e9ece01a6eca9300135fb86e026d112f3a225ab7f7dc7ee3b84db5a7a09c6255

Analysis

max time kernel
139s
max time network
155s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
22-11-2023 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mal.exe
Size

749KB
MD5

c56344077a831944c8af79be448c687c
SHA1

bbebd8e987007a6f69b00cef76db759276fde555
SHA256

e52ab8300f63f4267db1d512b6900999debede4c275cfec023a7ff2270d61dac
SHA512

bbb383d777e9d8775108d62094f244c30818cb4c9826809c5fbbf99892108b67a1ec12068ae3e92ce8ca81da0a51758d384f1f5f3f6e95d810d1512a9d78cebb
SSDEEP

6144:sZY2J9yM8RQtfzMmqyjRY2J9yM8RQtvzfTqyjM97:S9yMiY7Rpn9yMiYrLpe7

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

handle64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS handle64.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	handle64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

handle64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	handle64.exe

Executes dropped EXE 4 IoCs

Processes:

GameLauncherUpgrader.exeGameLauncher.exehandle64.exexdelta3.0.11.exe

pid process

2244 GameLauncherUpgrader.exe
2644 GameLauncher.exe
2232 handle64.exe
3008 xdelta3.0.11.exe
Loads dropped DLL 7 IoCs

Processes:

GameLauncher.exe

pid process

2644 GameLauncher.exe
2644 GameLauncher.exe
2644 GameLauncher.exe
1080
2644 GameLauncher.exe
2644 GameLauncher.exe
796
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2244	GameLauncherUpgrader.exe
2644	GameLauncher.exe
2232	handle64.exe
3008	xdelta3.0.11.exe

pid	process
2644	GameLauncher.exe
2644	GameLauncher.exe
2644	GameLauncher.exe
1080
2644	GameLauncher.exe
2644	GameLauncher.exe
796

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

handle64.exe

description	ioc	process
File opened (read-only)	\??\Q:	handle64.exe
File opened (read-only)	\??\S:	handle64.exe
File opened (read-only)	\??\W:	handle64.exe
File opened (read-only)	\??\B:	handle64.exe
File opened (read-only)	\??\H:	handle64.exe
File opened (read-only)	\??\K:	handle64.exe
File opened (read-only)	\??\L:	handle64.exe
File opened (read-only)	\??\M:	handle64.exe
File opened (read-only)	\??\U:	handle64.exe
File opened (read-only)	\??\V:	handle64.exe
File opened (read-only)	\??\A:	handle64.exe
File opened (read-only)	\??\G:	handle64.exe
File opened (read-only)	\??\J:	handle64.exe
File opened (read-only)	\??\N:	handle64.exe
File opened (read-only)	\??\O:	handle64.exe
File opened (read-only)	\??\X:	handle64.exe
File opened (read-only)	\??\Y:	handle64.exe
File opened (read-only)	\??\Z:	handle64.exe
File opened (read-only)	\??\E:	handle64.exe
File opened (read-only)	\??\I:	handle64.exe
File opened (read-only)	\??\P:	handle64.exe
File opened (read-only)	\??\R:	handle64.exe
File opened (read-only)	\??\T:	handle64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

GameLauncher.exemal.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	GameLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	GameLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	GameLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	GameLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	mal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	GameLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	GameLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	mal.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	GameLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	GameLauncher.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

mal.exeGameLauncherUpgrader.exeGameLauncher.exehandle64.exe

pid	process
2952	mal.exe
2244	GameLauncherUpgrader.exe
2244	GameLauncherUpgrader.exe
2244	GameLauncherUpgrader.exe
2644	GameLauncher.exe
2232	handle64.exe
2232	handle64.exe
2232	handle64.exe
2644	GameLauncher.exe
2644	GameLauncher.exe
2644	GameLauncher.exe
2644	GameLauncher.exe
2644	GameLauncher.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

handle64.exe

pid process

2232 handle64.exe

pid	process
2232	handle64.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

mal.exeGameLauncherUpgrader.exeGameLauncher.exehandle64.exe

description	pid	process
Token: SeDebugPrivilege	2952	mal.exe
Token: SeDebugPrivilege	2244	GameLauncherUpgrader.exe
Token: SeDebugPrivilege	2644	GameLauncher.exe
Token: SeDebugPrivilege	2232	handle64.exe
Token: SeLoadDriverPrivilege	2232	handle64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

GameLauncher.exe

pid process

2644 GameLauncher.exe

pid	process
2644	GameLauncher.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

mal.exeGameLauncherUpgrader.exeGameLauncher.exe

description	pid	process	target process
PID 2952 wrote to memory of 2244	2952	mal.exe	GameLauncherUpgrader.exe
PID 2952 wrote to memory of 2244	2952	mal.exe	GameLauncherUpgrader.exe
PID 2952 wrote to memory of 2244	2952	mal.exe	GameLauncherUpgrader.exe
PID 2244 wrote to memory of 2644	2244	GameLauncherUpgrader.exe	GameLauncher.exe
PID 2244 wrote to memory of 2644	2244	GameLauncherUpgrader.exe	GameLauncher.exe
PID 2244 wrote to memory of 2644	2244	GameLauncherUpgrader.exe	GameLauncher.exe
PID 2644 wrote to memory of 2232	2644	GameLauncher.exe	handle64.exe
PID 2644 wrote to memory of 2232	2644	GameLauncher.exe	handle64.exe
PID 2644 wrote to memory of 2232	2644	GameLauncher.exe	handle64.exe
PID 2644 wrote to memory of 3008	2644	GameLauncher.exe	xdelta3.0.11.exe
PID 2644 wrote to memory of 3008	2644	GameLauncher.exe	xdelta3.0.11.exe
PID 2644 wrote to memory of 3008	2644	GameLauncher.exe	xdelta3.0.11.exe

C:\Users\Admin\AppData\Local\Temp\mal.exe
"C:\Users\Admin\AppData\Local\Temp\mal.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Local\Temp\GameLauncherUpgrader.exe
"C:\Users\Admin\AppData\Local\Temp\GameLauncherUpgrader.exe" yimingjingren
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\GameLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\GameLauncher.exe" yimingjingren
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\handle64.exe
"C:\Users\Admin\AppData\Local\Temp\handle64.exe" "C:\Users\Admin\AppData\Local\Temp\content" /accepteula
4⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exe
"C:\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exe" -f -v -d -B 2147483648 -s .\content\_package\client\c1078262835_0.pkg.temp .\patch\974f75257c85ee522e33425109b3b0f0to5050c4a04bd6290d99350dfe603c481b.patch11 .\content\_package\client\c1078262835_0.pkg.temp.temp
4⤵
- Executes dropped EXE
PID:3008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
14c845e2135242b392eee1a297156341

SHA1
e21042c2c100852fe72e2ef4afdc9e9abfce4b3e

SHA256
3fd5dd3bdcb961afb5c9524cd3d9e5bac2701a21d7de0680b1b0f8c382731908

SHA512
f991c07612ad4468e23647b616d99876f389c3092f1df4b2233215ac2ddeec49ca7eae98229b8d977d2ad0550253ffe76570a509e49fb903bd023e07b85305ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f0639a0a299d0a5fbaabf674972b3ac9

SHA1
c146739f144b67025b1bcc107ed744164bd6ad66

SHA256
6452ca340d090e65642e89330c0e4cb6194aaf410f11b5df1914030f55523197

SHA512
df2144b39dd5211101a5f9ebfd0d347d4b3e4899ce0e96bfb8e16b476ce793c81044eafebbeaff8eedd5c6741d1c107908a325929b658c77f0e2ec67d7170354

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
acb805ffa49b3d13ba0feae3a32d0812

SHA1
7b8c49defec9fc839510960b909d7cac2f1f5f93

SHA256
176dd5f8ebb68edc984414307c7964ace201664656cac98f6427499a4c68eb78

SHA512
f27e7447c31b71e3e71f4f23ed022de95980b6f940005306c90eeb870870e2bb15e122d41d306c30c5206247c6b629c6ab4880e75ee832c0839bc08ae0457898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e089746b5859c761052aaf4535e157de

SHA1
3686fc7992532b4781e59a2e9ec148ca193a81b9

SHA256
cc42df01dbd0ba9f0fe84bfeaf553d95228ab7decfc5fadfa2bdd8a2bf54fa45

SHA512
923ac7c79132dfe812cb77aeecc41960813914a520f3f3c6f315082b7453955b01b609115763185860f80394127e34264263d8b3af74d4d2ab9d4a7db16f518c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fe23b4e3aafcb7902c979a14840dceb2

SHA1
fcf9df2fdc77f36e0e0b4cffbfb07c04ba0b06fe

SHA256
c1883be68823ca08778de6a99f494f37c023a71e4c16ffc9f5358525a025a722

SHA512
119134ed084d7c2537545258fa3e3827822862374e193b784174c4e1fd3c216d78422640d66c2681b88ced3ac629c91b2d3ba34f69842c586a22584fbd1e2b49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d60d631382262649794c7b1782feea7d

SHA1
7f511fa7e1e260952965068dc27ca4ab61bf7f22

SHA256
6279397ed707103d99ee3327da4738a7eade299208280b77c354222ec14c145d

SHA512
aa8c4c08317327a4ed2d9561efce9aa7eb4c4609a45679a61442af9b3c3ab8e99647c97e061cbc32ff64eab041f9c2f6af212e1104a18d8d3e51bd62a0e0953f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
815f905c5a0246e91246d59367ec2765

SHA1
9b1907b7253e0196810b165d5ca3a06f6e16edc8

SHA256
c1f6392eb2867306548cb4df60f639e8a994a3604cb5fa748f0e67ce38b07d93

SHA512
fa920930f8003b2c8690317f2e3c67a0ea250d89277f5b3adba83ccb10025a7182dc917d293d6bd90904b6f1743b1a4f46889c8538caaf223ad22a5f0d1d9089

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
81bbecd09d026afb4fc09cefc658d937

SHA1
4d5ad4f4d6d146d16c8a5e49e283099488eb5dba

SHA256
8e4196c1a0ae6b87e5639ce7a678a91147705e5410413e0a3d3546f7d65d5b1b

SHA512
404b0828ee3063214f22ed8cd4fa4734191b78323f5e7e0bd362863d9c848b217993950ff1fabb78f565b0a52cd73176a10ccc61c7f92389c5714d56c87f8979

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fb3d4367c9845fcdb12594f1b3e5d59f

SHA1
2c270c3ddce843fe1424d1f4648911bd302765f1

SHA256
3bf6aa7fa999db0492a8525911aba9ebf2219edf265ae3a323e6d2fd37d8adc8

SHA512
105f5de239e054e94abbe92998e02b64118d8058a88a36acb4a4e77a37af3f73afecadb30c326370866faaa68d57570d956dceb999cc901525681bf8860c7e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab874B.tmp
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GameLauncher.exe
Filesize
10.5MB

MD5
cc11d5077423e1d75329caf14b54f111

SHA1
2ca5d2bd31d428e2e1480c2e5ee659debfe73935

SHA256
366118314ded7b6366e073efb9195fbe080f76566bee4029f62deea842553b1a

SHA512
38e9af869b24bec0d17dd45d7a6709f0f16719d609f193217aeb6b3bacdd8d5c0e27b9694ef402c4715a47a432d84bf2055d425c0725e166ef395f0f55367200

Download Submit
C:\Users\Admin\AppData\Local\Temp\GameLauncher.exe
Filesize
10.5MB

MD5
cc11d5077423e1d75329caf14b54f111

SHA1
2ca5d2bd31d428e2e1480c2e5ee659debfe73935

SHA256
366118314ded7b6366e073efb9195fbe080f76566bee4029f62deea842553b1a

SHA512
38e9af869b24bec0d17dd45d7a6709f0f16719d609f193217aeb6b3bacdd8d5c0e27b9694ef402c4715a47a432d84bf2055d425c0725e166ef395f0f55367200

Download Submit
C:\Users\Admin\AppData\Local\Temp\GameLauncherUpgrader.exe
Filesize
89KB

MD5
54095ffb02093dc9c684554e12637181

SHA1
336c56d38b90a5dddcf479a2e15118a2ccf5734c

SHA256
b468ce780c976c2f2bc01c3dfb5c69efbef93285a54c2a5bc7b7b2ddcdf85db1

SHA512
6290460359f8f9ccd709d7d886cb32930656ba77499e8c79a58ac5ae7cc610e6dee0eb59e1ec34a791f5e8d1f08f92bdd8f2c3190d2eed4638b002d571d7ecc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GameLauncherUpgrader.exe
Filesize
89KB

MD5
54095ffb02093dc9c684554e12637181

SHA1
336c56d38b90a5dddcf479a2e15118a2ccf5734c

SHA256
b468ce780c976c2f2bc01c3dfb5c69efbef93285a54c2a5bc7b7b2ddcdf85db1

SHA512
6290460359f8f9ccd709d7d886cb32930656ba77499e8c79a58ac5ae7cc610e6dee0eb59e1ec34a791f5e8d1f08f92bdd8f2c3190d2eed4638b002d571d7ecc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8886.tmp
Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\content\_package\client\c1078262835_0.pkg.temp
Filesize
36.4MB

MD5
974f75257c85ee522e33425109b3b0f0

SHA1
e8bb365a675d88230cd541e2d2d8c72de7f3f558

SHA256
11024cc14cafff99d55c07417856b36bb4ec7e1e15e562126eab565d68abf05d

SHA512
512039b035880dcee7f28f1a6c0add488ce401a5b57f521aaaec62ae9f9a60e5fb2c57eb3ef7aa3176b9c4ce9dbb189590dad9de1dee1574b8f141a23d95776f

Download Submit
C:\Users\Admin\AppData\Local\Temp\game_launcher_log.other
Filesize
16KB

MD5
3a2ae11dd7e46df3c260e4810634b4ea

SHA1
ebd4fa120b663e0ed5cd8a6283fef7465abff1fb

SHA256
46bb497f1ece77d271a2e334b8fd31ac63353f40ab1a1652bbc3a0dea731c7e3

SHA512
5c339d54bd8ea9a3c826362f6dd1486059d056b7f0ad9fc2e2af3094b05a5e5f6c55f6bbf5ba9b4e5fb802a364b8aad8f8722bf1d997893ccde2c42bfff02409

Download Submit
C:\Users\Admin\AppData\Local\Temp\handle64.exe
Filesize
591KB

MD5
490abbb59c47d7cd17880b7ded85828a

SHA1
34d093c70f18d1ac7d27bb207bf64501afff5c0d

SHA256
60896bb064332ebdb70f28f5c58e4b62d5ca454f89c23174115ab8768ebd54f4

SHA512
048e5ebb82d418f97462e0598b80b9d1fe06e9f8dc758252bf1158b8b0921b1cf17bc81c8e06278b88fce8f88e60b1fd61ed8d986635bb2d3404b98c74e47ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\patch\974f75257c85ee522e33425109b3b0f0to5050c4a04bd6290d99350dfe603c481b.patch11
Filesize
376B

MD5
e8be4c28db6a2f3fc6d484c32ab52901

SHA1
4c3abaa82da0f26e80ccbc75e60cb8dd1cae5df7

SHA256
714e774ccbe300b1b87eefffa4b343748ade08b344a406fe9a3f7ef7529b21d0

SHA512
2883c7846d160982d048cc21ebdbde923756139ad243d825ed0382cc58b7529721107a4fd1194cc99513df940e131243f5e43faf7e603c84add5f5e540df7818

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exe
Filesize
602KB

MD5
7ac21750e2032e5aeb681ac88460bdce

SHA1
8b2998807124137ba24b6df41dd6f1137a8b9e6e

SHA256
d81f59b2fe5e8589c0ee9782e231c805084f4d23dfade413903a4cad63b4e342

SHA512
bf377d88375495cdf31e5c90c1d89a337a66c7e64cfcd588c7e412af0411e3b784d143fee6a25229df1188dfd5cbe8bec43702b5076f4020f2ef83dca7480d35

Download Submit
\Users\Admin\AppData\Local\Temp\XLSDKAgent.dll
Filesize
84KB

MD5
29ce882202da90e6f136562d80926573

SHA1
dd053768c22bee14964d0f657d72c13dffddc882

SHA256
c831be0e7d3d910001891e0088cc2b598f2c56a31536b4547e1dbdf29d9eac7e

SHA512
84d66d36772a87da834d037a157b7ec5e579e90fdb7a7e187a1b79c1acca38bbf3bc2dab3a9e4d03a441e7593b1d503b72f712045680ded1b9714e8e62d768c5

Download Submit
\Users\Admin\AppData\Local\Temp\dllXYVodSDK.dll
Filesize
2.3MB

MD5
7fd674ef58a1fb9fa3cbbd9388e35c04

SHA1
ebbcc994532402f5875749caa83347a70dae606f

SHA256
d9889aca7b2adabb1ced48b865b311bb93e1f3a2fbae38508dc2469513240dc6

SHA512
0c6f95aaba155367767290c223008b0d1866912cedecd4041fd07deb357b6fca81d8a8bcf238adc7d4da99209a9c566cf2f60be86a95536a4308241931c62808

Download Submit
\Users\Admin\AppData\Local\Temp\handle64.exe
Filesize
591KB

MD5
490abbb59c47d7cd17880b7ded85828a

SHA1
34d093c70f18d1ac7d27bb207bf64501afff5c0d

SHA256
60896bb064332ebdb70f28f5c58e4b62d5ca454f89c23174115ab8768ebd54f4

SHA512
048e5ebb82d418f97462e0598b80b9d1fe06e9f8dc758252bf1158b8b0921b1cf17bc81c8e06278b88fce8f88e60b1fd61ed8d986635bb2d3404b98c74e47ac7

Download Submit
\Users\Admin\AppData\Local\Temp\handle64.exe
Filesize
591KB

MD5
490abbb59c47d7cd17880b7ded85828a

SHA1
34d093c70f18d1ac7d27bb207bf64501afff5c0d

SHA256
60896bb064332ebdb70f28f5c58e4b62d5ca454f89c23174115ab8768ebd54f4

SHA512
048e5ebb82d418f97462e0598b80b9d1fe06e9f8dc758252bf1158b8b0921b1cf17bc81c8e06278b88fce8f88e60b1fd61ed8d986635bb2d3404b98c74e47ac7

Download Submit
\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exe
Filesize
602KB

MD5
7ac21750e2032e5aeb681ac88460bdce

SHA1
8b2998807124137ba24b6df41dd6f1137a8b9e6e

SHA256
d81f59b2fe5e8589c0ee9782e231c805084f4d23dfade413903a4cad63b4e342

SHA512
bf377d88375495cdf31e5c90c1d89a337a66c7e64cfcd588c7e412af0411e3b784d143fee6a25229df1188dfd5cbe8bec43702b5076f4020f2ef83dca7480d35

Download Submit
\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exe
Filesize
602KB

MD5
7ac21750e2032e5aeb681ac88460bdce

SHA1
8b2998807124137ba24b6df41dd6f1137a8b9e6e

SHA256
d81f59b2fe5e8589c0ee9782e231c805084f4d23dfade413903a4cad63b4e342

SHA512
bf377d88375495cdf31e5c90c1d89a337a66c7e64cfcd588c7e412af0411e3b784d143fee6a25229df1188dfd5cbe8bec43702b5076f4020f2ef83dca7480d35

Download Submit
\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exe
Filesize
602KB

MD5
7ac21750e2032e5aeb681ac88460bdce

SHA1
8b2998807124137ba24b6df41dd6f1137a8b9e6e

SHA256
d81f59b2fe5e8589c0ee9782e231c805084f4d23dfade413903a4cad63b4e342

SHA512
bf377d88375495cdf31e5c90c1d89a337a66c7e64cfcd588c7e412af0411e3b784d143fee6a25229df1188dfd5cbe8bec43702b5076f4020f2ef83dca7480d35

Download Submit
memory/2244-26-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2244-25-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-10-0x0000000000F10000-0x0000000000F28000-memory.dmp

Filesize
96KB

Download
memory/2244-11-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-12-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download
memory/2244-13-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2244-14-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2244-15-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download
memory/2644-28-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2644-457-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2644-157-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2644-63-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2644-197-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2644-27-0x0000000000040000-0x0000000000ACC000-memory.dmp

Filesize
10.5MB

Download
memory/2644-130-0x0000000002B60000-0x0000000002B68000-memory.dmp

Filesize
32KB

Download
memory/2644-24-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-37-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/2644-38-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/2644-454-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-455-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2644-456-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/2644-65-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2644-458-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2644-459-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2644-460-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2644-461-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2644-463-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2644-464-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2644-39-0x0000000000F90000-0x0000000000FB4000-memory.dmp

Filesize
144KB

Download
memory/2644-41-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2644-42-0x000000001BB50000-0x000000001BBD0000-memory.dmp

Filesize
512KB

Download
memory/2952-9-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2952-0-0x0000000000D10000-0x0000000000DD0000-memory.dmp

Filesize
768KB

Download
memory/2952-2-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/2952-1-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/3008-524-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download