ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd

Analysis

max time kernel
104s
max time network
105s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
28-04-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
Size

16.0MB
MD5

655c33920fd920dc86fe9c572f1bbaba
SHA1

766af67dd9d609c1cbf56578f25b0a3bacc580e2
SHA256

ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd
SHA512

e8e29eb2e9d26122d59b806a3bb7047b61f36942f34c0c883394337dc86896f71bf0cea4951525387c1eb9511624453022a0aa7e852882bbba7271c1dc2448fe
SSDEEP

393216:fuIjTX0c+rk9t2+arEhxiLFbHO1mmailtTZ0h6xZ:fuIjYcgPdHcmmaGtTZ0hC

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

poda64.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	poda64.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 2 IoCs

Processes:

poda64.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\poflt64.sys	poda64.exe
File created	C:\Windows\system32\drivers\poflt64.sys	poda64.exe

Enumerates connected drives 3 TTPs 9 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

poda32.exepoda64.exepobus64.exepobus64.exepobus64.exepobus64.exepobus64.exepobus64.exepobus64.exe

description	ioc	process
File opened (read-only)	\??\f:	poda32.exe
File opened (read-only)	\??\f:	poda64.exe
File opened (read-only)	\??\f:	pobus64.exe
File opened (read-only)	\??\f:	pobus64.exe
File opened (read-only)	\??\f:	pobus64.exe
File opened (read-only)	\??\f:	pobus64.exe
File opened (read-only)	\??\f:	pobus64.exe
File opened (read-only)	\??\f:	pobus64.exe
File opened (read-only)	\??\f:	pobus64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 64 IoCs

Processes:

rundll32.exeec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exepobus64.exepobus64.exepoda32.exepobus64.exepobus64.exepobus64.exepobus64.exerundll32.exepobus64.exepobus64.exepobus64.exepobus64.exepoda64.exepobus64.exerundll32.exe

description	ioc	process
File created	C:\Windows\projone\potcm\cache\dump\pobus64_20240428105216_pid_3436\exception.log	rundll32.exe
File created	C:\Windows\projone\potcm\skin\pochat	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\docguard64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\sscanner64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\siriuv64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\log\pobus64\20240428105151_pobus64-0.log	pobus64.exe
File opened for modification	C:\Windows\projone\potcm\log\pobus64\20240428105203_pobus64-0.log	pobus64.exe
File created	C:\Windows\projone\potcm\athenx32.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\nfwfp32.sys	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\libcurl64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\scrnrcd64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\log\poda32\20240428105101_poda32-0.log	poda32.exe
File opened for modification	C:\Windows\projone\potcm\cache\dump\pobus64_20240428105216_pid_3436\minidump.dmp	rundll32.exe
File created	C:\Windows\projone\potcm\naca32.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\poda64.exe	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\odipus64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\patch64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\ffmpeg.exe	pobus64.exe
File opened for modification	C:\Windows\projone\potcm\log\pobus64\20240428105126_pobus64-0.log	pobus64.exe
File created	C:\Windows\projone\potcm\protocolfilters.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\docwm32.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\rptcache64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\poprotect64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\setuphlpr.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\actmon64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\intcap64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\lang\lang-2052.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\skin\enced_offline.ico	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\skin\woumgr	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\log\pobus64\20240428105151_pobus64-0.log	pobus64.exe
File created	C:\Windows\projone\potcm\log\pobus64\20240428105228_pobus64-0.log	pobus64.exe
File created	C:\Windows\projone\potcm\skin\enced_normal.ico	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\clientstat.exe	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\libcrypto-3.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\pomqc364.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\cache\dump\pobus64_20240428105114_pid_2096\exception.log	rundll32.exe
File created	C:\Windows\projone\potcm\ffmpeg.exe	pobus64.exe
File created	C:\Windows\projone\potcm\skin\wfchost	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\skin\clientinfo	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\assisthost.exe	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\nnagent32.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\winpcap_inst.exe	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\poscsaver.exe	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\shlext64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\docscanner64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File opened for modification	C:\Windows\projone\potcm\log\pobus64\20240428105139_pobus64-0.log	pobus64.exe
File created	C:\Windows\projone\potcm\log\pobus64\20240428105203_pobus64-0.log	pobus64.exe
File created	C:\Windows\projone\potcm\log\pobus64\20240428105101_pobus64-0.log	pobus64.exe
File created	C:\Windows\projone\potcm\log\poda64\20240428105102_poda64-0.log	poda64.exe
File created	C:\Windows\projone\potcm\skin\sscannerwnd	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\skin\dtescanner	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\libcurl32.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\pobus64.exe	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\sqlcipher64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\poprotect664.sys	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File opened for modification	C:\Windows\projone\potcm\log\pobus64\20240428105139_pobus64-0.log	pobus64.exe
File created	C:\Windows\projone\potcm\pomqc3.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\doced64.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File opened for modification	C:\Windows\projone\potcm\cache\dump\pobus64_20240428105126_pid_1040\minidump.dmp	rundll32.exe
File created	C:\Windows\projone\potcm\skin\sscreator	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\skin\wfviewer	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\nfwfp64.sys	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\siriuv32.dll	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
File created	C:\Windows\projone\potcm\assisths.exe	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe

Executes dropped EXE 64 IoCs

Processes:

pobus64.exepobus64.exepoda32.exeassisths.exepoda64.exeassisths.exeassisths.exeassisths.execlientstat.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exepobus64.exepobus64.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exeassisths.exe

pid	process
3848	pobus64.exe
2096	pobus64.exe
436	poda32.exe
2772	assisths.exe
2152	poda64.exe
1296	assisths.exe
1624	assisths.exe
2452	assisths.exe
1732	clientstat.exe
4012	assisths.exe
3500	assisths.exe
2092	assisths.exe
4956	assisths.exe
3460	assisths.exe
4220	assisths.exe
4140	assisths.exe
3144	assisths.exe
1660	assisths.exe
4100	assisths.exe
908	assisths.exe
2476	assisths.exe
4616	assisths.exe
2100	assisths.exe
1444	assisths.exe
3532	assisths.exe
4892	assisths.exe
1380	assisths.exe
2084	assisths.exe
576	assisths.exe
1804	assisths.exe
3968	assisths.exe
2828	assisths.exe
4144	assisths.exe
248	assisths.exe
3200	assisths.exe
2760	assisths.exe
1908	assisths.exe
3048	assisths.exe
3556	assisths.exe
1180	assisths.exe
2244	pobus64.exe
1040	pobus64.exe
3044	assisths.exe
4532	assisths.exe
3860	assisths.exe
2108	assisths.exe
3632	assisths.exe
4048	assisths.exe
3924	assisths.exe
4880	assisths.exe
2184	assisths.exe
1460	assisths.exe
900	assisths.exe
4040	assisths.exe
4960	assisths.exe
1948	assisths.exe
968	assisths.exe
4388	assisths.exe
412	assisths.exe
2780	assisths.exe
672	assisths.exe
2072	assisths.exe
1784	assisths.exe
1388	assisths.exe

Loads dropped DLL 64 IoCs

Processes:

ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exepobus64.exeregsvr32.exeregsvr32.exepoda32.exe

pid	process
4108	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
4108	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
4108	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
1248	regsvr32.exe
4912	regsvr32.exe
436	poda32.exe
436	poda32.exe
436	poda32.exe
436	poda32.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
436	poda32.exe
2096	pobus64.exe
2096	pobus64.exe
436	poda32.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
436	poda32.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
436	poda32.exe
2096	pobus64.exe
436	poda32.exe
436	poda32.exe
436	poda32.exe
2096	pobus64.exe
2096	pobus64.exe
436	poda32.exe
436	poda32.exe
436	poda32.exe
436	poda32.exe
436	poda32.exe
436	poda32.exe
436	poda32.exe
436	poda32.exe
436	poda32.exe
436	poda32.exe
436	poda32.exe
436	poda32.exe
436	poda32.exe

Registers COM server for autorun 1 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}\InprocServer32\ = "C:\\Windows\\projone\\potcm\\shlext64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}\InprocServer32\ = "C:\\Windows\\projone\\potcm\\shlext64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\InprocServer32\ = "C:\\Windows\\projone\\potcm\\shlext64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\InprocServer32\ = "C:\\Windows\\projone\\potcm\\shlext64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\InprocServer32\ = "C:\\Windows\\projone\\potcm\\shlext64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\InprocServer32\ = "C:\\Windows\\projone\\potcm\\shlext64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\InprocServer32\ = "C:\\Windows\\projone\\potcm\\shlext64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\InprocServer32\ = "C:\\Windows\\projone\\potcm\\shlext64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\InprocServer32\ = "C:\\Windows\\projone\\potcm\\shlext64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\InprocServer32\ = "C:\\Windows\\projone\\potcm\\shlext64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}\InprocServer32	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exepoda32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9837E26-E9CA-48A0-9AF4-88804B91E316}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon2.1\CLSID\ = "{D4CA1384-016E-436C-970E-49E89C56D16B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{340A2687-D23B-4F55-968A-459C697CD02B}\ = "IDtePropSheet"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon3.1\CLSID\ = "{D4CA1384-016E-436C-970E-49E89C56D16C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9837E26-E9CA-48A0-9AF4-88804B91E316}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9837E26-E9CA-48A0-9AF4-88804B91E316}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\offlineRule\shell	poda32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\poshlext\ = "{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon2.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon3\ = "PoOverlayIcon3 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon3\CurVer	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\poshlext	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\ = "PoOverlayIcon Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}\ = "PoContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\ = "DtePropSheet Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}\1.0\ = "shlext 1.0 ÀàÐÍ¿â"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\offlineRule\shell\open	poda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gxdteSecShares\shell\open	poda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\TypeLib\ = "{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shlext.DtePropSheet\CLSID\ = "{940232A8-FAF8-4B70-A1C6-A0A184579DE2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\shlext.DtePropSheet\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon2\CurVer\ = "shlext.PoOverlayIcon2.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\poshlext\ = "{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon3\CLSID\ = "{D4CA1384-016E-436C-970E-49E89C56D16C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\ProgID\ = "shlext.PoOverlayIcon.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon2\ = "PoOverlayIcon2 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9837E26-E9CA-48A0-9AF4-88804B91E316}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{340A2687-D23B-4F55-968A-459C697CD02B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\offlineRule	poda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\ProgID\ = "shlext.PoOverlayIcon2.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon3.1\ = "PoOverlayIcon3 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\InprocServer32\ = "C:\\Windows\\projone\\potcm\\shlext64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{243FE571-9597-4E21-9261-4DF793DBE86C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\shlext.DtePropSheet\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{340A2687-D23B-4F55-968A-459C697CD02B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon.1\CLSID\ = "{D4CA1384-016E-436C-970E-49E89C56D16A}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\poshlext	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\TypeLib\ = "{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{243FE571-9597-4E21-9261-4DF793DBE86C}\TypeLib\ = "{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\offlineRule\DefaultIcon	poda32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pobus64.exepoda64.exe

pid	process
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2096	pobus64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe
2152	poda64.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exepobus64.exepoda32.exepoda64.exepobus64.exepobus64.exepobus64.exepobus64.exepobus64.exepobus64.exepobus64.exe

description	pid	process
Token: SeDebugPrivilege	4108	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
Token: SeDebugPrivilege	2096	pobus64.exe
Token: SeDebugPrivilege	436	poda32.exe
Token: SeDebugPrivilege	2096	pobus64.exe
Token: SeImpersonatePrivilege	2096	pobus64.exe
Token: SeShutdownPrivilege	2096	pobus64.exe
Token: SeShutdownPrivilege	436	poda32.exe
Token: SeDebugPrivilege	2152	poda64.exe
Token: SeDebugPrivilege	2152	poda64.exe
Token: SeImpersonatePrivilege	2152	poda64.exe
Token: SeDebugPrivilege	1040	pobus64.exe
Token: SeDebugPrivilege	1040	pobus64.exe
Token: SeImpersonatePrivilege	1040	pobus64.exe
Token: SeShutdownPrivilege	1040	pobus64.exe
Token: SeDebugPrivilege	4048	pobus64.exe
Token: SeDebugPrivilege	4048	pobus64.exe
Token: SeImpersonatePrivilege	4048	pobus64.exe
Token: SeShutdownPrivilege	4048	pobus64.exe
Token: SeDebugPrivilege	1520	pobus64.exe
Token: SeDebugPrivilege	1520	pobus64.exe
Token: SeImpersonatePrivilege	1520	pobus64.exe
Token: SeShutdownPrivilege	1520	pobus64.exe
Token: SeDebugPrivilege	2660	pobus64.exe
Token: SeDebugPrivilege	2660	pobus64.exe
Token: SeImpersonatePrivilege	2660	pobus64.exe
Token: SeShutdownPrivilege	2660	pobus64.exe
Token: SeDebugPrivilege	3436	pobus64.exe
Token: SeDebugPrivilege	3436	pobus64.exe
Token: SeImpersonatePrivilege	3436	pobus64.exe
Token: SeShutdownPrivilege	3436	pobus64.exe
Token: SeDebugPrivilege	1904	pobus64.exe
Token: SeDebugPrivilege	1904	pobus64.exe
Token: SeImpersonatePrivilege	1904	pobus64.exe
Token: SeShutdownPrivilege	1904	pobus64.exe
Token: SeDebugPrivilege	3936	pobus64.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

poda32.exepoda64.exe

pid	process
436	poda32.exe
436	poda32.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe

Suspicious use of SendNotifyMessage 47 IoCs

Processes:

poda32.exepoda64.exe

pid	process
436	poda32.exe
436	poda32.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe
2152	poda64.exe
2152	poda64.exe
436	poda32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exeregsvr32.exepobus64.exepoda32.exe

description	pid	process	target process
PID 4108 wrote to memory of 3848	4108	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe	pobus64.exe
PID 4108 wrote to memory of 3848	4108	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe	pobus64.exe
PID 4108 wrote to memory of 1248	4108	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe	regsvr32.exe
PID 4108 wrote to memory of 1248	4108	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe	regsvr32.exe
PID 4108 wrote to memory of 1248	4108	ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe	regsvr32.exe
PID 1248 wrote to memory of 4912	1248	regsvr32.exe	regsvr32.exe
PID 1248 wrote to memory of 4912	1248	regsvr32.exe	regsvr32.exe
PID 2096 wrote to memory of 436	2096	pobus64.exe	poda32.exe
PID 2096 wrote to memory of 436	2096	pobus64.exe	poda32.exe
PID 2096 wrote to memory of 436	2096	pobus64.exe	poda32.exe
PID 2096 wrote to memory of 2772	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 2772	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 2772	2096	pobus64.exe	assisths.exe
PID 436 wrote to memory of 2152	436	poda32.exe	poda64.exe
PID 436 wrote to memory of 2152	436	poda32.exe	poda64.exe
PID 2096 wrote to memory of 1296	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 1296	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 1296	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 1624	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 1624	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 1624	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 2452	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 2452	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 2452	2096	pobus64.exe	assisths.exe
PID 436 wrote to memory of 1732	436	poda32.exe	clientstat.exe
PID 436 wrote to memory of 1732	436	poda32.exe	clientstat.exe
PID 436 wrote to memory of 1732	436	poda32.exe	clientstat.exe
PID 2096 wrote to memory of 4012	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4012	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4012	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 3500	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 3500	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 3500	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 2092	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 2092	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 2092	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4956	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4956	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4956	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 3460	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 3460	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 3460	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4220	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4220	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4220	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4140	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4140	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4140	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 3144	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 3144	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 3144	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 1660	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 1660	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 1660	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4100	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4100	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4100	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 908	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 908	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 908	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 2476	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 2476	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 2476	2096	pobus64.exe	assisths.exe
PID 2096 wrote to memory of 4616	2096	pobus64.exe	assisths.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

pobus64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	pobus64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1"	pobus64.exe

C:\Users\Admin\AppData\Local\Temp\ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
"C:\Users\Admin\AppData\Local\Temp\ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe"
1⤵
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe /i
2⤵
- Drops file in Windows directory
- Executes dropped EXE
PID:3848

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Windows\projone\potcm\shlext64.dll
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\system32\regsvr32.exe
/s C:\Windows\projone\potcm\shlext64.dll
3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4912

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe
1⤵
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2096

C:\Windows\projone\potcm\poda32.exe
C:\Windows\projone\potcm\poda32.exe 7439ed87
2⤵
- Enumerates connected drives
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\projone\potcm\poda64.exe
C:\Windows\projone\potcm\poda64.exe 7439ed87_64
3⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Enumerates connected drives
- Drops file in Windows directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2152

C:\Windows\system32\regsvr32.exe
regsvr32.exe /s "C:\Windows\projone\potcm\shlext64.dll"
4⤵
- Registers COM server for autorun
- Modifies registry class
PID:2472

C:\Windows\projone\potcm\clientstat.exe
C:\Windows\projone\potcm\clientstat.exe
3⤵
- Executes dropped EXE
PID:1732

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:2772

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:1296

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:1624

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:2452

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:4012

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:3500

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:2092

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:4956

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:3460

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:4220

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:4140

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:3144

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:1660

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:4100

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:908

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:2476

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:4616

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:1444

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:3532

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:4892

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:1380

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:2084

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:576

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:1804

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:3968

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:2828

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:4144

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:248

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:3200

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:2760

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:1908

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:3048

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:3556

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\projone\potcm\podumper64.dll",RundllFun QABAAHAAaQBkADoAMgAwADkANgBAAEAAZABpAHIAOgBDADoAXABXAGkAbgBkAG8AdwBzAFwAcAByAG8AagBvAG4AZQBcAHAAbwB0AGMAbQBcAGMAYQBjAGgAZQBcAGQAdQBtAHAAQABAAHAAYQByAGEAbQA6AHoAVwBSAGMAVAAvAHQAOAAzADMANAA2AEEARgBjAEEAYQBRAEIAdQBBAEcAUQBBAGIAdwBCADMAQQBIAE0AQQBJAEEAQQB4AEEARABFAEEASQBBAEIAUQBBAEgASQBBAGIAdwBCAG0AQQBHAFUAQQBjAHcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEcARQBBAGIAQQBBAGcAQQBFAFUAQQBaAEEAQgBwAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBBADIAQQBEAFEAQQBMAFEAQgBpAEEARwBrAEEAZABBAEEATgBBAEEAbwBBAEQAUQBBAEsAQQBDADkAVQBxAEYATAAyAFoAZgBTAFYATwBnAEEAeQBBAEQAQQBBAE0AZwBBADAAQQBDADAAQQBNAEEAQQAwAEEAQwAwAEEATQBnAEEANABBAEMAQQBBAE0AUQBBAHcAQQBEAG8AQQBOAFEAQQB4AEEARABvAEEATQBBAEEAeABBAEMAQQBBAE4AZwBBADAAQQBEAFEAQQBEAFEAQQBLAEEAQQBKAGYATwBGADcAMgBaAGYAUwBWAE8AZwBBAHkAQQBEAEEAQQBNAGcAQQAwAEEAQwAwAEEATQBBAEEAMABBAEMAMABBAE0AZwBBADQAQQBDAEEAQQBNAFEAQQB3AEEARABvAEEATgBRAEEAeABBAEQAbwBBAE0AUQBBADAAQQBDAEEAQQBNAFEAQQAxAEEARABRAEEARABRAEEASwBBAEEASgBmAE8ARgA0AEIAZQBEAG8AQQBNAEEAQgA0AEEARwBNAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBOAFEAQQBvAEEAQwAwAEEATQBRAEEAdwBBAEQAYwBBAE0AdwBBADMAQQBEAFEAQQBNAFEAQQA0AEEARABFAEEATwBRAEEAcABBAEMAdwBBAEkAQQBEAEMAVQB3AE8AQQA0AFUAOQB2AFkARABvAEEAaABWAEYAWQBXADcAKwBMADcAcABVAEMAWAB6AGgAZQBEAFEAQQBLAEEAQQBKAGYATwBGADQAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAMwBBAEUAWQBBAFIAZwBBADMAQQBEAFEAQQBOAFEAQgBFAEEARQBFAEEAUQBnAEEAeABBAEQARQBBAE4AQQBBAE4AQQBBAG8AQQBBAGwAOAA0AFgAcwA5AGoAOABJADgAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBOAEEAQQB6AEEARABnAEEAUgBnAEEAegBBAEUAWQBBAE0AQQBBAG8AQQBIAGMAQQBhAFEAQgB1AEEARwBRAEEAWQBnAEIAbgBBAEMAQQBBAEwAZwBCAGwAQQBIAGcAQQBjAGcAQgA5AFYATwBSAE8ANQBXAGMATABkAHkAawBBAEQAUQBBAEsAQQBBAEoAZgBPAEYANABLAFQAZwB0AE8AaAAyAFUAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBOAEEAQQB6AEEARABnAEEAUgBRAEIARwBBAEQAQQBBAE0AQQBBAG8AQQBIAGMAQQBhAFEAQgB1AEEARwBRAEEAWQBnAEIAbgBBAEMAQQBBAEwAZwBCAGoAQQBIAGcAQQBjAGcAQgA5AFYATwBSAE8ANQBXAGMATABkAHkAawBBAEQAUQBBAEsAQQBBAEEAQQA=
2⤵
- Drops file in Windows directory
PID:4656

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:1180

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe /i
1⤵
- Executes dropped EXE
PID:2244

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:4532

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:3860

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:2108

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:3632

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:4048

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:3924

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:4880

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:2184

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:1460

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:900

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:4040

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:4960

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:1948

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:968

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:4388

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:412

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:2780

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:672

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:2072

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:1784

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
- Executes dropped EXE
PID:1388

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1436

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3048

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3156

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3900

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2088

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3352

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4792

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1180

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3412

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1660

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1736

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3860

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2108

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\projone\potcm\podumper64.dll",RundllFun QABAAHAAaQBkADoAMQAwADQAMABAAEAAZABpAHIAOgBDADoAXABXAGkAbgBkAG8AdwBzAFwAcAByAG8AagBvAG4AZQBcAHAAbwB0AGMAbQBcAGMAYQBjAGgAZQBcAGQAdQBtAHAAQABAAHAAYQByAGEAbQA6AHoAVwBSAGMAVAAvAHQAOAAzADMANAA2AEEARgBjAEEAYQBRAEIAdQBBAEcAUQBBAGIAdwBCADMAQQBIAE0AQQBJAEEAQQB4AEEARABFAEEASQBBAEIAUQBBAEgASQBBAGIAdwBCAG0AQQBHAFUAQQBjAHcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEcARQBBAGIAQQBBAGcAQQBFAFUAQQBaAEEAQgBwAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBBADIAQQBEAFEAQQBMAFEAQgBpAEEARwBrAEEAZABBAEEATgBBAEEAbwBBAEQAUQBBAEsAQQBDADkAVQBxAEYATAAyAFoAZgBTAFYATwBnAEEAeQBBAEQAQQBBAE0AZwBBADAAQQBDADAAQQBNAEEAQQAwAEEAQwAwAEEATQBnAEEANABBAEMAQQBBAE0AUQBBAHcAQQBEAG8AQQBOAFEAQQB4AEEARABvAEEATQBRAEEAMABBAEMAQQBBAE0AdwBBAHgAQQBEAFEAQQBEAFEAQQBLAEEAQQBKAGYATwBGADcAMgBaAGYAUwBWAE8AZwBBAHkAQQBEAEEAQQBNAGcAQQAwAEEAQwAwAEEATQBBAEEAMABBAEMAMABBAE0AZwBBADQAQQBDAEEAQQBNAFEAQQB3AEEARABvAEEATgBRAEEAeABBAEQAbwBBAE0AZwBBADIAQQBDAEEAQQBOAFEAQQAyAEEARABBAEEARABRAEEASwBBAEEASgBmAE8ARgA0AEIAZQBEAG8AQQBNAEEAQgA0AEEARwBNAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBOAFEAQQBvAEEAQwAwAEEATQBRAEEAdwBBAEQAYwBBAE0AdwBBADMAQQBEAFEAQQBNAFEAQQA0AEEARABFAEEATwBRAEEAcABBAEMAdwBBAEkAQQBEAEMAVQB3AE8AQQA0AFUAOQB2AFkARABvAEEAaABWAEYAWQBXADcAKwBMADcAcABVAEMAWAB6AGgAZQBEAFEAQQBLAEEAQQBKAGYATwBGADQAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAMwBBAEUAWQBBAFIAZwBBADMAQQBEAFEAQQBOAFEAQgBFAEEARQBFAEEAUQBnAEEAeABBAEQARQBBAE4AQQBBAE4AQQBBAG8AQQBBAGwAOAA0AFgAcwA5AGoAOABJADgAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBNAHcAQgBFAEEARABNAEEAUgBnAEEAMQBBAEUAWQBBAE0AQQBBAG8AQQBIAGMAQQBhAFEAQgB1AEEARwBRAEEAWQBnAEIAbgBBAEMAQQBBAEwAZwBCAGwAQQBIAGcAQQBjAGcAQgA5AFYATwBSAE8ANQBXAGMATABkAHkAawBBAEQAUQBBAEsAQQBBAEoAZgBPAEYANABLAFQAZwB0AE8AaAAyAFUAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBNAHcAQgBFAEEARABNAEEAUgBnAEEAeABBAEQAQQBBAE0AQQBBAG8AQQBIAGMAQQBhAFEAQgB1AEEARwBRAEEAWQBnAEIAbgBBAEMAQQBBAEwAZwBCAGoAQQBIAGcAQQBjAGcAQgA5AFYATwBSAE8ANQBXAGMATABkAHkAawBBAEQAUQBBAEsAQQBBAEEAQQA=
2⤵
- Drops file in Windows directory
PID:2440

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe /i
1⤵
- Drops file in Windows directory
PID:2788

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4416

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:900

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1828

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2400

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4336

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1700

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4484

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1940

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3724

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:392

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3544

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2760

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1296

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3612

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3536

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4648

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2008

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:244

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4872

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2096

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3500

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4596

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1256

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:396

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:784

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2576

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4220

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4140

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2092

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:8

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1064

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4352

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4416

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2788

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1248

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:576

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1804

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\projone\potcm\podumper64.dll",RundllFun QABAAHAAaQBkADoANAAwADQAOABAAEAAZABpAHIAOgBDADoAXABXAGkAbgBkAG8AdwBzAFwAcAByAG8AagBvAG4AZQBcAHAAbwB0AGMAbQBcAGMAYQBjAGgAZQBcAGQAdQBtAHAAQABAAHAAYQByAGEAbQA6AHoAVwBSAGMAVAAvAHQAOAAzADMANAA2AEEARgBjAEEAYQBRAEIAdQBBAEcAUQBBAGIAdwBCADMAQQBIAE0AQQBJAEEAQQB4AEEARABFAEEASQBBAEIAUQBBAEgASQBBAGIAdwBCAG0AQQBHAFUAQQBjAHcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEcARQBBAGIAQQBBAGcAQQBFAFUAQQBaAEEAQgBwAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBBADIAQQBEAFEAQQBMAFEAQgBpAEEARwBrAEEAZABBAEEATgBBAEEAbwBBAEQAUQBBAEsAQQBDADkAVQBxAEYATAAyAFoAZgBTAFYATwBnAEEAeQBBAEQAQQBBAE0AZwBBADAAQQBDADAAQQBNAEEAQQAwAEEAQwAwAEEATQBnAEEANABBAEMAQQBBAE0AUQBBAHcAQQBEAG8AQQBOAFEAQQB4AEEARABvAEEATQBnAEEAMgBBAEMAQQBBAE4AdwBBADIAQQBEAEUAQQBEAFEAQQBLAEEAQQBKAGYATwBGADcAMgBaAGYAUwBWAE8AZwBBAHkAQQBEAEEAQQBNAGcAQQAwAEEAQwAwAEEATQBBAEEAMABBAEMAMABBAE0AZwBBADQAQQBDAEEAQQBNAFEAQQB3AEEARABvAEEATgBRAEEAeABBAEQAbwBBAE0AdwBBADQAQQBDAEEAQQBPAFEAQQB4AEEARABrAEEARABRAEEASwBBAEEASgBmAE8ARgA0AEIAZQBEAG8AQQBNAEEAQgA0AEEARwBNAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBOAFEAQQBvAEEAQwAwAEEATQBRAEEAdwBBAEQAYwBBAE0AdwBBADMAQQBEAFEAQQBNAFEAQQA0AEEARABFAEEATwBRAEEAcABBAEMAdwBBAEkAQQBEAEMAVQB3AE8AQQA0AFUAOQB2AFkARABvAEEAaABWAEYAWQBXADcAKwBMADcAcABVAEMAWAB6AGgAZQBEAFEAQQBLAEEAQQBKAGYATwBGADQAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAMwBBAEUAWQBBAFIAZwBBADMAQQBEAFEAQQBOAFEAQgBFAEEARQBFAEEAUQBnAEEAeABBAEQARQBBAE4AQQBBAE4AQQBBAG8AQQBBAGwAOAA0AFgAcwA5AGoAOABJADgAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBNAHcAQQB6AEEARQBVAEEAUgBnAEEAegBBAEQAYwBBAE0AQQBBAG8AQQBIAGMAQQBhAFEAQgB1AEEARwBRAEEAWQBnAEIAbgBBAEMAQQBBAEwAZwBCAGwAQQBIAGcAQQBjAGcAQgA5AFYATwBSAE8ANQBXAGMATABkAHkAawBBAEQAUQBBAEsAQQBBAEoAZgBPAEYANABLAFQAZwB0AE8AaAAyAFUAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBNAHcAQQB6AEEARQBVAEEAUgBRAEIARgBBAEQAZwBBAE0AQQBBAG8AQQBIAGMAQQBhAFEAQgB1AEEARwBRAEEAWQBnAEIAbgBBAEMAQQBBAEwAZwBCAGoAQQBIAGcAQQBjAGcAQgA5AFYATwBSAE8ANQBXAGMATABkAHkAawBBAEQAUQBBAEsAQQBBAEEAQQA=
2⤵
PID:768

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe /i
1⤵
- Drops file in Windows directory
PID:3212

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4780

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4632

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1344

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3616

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3712

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1836

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3172

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3128

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4364

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3144

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2384

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1972

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1256

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:396

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4740

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4640

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1896

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3844

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2440

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3360

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4592

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4052

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:560

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4288

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:5056

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2036

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2956

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:456

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4436

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3060

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4388

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1388

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1440

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:5024

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4464

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3064

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3356

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\projone\potcm\podumper64.dll",RundllFun QABAAHAAaQBkADoAMQA1ADIAMABAAEAAZABpAHIAOgBDADoAXABXAGkAbgBkAG8AdwBzAFwAcAByAG8AagBvAG4AZQBcAHAAbwB0AGMAbQBcAGMAYQBjAGgAZQBcAGQAdQBtAHAAQABAAHAAYQByAGEAbQA6AHoAVwBSAGMAVAAvAHQAOAAzADMANAA2AEEARgBjAEEAYQBRAEIAdQBBAEcAUQBBAGIAdwBCADMAQQBIAE0AQQBJAEEAQQB4AEEARABFAEEASQBBAEIAUQBBAEgASQBBAGIAdwBCAG0AQQBHAFUAQQBjAHcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEcARQBBAGIAQQBBAGcAQQBFAFUAQQBaAEEAQgBwAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBBADIAQQBEAFEAQQBMAFEAQgBpAEEARwBrAEEAZABBAEEATgBBAEEAbwBBAEQAUQBBAEsAQQBDADkAVQBxAEYATAAyAFoAZgBTAFYATwBnAEEAeQBBAEQAQQBBAE0AZwBBADAAQQBDADAAQQBNAEEAQQAwAEEAQwAwAEEATQBnAEEANABBAEMAQQBBAE0AUQBBAHcAQQBEAG8AQQBOAFEAQQB4AEEARABvAEEATQB3AEEANQBBAEMAQQBBAE0AQQBBADQAQQBEAGcAQQBEAFEAQQBLAEEAQQBKAGYATwBGADcAMgBaAGYAUwBWAE8AZwBBAHkAQQBEAEEAQQBNAGcAQQAwAEEAQwAwAEEATQBBAEEAMABBAEMAMABBAE0AZwBBADQAQQBDAEEAQQBNAFEAQQB3AEEARABvAEEATgBRAEEAeABBAEQAbwBBAE4AUQBBAHgAQQBDAEEAQQBNAHcAQQAxAEEARABZAEEARABRAEEASwBBAEEASgBmAE8ARgA0AEIAZQBEAG8AQQBNAEEAQgA0AEEARwBNAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBOAFEAQQBvAEEAQwAwAEEATQBRAEEAdwBBAEQAYwBBAE0AdwBBADMAQQBEAFEAQQBNAFEAQQA0AEEARABFAEEATwBRAEEAcABBAEMAdwBBAEkAQQBEAEMAVQB3AE8AQQA0AFUAOQB2AFkARABvAEEAaABWAEYAWQBXADcAKwBMADcAcABVAEMAWAB6AGgAZQBEAFEAQQBLAEEAQQBKAGYATwBGADQAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAMwBBAEUAWQBBAFIAZwBBADMAQQBEAFEAQQBOAFEAQgBFAEEARQBFAEEAUQBnAEEAeABBAEQARQBBAE4AQQBBAE4AQQBBAG8AQQBBAGwAOAA0AFgAcwA5AGoAOABJADgAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBNAHcAQQB6AEEARQBVAEEAUgBnAEEAegBBAEQATQBBAE0AQQBBAG8AQQBIAGMAQQBhAFEAQgB1AEEARwBRAEEAWQBnAEIAbgBBAEMAQQBBAEwAZwBCAGwAQQBIAGcAQQBjAGcAQgA5AFYATwBSAE8ANQBXAGMATABkAHkAawBBAEQAUQBBAEsAQQBBAEoAZgBPAEYANABLAFQAZwB0AE8AaAAyAFUAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBNAHcAQQB6AEEARQBVAEEAUgBRAEIARgBBAEQAUQBBAE0AQQBBAG8AQQBIAGMAQQBhAFEAQgB1AEEARwBRAEEAWQBnAEIAbgBBAEMAQQBBAEwAZwBCAGoAQQBIAGcAQQBjAGcAQgA5AFYATwBSAE8ANQBXAGMATABkAHkAawBBAEQAUQBBAEsAQQBBAEEAQQA=
2⤵
PID:4792

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe /i
1⤵
- Drops file in Windows directory
PID:3076

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1256

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4692

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3648

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1768

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:972

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4492

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2092

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1020

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3464

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3492

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1888

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2084

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3444

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2488

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4112

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3968

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1444

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1560

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4916

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4816

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4048

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4144

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:828

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1392

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4772

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3156

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:244

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3456

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3380

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1720

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1156

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2276

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3724

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1780

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1164

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2248

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:5068

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\projone\potcm\podumper64.dll",RundllFun QABAAHAAaQBkADoAMgA2ADYAMABAAEAAZABpAHIAOgBDADoAXABXAGkAbgBkAG8AdwBzAFwAcAByAG8AagBvAG4AZQBcAHAAbwB0AGMAbQBcAGMAYQBjAGgAZQBcAGQAdQBtAHAAQABAAHAAYQByAGEAbQA6AHoAVwBSAGMAVAAvAHQAOAAzADMANAA2AEEARgBjAEEAYQBRAEIAdQBBAEcAUQBBAGIAdwBCADMAQQBIAE0AQQBJAEEAQQB4AEEARABFAEEASQBBAEIAUQBBAEgASQBBAGIAdwBCAG0AQQBHAFUAQQBjAHcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEcARQBBAGIAQQBBAGcAQQBFAFUAQQBaAEEAQgBwAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBBADIAQQBEAFEAQQBMAFEAQgBpAEEARwBrAEEAZABBAEEATgBBAEEAbwBBAEQAUQBBAEsAQQBDADkAVQBxAEYATAAyAFoAZgBTAFYATwBnAEEAeQBBAEQAQQBBAE0AZwBBADAAQQBDADAAQQBNAEEAQQAwAEEAQwAwAEEATQBnAEEANABBAEMAQQBBAE0AUQBBAHcAQQBEAG8AQQBOAFEAQQB4AEEARABvAEEATgBRAEEAeABBAEMAQQBBAE4AQQBBADIAQQBEAE0AQQBEAFEAQQBLAEEAQQBKAGYATwBGADcAMgBaAGYAUwBWAE8AZwBBAHkAQQBEAEEAQQBNAGcAQQAwAEEAQwAwAEEATQBBAEEAMABBAEMAMABBAE0AZwBBADQAQQBDAEEAQQBNAFEAQQB3AEEARABvAEEATgBRAEEAeQBBAEQAbwBBAE0AQQBBAHoAQQBDAEEAQQBOAGcAQQA0AEEARABnAEEARABRAEEASwBBAEEASgBmAE8ARgA0AEIAZQBEAG8AQQBNAEEAQgA0AEEARwBNAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBOAFEAQQBvAEEAQwAwAEEATQBRAEEAdwBBAEQAYwBBAE0AdwBBADMAQQBEAFEAQQBNAFEAQQA0AEEARABFAEEATwBRAEEAcABBAEMAdwBBAEkAQQBEAEMAVQB3AE8AQQA0AFUAOQB2AFkARABvAEEAaABWAEYAWQBXADcAKwBMADcAcABVAEMAWAB6AGgAZQBEAFEAQQBLAEEAQQBKAGYATwBGADQAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAMwBBAEUAWQBBAFIAZwBBADMAQQBEAFEAQQBOAFEAQgBFAEEARQBFAEEAUQBnAEEAeABBAEQARQBBAE4AQQBBAE4AQQBBAG8AQQBBAGwAOAA0AFgAcwA5AGoAOABJADgAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBNAHcAQQAxAEEARQBZAEEAUgBnAEEAMwBBAEUAWQBBAE0AQQBBAG8AQQBIAGMAQQBhAFEAQgB1AEEARwBRAEEAWQBnAEIAbgBBAEMAQQBBAEwAZwBCAGwAQQBIAGcAQQBjAGcAQgA5AFYATwBSAE8ANQBXAGMATABkAHkAawBBAEQAUQBBAEsAQQBBAEoAZgBPAEYANABLAFQAZwB0AE8AaAAyAFUAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBNAHcAQQAxAEEARQBZAEEAUgBnAEEAegBBAEQAQQBBAE0AQQBBAG8AQQBIAGMAQQBhAFEAQgB1AEEARwBRAEEAWQBnAEIAbgBBAEMAQQBBAEwAZwBCAGoAQQBIAGcAQQBjAGcAQgA5AFYATwBSAE8ANQBXAGMATABkAHkAawBBAEQAUQBBAEsAQQBBAEEAQQA=
2⤵
PID:2932

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe /i
1⤵
- Drops file in Windows directory
PID:4956

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4892

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2200

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1888

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1008

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4480

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3512

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1620

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1088

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2168

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4108

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:456

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4436

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3060

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1640

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1296

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1344

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:5024

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4648

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3188

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4872

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4412

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3196

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4432

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2820

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2336

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3356

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:700

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2476

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4920

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:744

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:240

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3448

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3152

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1736

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4140

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1432

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4416

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\projone\potcm\podumper64.dll",RundllFun QABAAHAAaQBkADoAMwA0ADMANgBAAEAAZABpAHIAOgBDADoAXABXAGkAbgBkAG8AdwBzAFwAcAByAG8AagBvAG4AZQBcAHAAbwB0AGMAbQBcAGMAYQBjAGgAZQBcAGQAdQBtAHAAQABAAHAAYQByAGEAbQA6AHoAVwBSAGMAVAAvAHQAOAAzADMANAA2AEEARgBjAEEAYQBRAEIAdQBBAEcAUQBBAGIAdwBCADMAQQBIAE0AQQBJAEEAQQB4AEEARABFAEEASQBBAEIAUQBBAEgASQBBAGIAdwBCAG0AQQBHAFUAQQBjAHcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEcARQBBAGIAQQBBAGcAQQBFAFUAQQBaAEEAQgBwAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBBADIAQQBEAFEAQQBMAFEAQgBpAEEARwBrAEEAZABBAEEATgBBAEEAbwBBAEQAUQBBAEsAQQBDADkAVQBxAEYATAAyAFoAZgBTAFYATwBnAEEAeQBBAEQAQQBBAE0AZwBBADAAQQBDADAAQQBNAEEAQQAwAEEAQwAwAEEATQBnAEEANABBAEMAQQBBAE0AUQBBAHcAQQBEAG8AQQBOAFEAQQB5AEEARABvAEEATQBBAEEAegBBAEMAQQBBAE8AQQBBADAAQQBEAGMAQQBEAFEAQQBLAEEAQQBKAGYATwBGADcAMgBaAGYAUwBWAE8AZwBBAHkAQQBEAEEAQQBNAGcAQQAwAEEAQwAwAEEATQBBAEEAMABBAEMAMABBAE0AZwBBADQAQQBDAEEAQQBNAFEAQQB3AEEARABvAEEATgBRAEEAeQBBAEQAbwBBAE0AUQBBADIAQQBDAEEAQQBNAEEAQQB6AEEARABFAEEARABRAEEASwBBAEEASgBmAE8ARgA0AEIAZQBEAG8AQQBNAEEAQgA0AEEARwBNAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBOAFEAQQBvAEEAQwAwAEEATQBRAEEAdwBBAEQAYwBBAE0AdwBBADMAQQBEAFEAQQBNAFEAQQA0AEEARABFAEEATwBRAEEAcABBAEMAdwBBAEkAQQBEAEMAVQB3AE8AQQA0AFUAOQB2AFkARABvAEEAaABWAEYAWQBXADcAKwBMADcAcABVAEMAWAB6AGgAZQBEAFEAQQBLAEEAQQBKAGYATwBGADQAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAMwBBAEUAWQBBAFIAZwBBADMAQQBEAFEAQQBOAFEAQgBFAEEARQBFAEEAUQBnAEEAeABBAEQARQBBAE4AQQBBAE4AQQBBAG8AQQBBAGwAOAA0AFgAcwA5AGoAOABJADgAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBOAEEAQQB4AEEARABFAEEAUgBnAEEAdwBBAEQAYwBBAE0AQQBBAG8AQQBIAGMAQQBhAFEAQgB1AEEARwBRAEEAWQBnAEIAbgBBAEMAQQBBAEwAZwBCAGwAQQBIAGcAQQBjAGcAQgA5AFYATwBSAE8ANQBXAGMATABkAHkAawBBAEQAUQBBAEsAQQBBAEoAZgBPAEYANABLAFQAZwB0AE8AaAAyAFUAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBOAEEAQQB4AEEARABFAEEAUgBRAEIAQwBBAEQAZwBBAE0AQQBBAG8AQQBIAGMAQQBhAFEAQgB1AEEARwBRAEEAWQBnAEIAbgBBAEMAQQBBAEwAZwBCAGoAQQBIAGcAQQBjAGcAQgA5AFYATwBSAE8ANQBXAGMATABkAHkAawBBAEQAUQBBAEsAQQBBAEEAQQA=
2⤵
- Drops file in Windows directory
PID:1384

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe /i
1⤵
PID:2080

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1292

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4212

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3112

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3924

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2100

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3060

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1640

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4972

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2452

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4772

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2252

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2356

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1480

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:540

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1728

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1500

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1156

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2132

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4792

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3656

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3076

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:876

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4120

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:772

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2260

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1052

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3412

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3448

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3860

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:2932

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1556

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:1544

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4924

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4960

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:4044

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3820

C:\Windows\projone\potcm\assisths.exe
C:\Windows\projone\potcm\assisths.exe
2⤵
PID:3992

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\projone\potcm\podumper64.dll",RundllFun QABAAHAAaQBkADoAMQA5ADAANABAAEAAZABpAHIAOgBDADoAXABXAGkAbgBkAG8AdwBzAFwAcAByAG8AagBvAG4AZQBcAHAAbwB0AGMAbQBcAGMAYQBjAGgAZQBcAGQAdQBtAHAAQABAAHAAYQByAGEAbQA6AHoAVwBSAGMAVAAvAHQAOAAzADMANAA2AEEARgBjAEEAYQBRAEIAdQBBAEcAUQBBAGIAdwBCADMAQQBIAE0AQQBJAEEAQQB4AEEARABFAEEASQBBAEIAUQBBAEgASQBBAGIAdwBCAG0AQQBHAFUAQQBjAHcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEcARQBBAGIAQQBBAGcAQQBFAFUAQQBaAEEAQgBwAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBBADIAQQBEAFEAQQBMAFEAQgBpAEEARwBrAEEAZABBAEEATgBBAEEAbwBBAEQAUQBBAEsAQQBDADkAVQBxAEYATAAyAFoAZgBTAFYATwBnAEEAeQBBAEQAQQBBAE0AZwBBADAAQQBDADAAQQBNAEEAQQAwAEEAQwAwAEEATQBnAEEANABBAEMAQQBBAE0AUQBBAHcAQQBEAG8AQQBOAFEAQQB5AEEARABvAEEATQBRAEEAMgBBAEMAQQBBAE0AUQBBADUAQQBEAFkAQQBEAFEAQQBLAEEAQQBKAGYATwBGADcAMgBaAGYAUwBWAE8AZwBBAHkAQQBEAEEAQQBNAGcAQQAwAEEAQwAwAEEATQBBAEEAMABBAEMAMABBAE0AZwBBADQAQQBDAEEAQQBNAFEAQQB3AEEARABvAEEATgBRAEEAeQBBAEQAbwBBAE0AZwBBADQAQQBDAEEAQQBOAEEAQQB6AEEARABnAEEARABRAEEASwBBAEEASgBmAE8ARgA0AEIAZQBEAG8AQQBNAEEAQgA0AEEARwBNAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBOAFEAQQBvAEEAQwAwAEEATQBRAEEAdwBBAEQAYwBBAE0AdwBBADMAQQBEAFEAQQBNAFEAQQA0AEEARABFAEEATwBRAEEAcABBAEMAdwBBAEkAQQBEAEMAVQB3AE8AQQA0AFUAOQB2AFkARABvAEEAaABWAEYAWQBXADcAKwBMADcAcABVAEMAWAB6AGgAZQBEAFEAQQBLAEEAQQBKAGYATwBGADQAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAMwBBAEUAWQBBAFIAZwBBADMAQQBEAFEAQQBOAFEAQgBFAEEARQBFAEEAUQBnAEEAeABBAEQARQBBAE4AQQBBAE4AQQBBAG8AQQBBAGwAOAA0AFgAcwA5AGoAOABJADgAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBNAHcAQgBFAEEARABNAEEAUgBnAEEAeABBAEQAYwBBAE0AQQBBAG8AQQBIAGMAQQBhAFEAQgB1AEEARwBRAEEAWQBnAEIAbgBBAEMAQQBBAEwAZwBCAGwAQQBIAGcAQQBjAGcAQgA5AFYATwBSAE8ANQBXAGMATABkAHkAawBBAEQAUQBBAEsAQQBBAEoAZgBPAEYANABLAFQAZwB0AE8AaAAyAFUAdwBWADAAQgBYAE8AZwBBAHcAQQBIAGcAQQBNAEEAQQB3AEEARABBAEEATQBBAEEAdwBBAEQAQQBBAE0AQQBBAHcAQQBEAEEAQQBNAHcAQgBFAEEARABNAEEAUgBRAEIARABBAEQAZwBBAE0AQQBBAG8AQQBIAGMAQQBhAFEAQgB1AEEARwBRAEEAWQBnAEIAbgBBAEMAQQBBAEwAZwBCAGoAQQBIAGcAQQBjAGcAQgA5AFYATwBSAE8ANQBXAGMATABkAHkAawBBAEQAUQBBAEsAQQBBAEEAQQA=
2⤵
PID:3056

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe /i
1⤵
PID:1828

C:\Windows\projone\potcm\pobus64.exe
C:\Windows\projone\potcm\pobus64.exe
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg56DC.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg56DC.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg56DC.tmp\nsDialogs.dll

Filesize
9KB

MD5
ab101f38562c8545a641e95172c354b4

SHA1
ec47ac5449f6ee4b14f6dd7ddde841a3e723e567

SHA256
3cdf3e24c87666ed5c582b8b028c01ee6ac16d5a9b8d8d684ae67605376786ea

SHA512
72d4b6dc439f40b7d68b03353a748fc3ad7ed10b0401741c5030705d9b1adef856406075e9ce4f1a08e4345a16e1c759f636c38ad92a57ef369867a9533b7037

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuphlpr.dll

Filesize
264KB

MD5
5b8659339fb6f998f25f3d7055b90a8c

SHA1
f28ec774744fbd6e2fc9f594bd4d31ef2adb8276

SHA256
c9bfcea372292fbd29f5a5f6cb51f97143d80e036133830fcb74f0994de51050

SHA512
37515fee58d2b2df3f3e9d270ec9d4f83f49333411a41c5a7d0514a5745c747ea5d79de2bffc543a2d54124ac49476805d99c18dc9ec0550be538eb9ecac3d99

Download Submit
C:\Windows\projone\potcm\SSLEAY64.dll

Filesize
430KB

MD5
d1cfbeb0e72ef69e3394e5c8be867053

SHA1
9aee512d080c67137855a12fda60c24efa1d0a4e

SHA256
fe1b87754b602c27d6c06f31e3c3c955b7ea627b061025ca0de5839832cc4669

SHA512
a3c938a19f67b88b1d127c69e5c97843e80574060150da6014a2039eeadf3e82a74688ac5acdc1109c7b490fdd1a6cd6ffa54ed483eaf293ee1ff0fbff93eaac

Download Submit
C:\Windows\projone\potcm\actmon64.dll

Filesize
849KB

MD5
f233b81a84b8915c62a495dfb7125000

SHA1
1bda81e391fb3b23edc29664ec7fb346a98e8854

SHA256
633cbb883bc40647fad5b0d6fb5f1dfbc624ec7779a6684a02e465e16fc2d552

SHA512
368488df1d1932bb765862add1febc2c0878bca0feb5d77a42c7a7043880a307b0e8bd1cc16ab2671725f1e886cc0c9cad1833ab3945d480e97c05fb4728caa9

Download Submit
C:\Windows\projone\potcm\anyconn64.dll

Filesize
328KB

MD5
6d0205592b52e5365b293885b6568775

SHA1
4dca9945313999e9f29c5d9fc831737111474454

SHA256
dc9349a92a4c624c93a14bdbdbe229e1fb055fbafe45c9cc36981bbba779d063

SHA512
b6a6c23bd497ab82258ce95e1e8ef2a6d886524b5bd116a2effb864ae0ecfb9fd034c50f45b772cf61d8fc8d394988600363a761176caea54d523b0ee2088e49

Download Submit
C:\Windows\projone\potcm\athens64.dll

Filesize
11B

MD5
6a99c575ab87f8c7d1ed1e52e7e349ce

SHA1
ff55435345834a3fe224936776c2aa15f6ed5358

SHA256
4097889236a2af26c293033feb964c4cf118c0224e0d063fec0a89e9d0569ef2

SHA512
7b486b49113b3585e6ca81bb6809516eefd5825cbb6a4ff8764a829c1d38e3e547fb1b8990cc22206b760b8c4143cdae9bb030b0e5ffaefcad9f81e56fa8b3b3

Download Submit
C:\Windows\projone\potcm\athenw32.dll

Filesize
661KB

MD5
6ff490b7f5ffed18743cc1a5b106f5ee

SHA1
a43b85c975538b2e5a7ec894a9170f7706c4c94d

SHA256
b793f6fa49f43f38b7b273bc75bf3b4bd29747e06cf34c611353316d219ef839

SHA512
8f9a893ffd46d46f6614e41e3fd3304a00722e3dc14cbf149984398bbbf3f71124cb97025a41885fa33cf400ec10870a7e50211a8f660201fbb4538558b30e1f

Download Submit
C:\Windows\projone\potcm\athenw64.dll

Filesize
916KB

MD5
9e9eb61877f77f6d5c36948d8de9f27d

SHA1
b3fbac9ff631127081cfa7138ca6afcf66db118a

SHA256
932f94b1755a5f2f13bd3b2ac832d3b88d3f7b7ca507675ca06e6cd775161d92

SHA512
b735c3e6ff3ae9d4232dac335d1aef12f63e16690883682fad08552b20cac8718782ad506051b68e462800d94dfb809d57d7747c4caca0d59e14e4e8c2ffd8a6

Download Submit
C:\Windows\projone\potcm\athenx32.dll

Filesize
8B

MD5
23c38b13fa624d71c9d73ad6216b70d2

SHA1
83e7b148253a4b2b933fe6152d7f531a4c31061c

SHA256
3e12179790d01c772a631ea24de933f00b24bff433828d17881f1cfefc0dc87e

SHA512
78e82b85fe1b8050c5042bbfecc58ee7537683c7511731627933a591bdb861e84ff0e2efc8ac2d266c0ca8d15d4126336e103351b03bbe4dfd1a2f2d12d15e0f

Download Submit
C:\Windows\projone\potcm\athenx64.dll

Filesize
8B

MD5
13e8a3c20341ad0586f92fa42eb7b23e

SHA1
e5c98e25503724809dcb92482a622d24722310eb

SHA256
550d70359b7d02c8c03352892dea80a1332426d948d0c74437caba69c8b95199

SHA512
d761763c4cf32cec2cbc20b1237d99ea26f910551819115391a84d3fb36b5b6fe76b8e20990c562bb95d73e8d0ed366420c97cab884a3648069a9b5efd18afc6

Download Submit
C:\Windows\projone\potcm\backup64.dll

Filesize
582KB

MD5
53aa3954f0d7de73b5558ce721041f81

SHA1
6978656a4247698815b45904db9fdcbdebb56508

SHA256
f17f38deca1fdf5bbedda681c768d8123eb1aa77d8be886ead9493ba45b68f9a

SHA512
b9829f7f63e67892e61a8cb69a7350b342781ad6b286006c43ffd3cc858755eaf612cbf1b76b588452afaed6d72f841cb707761f498e1ed04c2a0d43e535596b

Download Submit
C:\Windows\projone\potcm\clientbase32.dll

Filesize
489KB

MD5
3c841006e9e36961671623e8cf7157e6

SHA1
ff5d3fb23fd5be87bb602c88ab67eaaa453d6446

SHA256
61334cea2fbb76dae46ceeec13ccae466d64c45951e3330487db446c5d4a766c

SHA512
0cd8c3adc3d06edb64693058a0f442831bb5ece5c61ac399ab496cc0beb34ab7b438c1c57d48f10ce3e9a737df09ce64fbb6c0f6925dc429d626b942773e3fec

Download Submit
C:\Windows\projone\potcm\clientbase64.dll

Filesize
676KB

MD5
a796a385470158ba892ee5ced5d805e4

SHA1
d348dc568ec646aecaddd5aa4a438422e1f000f0

SHA256
16eae537802a82fc8961f5ab5c5250a3dfdc7c91d2fe58c9e1a878b2f3bdd333

SHA512
87ce99b825cbfa411a4d16521c75cd490273e6f45920deac973782915058e0e9caa116aaeccc6a76caaa62a3ad8a000586f2f35f3d9558a6521fed8571bcee2a

Download Submit
C:\Windows\projone\potcm\compress32.dll

Filesize
933KB

MD5
ae88317cd9d27c31d786a9ec3c5606b5

SHA1
a08375645ebbdadcaa147612bad341a5a5c9cc34

SHA256
e4bc29d5ab712e271e03815753f9425248af4f55516b31814cbe378537ddf001

SHA512
d1388932d083d406b4559734a136f4a9c17e4983b6ff8cc87e99116d75b32c47d0ced2ad2bfd5ffb9eba0706cb67c0f2923c9830060183d0d9be4a5321287a86

Download Submit
C:\Windows\projone\potcm\compress64.dll

Filesize
1.5MB

MD5
b73bca6ec271f912e1dcef900d8c0a0a

SHA1
d9fb64ce0a6cb02f765847dd61488a44d4da06ee

SHA256
94663d7c84d2afd3b4378a49aad7a8891649bfc61bb2ae8240a65fcfd0ecac4d

SHA512
3970bd07678c624b46c48f5bcdb247d5b3fa5a2c7e758d1fb3a85822dcc2bd6f4a8b2691f2573eb89f3abec96ee3183a11c942d27f35d14d0a1ecd796cc50b12

Download Submit
C:\Windows\projone\potcm\cryptdt.dll

Filesize
56KB

MD5
2d434517d33b1af2380b735986860c21

SHA1
e8810f7263561348af8bfe8203182a73e790d071

SHA256
e65ebc3c507d64cc8eadde673a3af56b3b83462c784d269e0485ddae03910a99

SHA512
e52089bc9e5efec4508afea69f70a6f553a8737fc474dc128c5d038e407d1a3e80ea80df94239f5b8aefdbfb7b35c6bd84ba26492efd00f6f032d978f25eaf95

Download Submit
C:\Windows\projone\potcm\ctask64.dll

Filesize
367KB

MD5
20a70989b00ba5f674ecfc5927f0ef5a

SHA1
eb75d2a41ac2833381c50404a861ed6c1d370ea1

SHA256
a32ad31460f6714651fb9a222a88a8fb6c0a0611852c241d119ce41800f0777c

SHA512
1480b3a392a1aa775280a5bb5cb78ba9156be95ca1166b14a91a01803d7877f04621222d8f9bc89f3b7e7fadb047dffcfd082466abeb91c4ead8f5c8487b3d74

Download Submit
C:\Windows\projone\potcm\deskmgr32.dll

Filesize
570KB

MD5
5030ef25589eee5c1eec4555cb09f21d

SHA1
b2a2a292f48ac576920973fa3affee427b6c0f33

SHA256
0aa558b7df045b740e0e10c702e33da67cd0f3d3e3adc240a493d9c95da4c317

SHA512
87995ac36cf9b015c498f1ece074db349a411aea436612612ce403fe1b1ea7020ef7fd1b522edb97e1c48724ed7dc2bfd63e45ffa70203201d602bfc492c02dc

Download Submit
C:\Windows\projone\potcm\doced64.dll

Filesize
532KB

MD5
e81610d99ac14b86be8796a6b85c5d8e

SHA1
6b4c6a7cdd7f8e1a38b8bbf3cf7bd387859d5905

SHA256
3c1ba823941ec333e311ef34a63f83d3a2fd2ce046ed3581237d631b867d57c6

SHA512
84ebb871c0e1be9aad47137ea2c01915fe46ff3ab84ab49754d187c0d2b43d737d580024e920978fac2f501a7f16619fa46b02fe6061a30b7325b9b59be6f43e

Download Submit
C:\Windows\projone\potcm\docext.dll

Filesize
205KB

MD5
7faf30db3961c9e28f5737efca00924f

SHA1
bf59f3339ac3314e8e6490a8ad35fcdd0afe7f5f

SHA256
4549df5a6de2bfc3fcebc7c465d605c6f071c6352348431052c39ad10e6d5262

SHA512
c6814c9a6da1e8e1dee63b0f695074cb10a57902d4ea2ddbd2a17063ddbb4c180c4e654daccb5fd1148a993391156d0a237dc4a998ed787298ff5d316743bcb2

Download Submit
C:\Windows\projone\potcm\docguard64.dll

Filesize
522KB

MD5
d0b3790119729f76d9421d70caf5732c

SHA1
9d1810a098f016f24c46d2728796cf6bc2d7cc2f

SHA256
8d4cd61e2bf00ba7198769a7b255f3d44535191a3cf79352d6bc84e78771a1ad

SHA512
43fb33fc98c0698ee0fc0485829986149481a92f50195ca54e8174bdc901f26233ce04a78d94e4fd35eb3cf641e120fcc81de85dc8395577e76467c96c1ddcb0

Download Submit
C:\Windows\projone\potcm\docscanner64.dll

Filesize
849KB

MD5
074d5c0c7780d00b19590fc6a6b29a0d

SHA1
945001819b386c899416039205c7ce2163cf7666

SHA256
e307bd84faeda474e59036290831dbf5dd4e4319bb1430db08e4da88e7258b3e

SHA512
3ce5b2f018226d03fc9a93af2598014c49ba5021cb46e12589c2586dd271c6a48c81109fd572973e234e104379a2f3e3e38eec7d4745eb5d79fbefbc05ad502f

Download Submit
C:\Windows\projone\potcm\docwm32.dll

Filesize
271KB

MD5
25c6c51cc1240c0b9b2c023cb453344f

SHA1
01d7e78643d011485b91a3e58ab7e736024b4973

SHA256
78e5a72ddc3a83ce462b393a9bfb34082cc02d087bd977ed338aa25053daa6dd

SHA512
3e2cc4db569197c692fa14ab66028e3dc9bd336cad0a2b022ec6dcc6bc640084b5d165df7fba72a4852d12ec9eb6846d922a949eecae745a4db3e4c5faaa752f

Download Submit
C:\Windows\projone\potcm\filedp64.dll

Filesize
383KB

MD5
fd500b28d2d77fcf5463094b3b0ba097

SHA1
cedf81e5a8615ee3892da978049335c5cd626659

SHA256
d3987c73c7e81b393ad9035c2d8edf0e53a4d31f65ace1af8f0a062f411b6d10

SHA512
a59ed9a9bcb5195a4711c863378d788b24d453414fcceccbc09128f581c9d977865030c95f5e1c0a2e84f34900db49ceb36c8b5ec43d7eb236781d31d3343ee1

Download Submit
C:\Windows\projone\potcm\frcinst32.dll

Filesize
227KB

MD5
a446fd351c77f2f560fd9cb1d13d8756

SHA1
ce9e58cdc859f998f4a4a067e4e6e3ba0d138a74

SHA256
82bcfe06edcd52f35db1b1709254cf42669d18fa6bd5abd8f3832b8bb8561c94

SHA512
d3ea42fd81b498e022079132a813cf5da1e223ec770d8ddfe0c5bda6745c85f40a411c85f982344f592560ba67f97b1e138665a8c2352c589a2a20397b3f4fb8

Download Submit
C:\Windows\projone\potcm\gxdte64.dll

Filesize
719KB

MD5
c4a061ef553c330f052674b60504ebd2

SHA1
c366cbbe215847fb83f80400c7708a39e1917455

SHA256
d19753aeff1b9a9c0503887c3273306539eb05f7c4c3df15690287f4a50b02ec

SHA512
02c0b22acc8cd5e3196f33d3adfc897b8327e50bb4da1ca71733f845126657c8b91d10aec7da8cfac170b8a35da225b561af892543359d15a75cb04977d72094

Download Submit
C:\Windows\projone\potcm\hecate32.dll

Filesize
313KB

MD5
7dc8792af32bce713853357a8694c3ce

SHA1
b90ca24a5e6e9c9f0b63f1f58b2efab67aee4085

SHA256
a403734c3d2d623157f198eac02ab6daca5f76f30276a71dae5ccf6178301435

SHA512
31a5170edc387ac1058382a56e1a396788c50c74827d70dccbcdb3311f27fb95bd73b2ffecd16082e00627fb375199fd136b111b13cd748e56633585b896c77d

Download Submit
C:\Windows\projone\potcm\libcurl32.dll

Filesize
419KB

MD5
42d6766509cfe037ea45efab0f06bd3a

SHA1
fcb6307f9f24762d484828e2f576b406405b3453

SHA256
b56052c5a6037badd469626ee8f57f04a5ec5056a732802b7f02ef328c3c2f1d

SHA512
2c71b004803c62dda9114e33ce97bcd15a436d467ace26384f4a23f5abff31f619a8f519086deec496e139604bcf74c4226b99213f99d4d19dce6b278d87da93

Download Submit
C:\Windows\projone\potcm\libcurl64.dll

Filesize
499KB

MD5
45766f221a6988f1fd0185ec4291dfee

SHA1
aa16fbdf5824e46767fe03b7646704cbb4274b55

SHA256
e777ded2132f91d6e42e40d37a50a7065cebbd2f84efa1557ad93322a0195392

SHA512
3d84bb62018e7d73f31efe5107eb7b37b3a0c851fe5db8695081b95c3bc9609307596439ec7307199b27c9c5510df69653a5dbd58fa86f7f7b5ced21e54bbdb0

Download Submit
C:\Windows\projone\potcm\libeay32.dll

Filesize
1.3MB

MD5
34f31522fadb94d074024065f60a2619

SHA1
5c299590038a8add456e610295e560b940e7c706

SHA256
496134cf94370bf1df575829439888dcefed18c4c1a4c0274572eff27c5278b6

SHA512
301e9bae37e96893a83125409b930965b157995e2e373ed4e2e2c7bf093ea56c19eb78f03654c1f24257450610e3bc5043d1c14622cea988dae74820bd234cd2

Download Submit
C:\Windows\projone\potcm\libeay64.dll

Filesize
2.1MB

MD5
f4a3e88e57657ae7347264521b188ba6

SHA1
42d63613163ea16424a6a8b056b06419585032d3

SHA256
9aaf8dc2b9f6d89ff9e8b180cfada6ce02e7d577c369257d3b6498a144f974ad

SHA512
03f6fd5cea8a3636a4a324fbea931de5f926c5ca3a5ab90d9ca936bb8a4a4ae97b8fb595c1fccf3d113f7c0485e6bf29699360eb30ef64c95294cdb050cceba4

Download Submit
C:\Windows\projone\potcm\log\pobus64\20240428105101_pobus64-0.log

Filesize
21KB

MD5
c3604f6e3c50087becfc519203e24a9d

SHA1
fca8b2b234caf6eb242bd69093c4722a504c4156

SHA256
6d9761230aed45065a3c41c275140cbf905388d60b0dba671854a68d354e7f3b

SHA512
784820a93f04699c44da80d8131904fc1da64f7bd4b096fffd2c4328831d89b1f4d9908c014db33c39011f73e8a99d72137b978093a8ee4cf99d0db80a98d04e

Download Submit
C:\Windows\projone\potcm\pobus64.exe

Filesize
1.0MB

MD5
2e966ac5b359d8f1f7156b369b1c30c1

SHA1
56154a24bd3a47e1de3ad6efcddaca0cd72262f1

SHA256
ccb81015a5b76f46b57ba43900f7dc5cd58dbdda88d66c4d55a65d1d84613d30

SHA512
1989a0ad8aa4bef8c58c6b30506c37e664927cfdbae893c5ffab221ba7876e8e95517c897c61160ac20925b0c4352708293f108179366264e71a6ef89ae17395

Download Submit
C:\Windows\projone\potcm\poda32.exe

Filesize
374KB

MD5
9ceff7a1cb8df994e224d14819689253

SHA1
b667b0c04ebbce3d5fdb109e75f95335fc96e373

SHA256
4c18ab54e1322ce5032219b326d18bc46af4b4ec1bb34c93fbcf2b1dcc0b9206

SHA512
e4d18bac9c17832918211a442bc50710fa9804a2d15e40b3536c3fc8b94dec47dcf7f4da31683d8fbf3ba77be661a9423b705ce3bda5de70cdecd15c1186ab67

Download Submit
C:\Windows\projone\potcm\shlext64.dll

Filesize
735KB

MD5
ac59cf438ab7be02489e915ef1023028

SHA1
18ad6c56ee779932fb4df0840a9676679b16c9ef

SHA256
23391cc2ce3a2af2ae52c89815de459e1834c5c53ec588380cb4692ac11f97ca

SHA512
97c240f540b3535da78449ba48352f47fcc0351531322b796b320fd6523b424a9ce65d6d303bc53ddd81df3d586eb6d54723f984296111a61469400500eaf48c

Download Submit
C:\Windows\projone\potcm\sqlcipher64.dll

Filesize
681KB

MD5
20c42c467fda982977e0e94299215c67

SHA1
0268661c4e8f05e014a34d2b1eaa932449dd5bcf

SHA256
45538da9e3c060ff4fc42b0ccb8db01389822bc9c63a4b170bf13ba67bd9ca1a

SHA512
5b7539e6c9dd68bc6078704feb5c3a5c9a5df8b37ae139a6f8d52ad65dc6637c02608a0069a82fec0bd54f860caf2c0b77d4e615c33b6fe181c8507d2570f0c0

Download Submit
C:\Windows\projone\potcm\ssleay32.dll

Filesize
344KB

MD5
355152cca9e9493de9fde0fde7c5d21f

SHA1
a1687ce7793a38e82db3eeeafacb439c44aa78a5

SHA256
a076c5707b4ae82d3a62f7300023a2a933dbf3cc3f83b4bb8edc6867105be013

SHA512
89db321f17fef11a7c3eac39de1bd58e550114cdb77e48e4016f059537e81acc0de7f378b923597d2f534f597e708b9db82de05b35d074d42eb86cbc08da2076

Download Submit
memory/436-203-0x000000006E9D0000-0x000000006E9E0000-memory.dmp

Filesize
64KB

Download
memory/436-200-0x000000006E180000-0x000000006E190000-memory.dmp

Filesize
64KB

Download
memory/436-160-0x0000000001430000-0x0000000001488000-memory.dmp

Filesize
352KB

Download
memory/1040-225-0x0000000001AB0000-0x0000000001B1D000-memory.dmp

Filesize
436KB

Download
memory/1520-253-0x00000000010E0000-0x000000000114D000-memory.dmp

Filesize
436KB

Download
memory/1732-213-0x00000000010D0000-0x0000000001217000-memory.dmp

Filesize
1.3MB

Download
memory/1904-300-0x0000000001410000-0x000000000147D000-memory.dmp

Filesize
436KB

Download
memory/2096-145-0x0000000001F40000-0x0000000002167000-memory.dmp

Filesize
2.2MB

Download
memory/2096-201-0x00007FFF165E0000-0x00007FFF165F0000-memory.dmp

Filesize
64KB

Download
memory/2152-205-0x00000000015F0000-0x000000000165D000-memory.dmp

Filesize
436KB

Download
memory/2152-206-0x00007FFF170B0000-0x00007FFF170C0000-memory.dmp

Filesize
64KB

Download
memory/2660-272-0x0000000000E20000-0x0000000000E8D000-memory.dmp

Filesize
436KB

Download
memory/3436-284-0x0000000001990000-0x00000000019FD000-memory.dmp

Filesize
436KB

Download
memory/3936-312-0x00000000014B0000-0x000000000151D000-memory.dmp

Filesize
436KB

Download
memory/4048-237-0x0000000001170000-0x00000000011DD000-memory.dmp

Filesize
436KB

Download