5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e

Analysis

max time kernel
32s
max time network
29s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Size

1.0MB
MD5

a63d517c0e122e367e484cf75edbf34f
SHA1

f8538f5d687c5e36f05da55ea56c2ab8fb355b63
SHA256

5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e
SHA512

c7a40453d2053be2b043e0e3359e13f3cbfd6bb357e72d853af040add9f1aaf33f6e7158b82fe8bd926cc94f1736a2be67ba48adae79b12ddc5972f9d634df69
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

description pid process target process

PID 1368 created 576 1368 c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd svchost.exe

description	pid	process	target process
PID 1368 created 576	1368	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exec2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\0tYvTjpSOIofBbOhxCj7U1M.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\13gNFrPxfTpvCNrA2aAGv6EeJTNkxsbXyvhX05RJCRkSq2TDdEE407GU.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Color\\Profiles\\71MRa1oifYdJeanydZE6lFMyYe7UlrFqKdzEpIIYoB5vqcG4JiAiRDVbUBmldl6QBWXDex.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\egJB1TR8hhsBFAvIdIDV1hzvATYwuRHJXsxIimHK5w4YMOzl3WEjfozz1t9fGbm.exe\" O"	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

Executes dropped EXE 2 IoCs

Processes:

c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmdc2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

pid process

1368 c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
1924 c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

pid	process
1368	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
1924	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmdc2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

Loads dropped DLL 3 IoCs

Processes:

gpscript.exec2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

pid process

720 gpscript.exe
720 gpscript.exe
1368 c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
720	gpscript.exe
720	gpscript.exe
1368	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

Modifies data under HKEY_USERS 59 IoCs

Processes:

c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\GatherLogs\\SystemIndex\\4h2RJAQLKMmlpoMLwZcn045o1zuFQuuKpVKnyaI8loSfUrZvlpmCodpDM0jIe.exe\" O"	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\NKMF7VTL\\RBjN17wuMNd.exe\" O 2>NUL"	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000020ed1365df00d901	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\G4vGCEWhIwr0.exe\" O 2>NUL"	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\GatherLogs\\BH7gj9nS.exe\" O 2>NUL"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-19	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\X9G2ZKKX.exe\" O"	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\H7Ts5ZPjiLqvm7qiLZNO5YjVEg.exe\" O 2>NUL"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-20	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\ICjCJbcY0OM9Htc.exe\" O 2>NUL"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\\dWXiT6Wsjkxde2pPcO5lbNLIfYHHjd1eXuH2.exe\" O 2>NUL"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\olSIKfb3pr8ysl5QOQbrFB.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\K5H9SJBNpVzTO4Lb5Jui4JaWbRCLNn5CvnkNwwiYKdYRxkCFLOYhr9Gmv1xJ.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\4XsoscsG6H.exe\" O 2>NUL"	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\32\\riBv40fKEdR7CpEwmN5aLlsytep.exe\" O"	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\UP632JV3ajzZmLb5pQcSlhg6n4yfkDZJgw2654hmbAhm9Vr.exe\" O"	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a0542e63df00d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\5\\UHWspUzuylnAnBEvmdoFVJn.exe\" O 2>NUL"	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC\\9Coby4Rs3php7hg2uUK.exe\" O"	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\4gq1sglk.default-release\\minidumps\\MQncsZDH.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Key created	\REGISTRY\USER\.DEFAULT	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\GNipKhALjQ6p4Y8vebd7B9DuKsdfcbOcSGDtQhiZmy0CRSIMSwL3tWwp.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Code Cache\\wasm\\U4Wcd0ORBHdJvHcgZ2VcXUQCY8FFe1s2fAOhZrKUBsUMRfC2nO1i7eC5gKY2evdoyNfXC.exe\" O 2>NUL"	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

Modifies registry class 12 IoCs

Processes:

5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\SOFTWARE\Microsoft\Command Processor	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\PxK9bH7GFpHSigEu81ROST7OUDUgSvvn740dGiXdzCNCkPpsByQmU1Wj9ltxjd0.exe\" O 2>NUL"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\ThirdPartyModuleList64\\RktTo3r0g4M8Gy8X62Src6g3S2iHQULCrrIdHBmIVDBBYeabu.exe\" O"	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

pid process

1924 c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
1924 c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

pid	process
1924	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
1924	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exeAUDIODG.EXEc2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmdc2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

description	pid	process
Token: SeBackupPrivilege	1104	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Token: SeRestorePrivilege	1104	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Token: SeShutdownPrivilege	1104	5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
Token: 33	268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	268	AUDIODG.EXE
Token: 33	268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	268	AUDIODG.EXE
Token: SeDebugPrivilege	1368	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Token: SeRestorePrivilege	1368	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Token: SeDebugPrivilege	1924	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Token: SeRestorePrivilege	1924	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exec2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

description	pid	process	target process
PID 720 wrote to memory of 1368	720	gpscript.exe	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
PID 720 wrote to memory of 1368	720	gpscript.exe	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
PID 720 wrote to memory of 1368	720	gpscript.exe	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
PID 1368 wrote to memory of 1924	1368	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
PID 1368 wrote to memory of 1924	1368	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
PID 1368 wrote to memory of 1924	1368	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd	c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd

C:\Users\Admin\AppData\Local\Temp\5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe
"C:\Users\Admin\AppData\Local\Temp\5460d559b800cf81b6e2406d2e30b27c11471d69e234ed1d64d5d0926fb9228e.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:576

C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
"C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:648

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1612

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:720

C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
"C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\olSIKfb3pr8ysl5QOQbrFB.exe
Filesize
1.9MB

MD5
dc62f08fbb53ac659f7829658516cfb1

SHA1
fd56f60e754f6440b61f0e7bed5adfba796b3d4f

SHA256
0cdf88d2d4e89de69aab5b1226e19d9ef4ab587c3fd4de367499e39f31b694a9

SHA512
f2aaa887747e4c78192733793a83227cd381248d03a828209f041f0037a259da626f056d5746383dcddc2302c4f2bdebe7ec63f00bfc675502b28751c0a27a5c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\BH7gj9nS.exe
Filesize
1.7MB

MD5
5202986cf1b96d25487d2456bc31b19f

SHA1
826643729e43a0371dfd9c2c3a77fd960efefca8

SHA256
8d53e084c04fe42f30037c1134863e00b87cf5b495efe851702007582aa9341f

SHA512
92ead267d39aecf01aa1039257938c3d55376815c1cea0bd71c9dbe525473b95aef7e867cbf6077f2b12b672f188ae236cd4957e889f2730d595c91d3fb99ebb

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\Inbox\H7Ts5ZPjiLqvm7qiLZNO5YjVEg.exe
Filesize
1.6MB

MD5
f17cd9fa123a71fed67e424e8a2056b1

SHA1
f68b26b446aa2560c16cbb6a0007493e22f3393b

SHA256
ba7cf74c50d7a96b416ba6ec7d8d1359362420e1c822fa2f32e6a284bd60da4c

SHA512
07533994138bdccc30423bee906c19d105246a0c4540fa6a4d21a02e17d552f2a5890036f1d8d607ecd5bda3a5b16b5a6fa898e2179b9c70cc5cadeab0969626

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\65PKtPN6kMUMEAjl955xvthxJG.cmd
Filesize
2.0MB

MD5
f2170af24deb6e6f5c316e88b66e5fe0

SHA1
5145ad0c13ba09151a394e20fdabd10b5bb76a09

SHA256
b5fa8175e9bf6c17060b1338a1f1bbbded357b7936dca0cc383ba563d1cab704

SHA512
15991abe1c2643a9e145c4bb1104b4c50427ef7aae93186a9b2557d47731af5d00e998f1d7179136767b5b58b04d767576651ea404c607121a479f74aa28ad11

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\13gNFrPxfTpvCNrA2aAGv6EeJTNkxsbXyvhX05RJCRkSq2TDdEE407GU.exe
Filesize
1.4MB

MD5
8877909bca4ed410d8c4e3ce656576ce

SHA1
6c4ea7f9af4cb800677be00d3a401d2ed8a2e5c1

SHA256
b442c9d4e4c1c90885d268b110778dba8156641aacbeff91039ca6cf61c76889

SHA512
ae51405ab22a5bc893f31afa14176e04f6da48c9fd1c11960026982a16981f4eefb4789943f28e70399acb47b0e670b707190dc1111fac49f0efe84864135fa7

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Filesize
1.4MB

MD5
df5cb894be79861f9b17e0a3341a7d33

SHA1
6f743fe439a89f57fa531042c557197d7e163d0d

SHA256
b14b0e3a422e489800f0301a096c90c03fe583be86fddd61bea49c893f769a12

SHA512
fdde3df0796a75f7e338a1d32287da4a62db0d70fe826ef4a429d37c81de5e193381dec93d8f34e34f79769c5443fbdeb962f9a4fcaae41d05e7a1b8e83ef6eb

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Filesize
1.4MB

MD5
df5cb894be79861f9b17e0a3341a7d33

SHA1
6f743fe439a89f57fa531042c557197d7e163d0d

SHA256
b14b0e3a422e489800f0301a096c90c03fe583be86fddd61bea49c893f769a12

SHA512
fdde3df0796a75f7e338a1d32287da4a62db0d70fe826ef4a429d37c81de5e193381dec93d8f34e34f79769c5443fbdeb962f9a4fcaae41d05e7a1b8e83ef6eb

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Filesize
1.4MB

MD5
df5cb894be79861f9b17e0a3341a7d33

SHA1
6f743fe439a89f57fa531042c557197d7e163d0d

SHA256
b14b0e3a422e489800f0301a096c90c03fe583be86fddd61bea49c893f769a12

SHA512
fdde3df0796a75f7e338a1d32287da4a62db0d70fe826ef4a429d37c81de5e193381dec93d8f34e34f79769c5443fbdeb962f9a4fcaae41d05e7a1b8e83ef6eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\AG62ZXTLyrIOfv9l.exe
Filesize
1.1MB

MD5
b3657f04413d48fa190a27f41475d9ee

SHA1
c1a762c9b8037f930c5175030b803047e5b89972

SHA256
e196fe189801845814b954897e2c615ff84bf700ac697dd0c96296f87b1510b7

SHA512
882c18e894164c51f54308f466916d73e52abfc64190ec1ca66a15ebc4dc0a4c7479de1a0c5534cede5c1b52fb6dc137d2e7d9c6618be082be546485c192290d

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\IG50ZU3zCi1UYZrTwpvlbT7mZtIGTfYy1HfccMtFLp3HP51Dg4webSO.cmd
Filesize
1.4MB

MD5
dc69e03ea3288e47d06d6a82fc15d26a

SHA1
35a28b7b0385a3fc22fc48f55dda4448e91c0920

SHA256
c07d6290f6f9b1aa962db1900b2aa34a50c0f50aeb31ef1ba40a474fdef094dc

SHA512
80e6a65f5309974c3992794c6918b34cd4fb7b47dced9db2ef26b3d26018d4786d2415fb1955dc31213cd486ad57f5e5ca1472f045a27fba0398d021a65377e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\K5H9SJBNpVzTO4Lb5Jui4JaWbRCLNn5CvnkNwwiYKdYRxkCFLOYhr9Gmv1xJ.exe
Filesize
1.4MB

MD5
cc165a16b814506420d77df61f687748

SHA1
78e47b3144d9c5c020aa62f5e8b934704b1a8ccf

SHA256
0cb750a413391be05194b9278a86cab58a58988ea29d874baf835f21c5e7eac9

SHA512
d82ef88d5d51dff99973d581ec0c1d990a88c6ba68e03b11f14ccd73fc34ce3d0443b65b9095f2220efa0050cbc7a2695819aa4ab2fa6f9124c3038bea1d0599

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\dWXiT6Wsjkxde2pPcO5lbNLIfYHHjd1eXuH2.exe
Filesize
1.6MB

MD5
a5de2791d17721ca94a61e786f048e10

SHA1
b3430e49440e0b9dd4a9275d977641494b476adb

SHA256
aa4959cd58639275d308b80b0df0762e4ba2c8fe143bc9d0aa30ad23012098c4

SHA512
e41a0b0e91cd8e63e1120b8840a8576a5f63efde1b2b2a4a9d2c87ca0ad9075df74fb5bb1dcf37b34b4fb4db9d91801e7ed970e62818a0f21ee3c71aa496d3e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\minidumps\MQncsZDH.exe
Filesize
1.0MB

MD5
5ce0274ff9492275f7987d6d9ed29fea

SHA1
0a79be132c9ffb7000531a9b56e898f0e6dfdcd8

SHA256
4d5f27d6666a0527e4ee759bfa917c90f5d83e57288ca310fa98b56a3a0a8aeb

SHA512
5b89dea3d02ff3dca0719dc603e6d86b62ace018d4f378c6e4307cee1dd1915607a74391a857436a211d2827adaeb9e3830c10cd89ad57fc9bef2b00a8c43faa

Download Submit
\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Filesize
1.4MB

MD5
df5cb894be79861f9b17e0a3341a7d33

SHA1
6f743fe439a89f57fa531042c557197d7e163d0d

SHA256
b14b0e3a422e489800f0301a096c90c03fe583be86fddd61bea49c893f769a12

SHA512
fdde3df0796a75f7e338a1d32287da4a62db0d70fe826ef4a429d37c81de5e193381dec93d8f34e34f79769c5443fbdeb962f9a4fcaae41d05e7a1b8e83ef6eb

Download Submit
\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Filesize
1.4MB

MD5
df5cb894be79861f9b17e0a3341a7d33

SHA1
6f743fe439a89f57fa531042c557197d7e163d0d

SHA256
b14b0e3a422e489800f0301a096c90c03fe583be86fddd61bea49c893f769a12

SHA512
fdde3df0796a75f7e338a1d32287da4a62db0d70fe826ef4a429d37c81de5e193381dec93d8f34e34f79769c5443fbdeb962f9a4fcaae41d05e7a1b8e83ef6eb

Download Submit
\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\c2ltr0VZrIF7NmqqRoDuJCtxiIdAQeyiuMfbYiWtS02JwkRy0hCKReIPT1.cmd
Filesize
1.4MB

MD5
df5cb894be79861f9b17e0a3341a7d33

SHA1
6f743fe439a89f57fa531042c557197d7e163d0d

SHA256
b14b0e3a422e489800f0301a096c90c03fe583be86fddd61bea49c893f769a12

SHA512
fdde3df0796a75f7e338a1d32287da4a62db0d70fe826ef4a429d37c81de5e193381dec93d8f34e34f79769c5443fbdeb962f9a4fcaae41d05e7a1b8e83ef6eb

Download Submit
memory/648-55-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/720-69-0x0000000000FD0000-0x0000000000FFD000-memory.dmp

Filesize
180KB

Download
memory/720-68-0x0000000000FD0000-0x0000000000FFD000-memory.dmp

Filesize
180KB

Download
memory/1104-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1104-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1368-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1368-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1368-62-0x0000000000000000-mapping.dmp

Download
memory/1924-77-0x0000000000000000-mapping.dmp

Download
memory/1924-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads