938ba5eb92621d51ec258af720134a

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\icudtl.dat

Filesize
10.0MB

MD5
3f019441588332ac8b79a3a3901a5449

SHA1
c8930e95b78deef5b7730102acd39f03965d479a

SHA256
594637e10b8f5c97157413528f0cbf5bc65b4ab9e79f5fa34fe268092655ec57

SHA512
ee083ae5e93e70d5bbebe36ec482aa75c47d908df487a43db2b55ddd6b55c291606649175cf7907d6ab64fc81ead7275ec56e3193b631f8f78b10d2c775fd1a9

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\libcurl.dll

Filesize
678KB

MD5
1d32f187d88634a9a50c52f7bf247f66

SHA1
7f27d63d083fd67e9ae0b14a04b4808e03981b19

SHA256
7ba503c6300f27af7d236cbf2cba2a81401b0a9fe363a36b6de7dc662741d1fb

SHA512
86248280c72deb2fd843ebacc19526521ddd3eda2ffeba194fd76a410a5b048e3cc80d7f53edc77c37c11f689f6624507040c8f7002a27c54675fd51cf2fd2f3

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\libcurl.dll

Filesize
678KB

MD5
1d32f187d88634a9a50c52f7bf247f66

SHA1
7f27d63d083fd67e9ae0b14a04b4808e03981b19

SHA256
7ba503c6300f27af7d236cbf2cba2a81401b0a9fe363a36b6de7dc662741d1fb

SHA512
86248280c72deb2fd843ebacc19526521ddd3eda2ffeba194fd76a410a5b048e3cc80d7f53edc77c37c11f689f6624507040c8f7002a27c54675fd51cf2fd2f3

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\lightupdate.dll

Filesize
250KB

MD5
f1ec86626e9368c58019c055e5834ffa

SHA1
0c04d92a8c2dd8bd4d556fdb89f0f2f4c5e2a5ea

SHA256
a4e5081a86abc8a82b6157e5a54fe76669159f70c8056d51c09c9ffb87eb97c6

SHA512
245811e56e8e1f1e79edf9fee8ccff0ab67210cef8ce806ddb6aa90a8ab19ba29bfc946ef357a5c68e44dbbc7478c5541ec7919880c87bb3b7144657e541f3a0

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\main.log

Filesize
1KB

MD5
5a52e470f2eb389a2b9cb16f637cd504

SHA1
0da845a6098054a52a61cf51ae40c81df0c04b6c

SHA256
dd7b2aca0184bcc38c44ff863988ab5464f36c7b52a9f3cb5d7b9b48a7fe297f

SHA512
3e6becc505c1da0f51779df2aa2420937380b80dcf037156949dfe792e7ec8d439b13d3f9b882047356e65fd4692322ea878a4985c107824896f3cfd72078e90

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\main.log

Filesize
1KB

MD5
594ab3e9983d060cb13a45255dbf3a2e

SHA1
daf6e0b2eacfa8fa60ad6cc0f7623a1e380dccc4

SHA256
693659ef769472d788ba5c6b3860f00a777f667b4b7df26701e7c17258a67246

SHA512
c66efd70569741d14ae1a6df485f30ab95a3010ac9e1dc8bc3ac599c6d50dcd0ba8d4efe8fe57f9434529d230d38513fc1005ec61a7966f8e9070cc6fb994f2c

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\preinstall.brs

Filesize
95KB

MD5
16af6b2b224214b30426482faae6c036

SHA1
2c9b677aa8f0c269be5536e84c9446936502113e

SHA256
55aeaff5b49389444b197a9b740944ce57ecf321f56225e11227ab49acad983a

SHA512
3354926355cb40c57e8e43acbb5d81fa93fecfd738524d384d9139bb10041f047b6edd69f28180fe8f0984acd9851906c8d033876e195960fb3497ad672ebadb

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\pxd.dll

Filesize
81KB

MD5
67245252b3545085d69ecfb878d7e0ae

SHA1
d2b4464f2c8d1e5bc9085a5016a8316241f13c23

SHA256
43fc9d41a43f67304f00aa95540e3854f3ad31c4ad30ea99f04e41ef9fc318a0

SHA512
c4c6f418101fd6ef0690c73276b3ace7317c1a3af9cdcd401028cb64f37979151aaccf5e33e671aecd62019e51f334b84d1e40bdd17018b2655f944c11f3f3e1

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\pxd.dll

Filesize
81KB

MD5
67245252b3545085d69ecfb878d7e0ae

SHA1
d2b4464f2c8d1e5bc9085a5016a8316241f13c23

SHA256
43fc9d41a43f67304f00aa95540e3854f3ad31c4ad30ea99f04e41ef9fc318a0

SHA512
c4c6f418101fd6ef0690c73276b3ace7317c1a3af9cdcd401028cb64f37979151aaccf5e33e671aecd62019e51f334b84d1e40bdd17018b2655f944c11f3f3e1

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\zlib1.dll

Filesize
141KB

MD5
96a7bd8901a727706aefeffcbad16604

SHA1
8441e01ad740fb28590effbd0b3136626fce55d5

SHA256
b3d9ec3c9854504d16acfb40396b9ad014c6552a9c460a07a9e895e8d2da9caf

SHA512
e18b508c41ec19b024e8cd03ff9d6070a8fbe79d19ea99c3e633b25ad3a8230da8a2ed8382cbfe1e7e12f5774ae78c260592a2935da203bf7649d156dce5b767

Download Submit
C:\Users\Admin\AppData\Local\GameCenter\zlib1.dll

Filesize
141KB

MD5
96a7bd8901a727706aefeffcbad16604

SHA1
8441e01ad740fb28590effbd0b3136626fce55d5

SHA256
b3d9ec3c9854504d16acfb40396b9ad014c6552a9c460a07a9e895e8d2da9caf

SHA512
e18b508c41ec19b024e8cd03ff9d6070a8fbe79d19ea99c3e633b25ad3a8230da8a2ed8382cbfe1e7e12f5774ae78c260592a2935da203bf7649d156dce5b767

Download Submit
memory/636-133-0x0000000000170000-0x00000000027AC000-memory.dmp

Filesize
38.2MB

Download
memory/636-231-0x0000000000170000-0x00000000027AC000-memory.dmp

Filesize
38.2MB

Download
memory/2184-200-0x000000006FBF0000-0x000000006FC00000-memory.dmp

Filesize
64KB

Download
memory/2184-197-0x000000006FBF0000-0x000000006FC00000-memory.dmp

Filesize
64KB

Download
memory/2184-239-0x0000000001A90000-0x0000000001A91000-memory.dmp

Filesize
4KB

Download
memory/2184-240-0x00000000002F0000-0x0000000000E7A000-memory.dmp

Filesize
11.5MB

Download
memory/2184-241-0x00000000002F0000-0x0000000000E7A000-memory.dmp

Filesize
11.5MB

Download
memory/2184-244-0x00000000002F0000-0x0000000000E7A000-memory.dmp

Filesize
11.5MB

Download