remcos | f5277278370d2ba066b6c402183d0c4204a6367a6f92ef261e18b1c40484b92c

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2024, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Size

1.7MB
MD5

e11163415bb29e335c39e3e0cdd31236
SHA1

20a78eb7af384a9a8c3ed5e75719be5f15b13bb0
SHA256

50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5
SHA512

bbb6ad1793ff1e9978d7cfb961e37df849fd717888b3fdeb3ddea11122f53aa7a15440d3ba32b3f1fe437c99917dbd7fd9a8fcde78fbec846e1cd2e4127ff46c
SSDEEP

49152:TBElfECiDlVyH97018dX6GUuKgDm47Sf0i18UjnFqT2OlapPme6dxBsPAp6yBjmi:cvtYxjAsw

Score

10^/10

remcos hopa discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

hopa

178.20.44.131:2405

my.bingoroll20.net:2405

my.bingoroll19.net:2405

my.bingoroll18.net:2405

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
winmap.exe
copy_folder
winmap
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
pidron-PXIKI2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
winmap
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap = "\"C:\\Users\\Admin\\AppData\\Roaming\\winmap\\winmap.exe\""	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winmap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winmap = "\"C:\\Users\\Admin\\AppData\\Roaming\\winmap\\winmap.exe\""	winmap.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3168	powershell.exe
4340	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winmap.exe

Deletes itself 1 IoCs

pid	Process
1968	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4404	winmap.exe
3748	winmap.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winmap = "\"C:\\Users\\Admin\\AppData\\Roaming\\winmap\\winmap.exe\""	winmap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winmap = "\"C:\\Users\\Admin\\AppData\\Roaming\\winmap\\winmap.exe\""	winmap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winmap = "\"C:\\Users\\Admin\\AppData\\Roaming\\winmap\\winmap.exe\""	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winmap = "\"C:\\Users\\Admin\\AppData\\Roaming\\winmap\\winmap.exe\""	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2864 set thread context of 5116	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	98
PID 4404 set thread context of 3748	4404	winmap.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	winmap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	winmap.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	winmap.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
3168	powershell.exe
3168	powershell.exe
4404	winmap.exe
4404	winmap.exe
4340	powershell.exe
4340	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	4404	winmap.exe
Token: SeDebugPrivilege	4340	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 3168	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	97
PID 2864 wrote to memory of 3168	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	97
PID 2864 wrote to memory of 3168	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	97
PID 2864 wrote to memory of 5116	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	98
PID 2864 wrote to memory of 5116	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	98
PID 2864 wrote to memory of 5116	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	98
PID 2864 wrote to memory of 5116	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	98
PID 2864 wrote to memory of 5116	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	98
PID 2864 wrote to memory of 5116	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	98
PID 2864 wrote to memory of 5116	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	98
PID 2864 wrote to memory of 5116	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	98
PID 2864 wrote to memory of 5116	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	98
PID 2864 wrote to memory of 5116	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	98
PID 2864 wrote to memory of 5116	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	98
PID 2864 wrote to memory of 5116	2864	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	98
PID 5116 wrote to memory of 1968	5116	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	100
PID 5116 wrote to memory of 1968	5116	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	100
PID 5116 wrote to memory of 1968	5116	50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe	100
PID 1968 wrote to memory of 992	1968	WScript.exe	101
PID 1968 wrote to memory of 992	1968	WScript.exe	101
PID 1968 wrote to memory of 992	1968	WScript.exe	101
PID 992 wrote to memory of 4404	992	cmd.exe	103
PID 992 wrote to memory of 4404	992	cmd.exe	103
PID 992 wrote to memory of 4404	992	cmd.exe	103
PID 4404 wrote to memory of 4340	4404	winmap.exe	105
PID 4404 wrote to memory of 4340	4404	winmap.exe	105
PID 4404 wrote to memory of 4340	4404	winmap.exe	105
PID 4404 wrote to memory of 3748	4404	winmap.exe	106
PID 4404 wrote to memory of 3748	4404	winmap.exe	106
PID 4404 wrote to memory of 3748	4404	winmap.exe	106
PID 4404 wrote to memory of 3748	4404	winmap.exe	106
PID 4404 wrote to memory of 3748	4404	winmap.exe	106
PID 4404 wrote to memory of 3748	4404	winmap.exe	106
PID 4404 wrote to memory of 3748	4404	winmap.exe	106
PID 4404 wrote to memory of 3748	4404	winmap.exe	106
PID 4404 wrote to memory of 3748	4404	winmap.exe	106
PID 4404 wrote to memory of 3748	4404	winmap.exe	106
PID 4404 wrote to memory of 3748	4404	winmap.exe	106
PID 4404 wrote to memory of 3748	4404	winmap.exe	106
PID 3748 wrote to memory of 536	3748	winmap.exe	108
PID 3748 wrote to memory of 536	3748	winmap.exe	108
PID 3748 wrote to memory of 536	3748	winmap.exe	108

C:\Users\Admin\AppData\Local\Temp\50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
"C:\Users\Admin\AppData\Local\Temp\50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
- C:\Users\Admin\AppData\Local\Temp\50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe
  "C:\Users\Admin\AppData\Local\Temp\50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5.exe"
  2⤵
  - Adds policy Run key to start application
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\winmap\winmap.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Users\Admin\AppData\Roaming\winmap\winmap.exe
        
        C:\Users\Admin\AppData\Roaming\winmap\winmap.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\winmap\winmap.exe"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
      - C:\Users\Admin\AppData\Roaming\winmap\winmap.exe
        
        "C:\Users\Admin\AppData\Roaming\winmap\winmap.exe"
        6⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        
        PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B

Filesize
2KB

MD5
c6802d08e714dfd3311082e3deb308bc

SHA1
ae8a6ce71ad984f04e80c8f37c7ef46948a561a1

SHA256
a8598ff0010012ee07186d1da8eff9be506541e5d7f0f484e346dc8cafeb19c5

SHA512
efe5aff5d6ed3c90e0a542cf61d7210acf0e04c1198a3fa51daabb16079a5824eb3bffd374b2dd83a1b8fbfd63a2f716f26111dcbb091d8abda22c86b616cb79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_047DE46FB5B79F63345693B180860281

Filesize
509B

MD5
a97994f34117a5f31609af7bc559343b

SHA1
38021b33f4323af5b50929090b9f3298594f710d

SHA256
c7598edcf72c7793029ab7b81d7c9cfcdf0cd81740c7cbd7e37ea7c94b03a8b7

SHA512
066d5415a6dff873516c288fe56e1e234b82c97481ee68b6f36f947f546da10815bb3c2dbe8e6cdb9bd31bc8d698050736a4843290b2e634e820ab456ba5720c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
1KB

MD5
c539e5c9b9a9c1513643d14ac6e9f48f

SHA1
fcd2bd19c2555cc71f78909da3ceeb1adee6390d

SHA256
def5a01e5607ff3e32eb0728d0f3b4a4d0883be65db11f42f5f35211e79cb044

SHA512
72938a2cc59b9fbd1f35e6d24a56262dcc0252bdaae2346211086b337537f7f329e97c22f45d5d3ee1e251f292e8f4b96b9531b0202a95489c2f880e536b2eb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B

Filesize
490B

MD5
cda7af4ed3b4025b3f0c65a8e2bd0148

SHA1
8c1786a1383771999e0b82b618ccae89afe28acf

SHA256
e4574a6d82f522f36154ff02e0ef0f1c1293f0d53fb4435365c1a08842c8ad77

SHA512
2cd39bf7f5e66be8ca2bd12b7d22f9242cce4aca58c56cc58c5286b5706434191e062de4852b42d1c5cc063ee354000fc1a8864217984bf4f18e19779d00510f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_047DE46FB5B79F63345693B180860281

Filesize
494B

MD5
6a302a2b1176c49c7b9cae934d9a24b1

SHA1
a2826ab16bccabef979a0a5278637504e69191e1

SHA256
82e2fe271cecd60f94ba18155a4cad99d3e5833ce8877684341fc702a3baf87f

SHA512
9dbb17fa54ec962a6d4abd64d63efe4b53b6c216805b821e13f1fc2f4eede3ebc0a0652f5c5212a90966a24512c0e02d987151bc13de93f98c678b460309afcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
486B

MD5
c3249130a682c5c06ebc67ef0bd14348

SHA1
de12229df5ed6388fdfcef357bbfe8194d510c57

SHA256
428305ab416aef99fee9893c614e48a370c371f3f43c380de5635910193471ef

SHA512
22b5fdea976a49e293d3e7bbd9272dbb12aa13d5b7ffaa49872c1f503b2cc95b73bfc40afbc25c0f7ef3af24848ad2dfe9396fe36c6375143a7c243f814ed374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
71f57e2b4d488629c10d6593ace0a5c0

SHA1
790509ca50479f79871cf5f85275fcccd42fbc20

SHA256
dcbb5cc5beb1e4bfad1e0aa07abde34d0590768b992afb72492645dbe7393a3c

SHA512
e1bf39773dbd5ad7acda539b0a280fc022e8a71567e1073d0a7fa992042ab1e454d56502e9580918fe03df801ebee4652143bdda363805b29756a7e5b4856f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rpmsyrom.dji.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
658B

MD5
2bdb26fcbf4d705dada16ba81a54d59a

SHA1
ef654d84c1040998aff911685167411b37910599

SHA256
57f78664265e9010fe3a39c97dc5844c3bc57a1b0bb550d9a81f04db82243bc4

SHA512
50e9566184913b6d138b1c936cb2527b29b15213e5e248b03c4e36da3e5b21b2b703cb3e1efa46be80afdc1382173b64a7976598d26e728e1cb498e34d863737

Download Submit
C:\Users\Admin\AppData\Roaming\winmap\winmap.exe

Filesize
1.7MB

MD5
e11163415bb29e335c39e3e0cdd31236

SHA1
20a78eb7af384a9a8c3ed5e75719be5f15b13bb0

SHA256
50509dce2f200a500fad2972b0a230aee615d266e5c2580a2fd827def2bc06a5

SHA512
bbb6ad1793ff1e9978d7cfb961e37df849fd717888b3fdeb3ddea11122f53aa7a15440d3ba32b3f1fe437c99917dbd7fd9a8fcde78fbec846e1cd2e4127ff46c

Download Submit
memory/2864-21-0x0000000007570000-0x000000000760E000-memory.dmp

Filesize
632KB

Download
memory/2864-20-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/2864-19-0x0000000074EFE000-0x0000000074EFF000-memory.dmp

Filesize
4KB

Download
memory/2864-18-0x0000000006360000-0x0000000006372000-memory.dmp

Filesize
72KB

Download
memory/2864-30-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/2864-17-0x0000000006400000-0x000000000649C000-memory.dmp

Filesize
624KB

Download
memory/2864-5-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/2864-4-0x00000000051A0000-0x00000000051AA000-memory.dmp

Filesize
40KB

Download
memory/2864-3-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/2864-0-0x0000000074EFE000-0x0000000074EFF000-memory.dmp

Filesize
4KB

Download
memory/2864-2-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/2864-1-0x0000000000520000-0x00000000006DE000-memory.dmp

Filesize
1.7MB

Download
memory/3168-72-0x0000000007650000-0x000000000766A000-memory.dmp

Filesize
104KB

Download
memory/3168-84-0x0000000007990000-0x00000000079AA000-memory.dmp

Filesize
104KB

Download
memory/3168-42-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/3168-40-0x0000000005A20000-0x0000000005A42000-memory.dmp

Filesize
136KB

Download
memory/3168-52-0x0000000006120000-0x0000000006474000-memory.dmp

Filesize
3.3MB

Download
memory/3168-53-0x0000000005EA0000-0x0000000005EBE000-memory.dmp

Filesize
120KB

Download
memory/3168-54-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

Filesize
304KB

Download
memory/3168-55-0x00000000068E0000-0x0000000006912000-memory.dmp

Filesize
200KB

Download
memory/3168-56-0x0000000070B70000-0x0000000070BBC000-memory.dmp

Filesize
304KB

Download
memory/3168-66-0x00000000072F0000-0x000000000730E000-memory.dmp

Filesize
120KB

Download
memory/3168-67-0x0000000007320000-0x00000000073C3000-memory.dmp

Filesize
652KB

Download
memory/3168-88-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3168-71-0x0000000007C90000-0x000000000830A000-memory.dmp

Filesize
6.5MB

Download
memory/3168-37-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3168-73-0x00000000076C0000-0x00000000076CA000-memory.dmp

Filesize
40KB

Download
memory/3168-74-0x00000000078D0000-0x0000000007966000-memory.dmp

Filesize
600KB

Download
memory/3168-75-0x0000000007850000-0x0000000007861000-memory.dmp

Filesize
68KB

Download
memory/3168-38-0x00000000053C0000-0x00000000059E8000-memory.dmp

Filesize
6.2MB

Download
memory/3168-35-0x0000000004CF0000-0x0000000004D26000-memory.dmp

Filesize
216KB

Download
memory/3168-34-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3168-33-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/3168-85-0x0000000007970000-0x0000000007978000-memory.dmp

Filesize
32KB

Download
memory/3168-41-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/3168-82-0x0000000007880000-0x000000000788E000-memory.dmp

Filesize
56KB

Download
memory/3168-83-0x0000000007890000-0x00000000078A4000-memory.dmp

Filesize
80KB

Download
memory/3748-128-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3748-129-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3748-134-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3748-92-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3748-91-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3748-97-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3748-96-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3748-133-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3748-132-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3748-130-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3748-127-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3748-126-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3748-125-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3748-131-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4340-121-0x0000000006ED0000-0x0000000006F73000-memory.dmp

Filesize
652KB

Download
memory/4340-111-0x00000000714A0000-0x00000000714EC000-memory.dmp

Filesize
304KB

Download
memory/4340-110-0x0000000005C60000-0x0000000005CAC000-memory.dmp

Filesize
304KB

Download
memory/4340-123-0x00000000071A0000-0x00000000071B4000-memory.dmp

Filesize
80KB

Download
memory/4340-122-0x0000000007160000-0x0000000007171000-memory.dmp

Filesize
68KB

Download
memory/4340-108-0x00000000056B0000-0x0000000005A04000-memory.dmp

Filesize
3.3MB

Download
memory/5116-25-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5116-24-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5116-22-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5116-23-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5116-36-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download