b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4

Analysis

max time kernel
40s
max time network
32s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Size

318KB
MD5

c38674135a648df803c2253f03dbc454
SHA1

804fe6541d91f493498b9a464faa58d60011b434
SHA256

b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4
SHA512

e44db875a786d239454f099500645fdd1cac22f6ed3333594148843b4d84f7cc87bba5c82b6ab10dd29e9fb513f0c5bcbfe322528358ec0b76e88b53a1a0f265
SSDEEP

3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat

description pid process target process

PID 1812 created 584 1812 baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat svchost.exe

description	pid	process	target process
PID 1812 created 584	1812	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exebaS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\qxiNl67ox4tHs9hZfhlFw.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\iwkj7uK7T.exe\" O"	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\es-ES\\EKRq7jcpPE1xXts2AlOgfwZVF.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\4gq1sglk.default-release\\sessionstore-backups\\MrLj0RhUvv1HRUC.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe

Executes dropped EXE 2 IoCs

Processes:

baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.batbaS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat

pid	process
1812	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
640	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.batbaS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat

Loads dropped DLL 3 IoCs

Processes:

gpscript.exebaS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat

pid process

1268 gpscript.exe
1268 gpscript.exe
1812 baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1268	gpscript.exe
1268	gpscript.exe
1812	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat

Modifies data under HKEY_USERS 59 IoCs

Processes:

b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exebaS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.batgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\Documents\\zIpzyZ4QB4Alx44uiyjorY1ds.exe\" O 2>NUL"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b0603a81df00d901	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\14\\KisOZbNYMIgER7ZrkHTURLHx7Sgt5AMYw9if3RGfTMPN70Qr7VFGHfZHOQ.exe\" O 2>NUL"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-19	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\14\\JbQOj5ibzNejI0HHf2YFfc.exe\" O"	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Local\\iwYAJPuFlebLFgCv.exe\" O"	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000010ba737fdf00d901	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\bJW9rVng30V1zXD4qwRwjzHA.exe\" O 2>NUL"	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\RAC\\sR463BYL19p7Q9czCTkvmEKOGtEeuC8PT2cBmirwKWpVjVez8tOGJJh3kcyUK0PFWsw.exe\" O"	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\fUDS2UjljC6MgBJlmyVQquUYlJ5YOn0zEMdW4OcC3gmjU0Ym8F2zMDJj5kIwadpy.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\\packages\\vcRuntimeAdditional_amd64\\jBSrKRDVZodGF2y960RwAFurl4v0JQbDaeU0cNevBTPIQ.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\\baSchX4Ft6JWA81A9oFwegFbxnCAtQnkcObVS2grU34tRkVzS4brkNTV.exe\" O 2>NUL"	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\2\\oLIO7DMWGTq8DqCFxRR9zF6yclWx950podLJQsffFM1EKMc.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\IduKLb6sbgKey2iJFnuomS.exe\" O"	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\QZChPbaT5ZdClhmNX9pE.exe\" O"	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Adobe\\Updater6\\klhaBK4NiwjxgHZPDCr1C9ClqcagKArooN3398LBrhq73kwGFKHRK9CSpPRG7wcV.exe\" O 2>NUL"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\.DEFAULT	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\NIFdtyC78FJcyQ4E1Qbd7S33d8aRyhwBsMGGA7elmVz1F.exe\" O 2>NUL"	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\3AQmHC4tJjLv37CFwUbysokSO.exe\" O 2>NUL"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\e5pUv47JAmWnI.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-20	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\urmBrR6XJfBJUniW2CzfztHSqZHORLsrrhnRjw7gwl.exe\" O 2>NUL"	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\enUvUnydaIxbHX5xsXJFklOXHS.exe\" O 2>NUL"	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe

Modifies registry class 12 IoCs

Processes:

b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\SOFTWARE\Microsoft\Command Processor	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\yQntvHEUGyzgYnI0MgLPWx6xeM1t3YLUtg8FvFDtIYr.exe\" O"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\AHOHEqK9LSKor7gNDDDH8OSCSLvZnZ.exe\" O 2>NUL"	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat

pid	process
640	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
640	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exeAUDIODG.EXEbaS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.batbaS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat

description	pid	process
Token: SeBackupPrivilege	2016	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Token: SeRestorePrivilege	2016	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Token: SeShutdownPrivilege	2016	b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
Token: 33	656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	656	AUDIODG.EXE
Token: 33	656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	656	AUDIODG.EXE
Token: SeDebugPrivilege	1812	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Token: SeRestorePrivilege	1812	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Token: SeDebugPrivilege	640	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Token: SeRestorePrivilege	640	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exebaS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat

description	pid	process	target process
PID 1268 wrote to memory of 1812	1268	gpscript.exe	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
PID 1268 wrote to memory of 1812	1268	gpscript.exe	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
PID 1268 wrote to memory of 1812	1268	gpscript.exe	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
PID 1812 wrote to memory of 640	1812	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
PID 1812 wrote to memory of 640	1812	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
PID 1812 wrote to memory of 640	1812	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat	baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:584

C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
"C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Users\Admin\AppData\Local\Temp\b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe
"C:\Users\Admin\AppData\Local\Temp\b5970ed558461a6f17512c70fb4f2e5c28b40914389e28aa2f0bb67e87f521a4.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x574
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:848

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
"C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Updater6\klhaBK4NiwjxgHZPDCr1C9ClqcagKArooN3398LBrhq73kwGFKHRK9CSpPRG7wcV.exe
Filesize
578KB

MD5
6b4fb4407fe25075b1e39a60d9778210

SHA1
377137a1f41a447d4fe8d44213ebd39352c20425

SHA256
bfa8c72eb7f10d6b71c1ff3e92c5c533e2a52cda79821a45022e3e695b73a902

SHA512
b845970c0005104941cf2a78827f5beb704c978fee89b519bfd1bcc6897fbb8cf2cbff39440da17ca665c573e35d6094f9636e7efb8e68ad4bd594a74ecc6ce3

Download Submit
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\fUDS2UjljC6MgBJlmyVQquUYlJ5YOn0zEMdW4OcC3gmjU0Ym8F2zMDJj5kIwadpy.exe
Filesize
456KB

MD5
de58f7317d45bf797f3d8486cc9da043

SHA1
0546377ca807abd078d8e492943e5435bd21e144

SHA256
142d8d364c818affa2c15bcc241be311284a6d2e951ac410ace1e5cb1bf4fa27

SHA512
cb16919e08270fc6946d872a544f9262af882804929ed0b4f43a8bd06f3bb4778da2f3e249d0550a298c89d32a40e9ac8050a7f42bd177e2f5812ccfc1d1f9bf

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\3AQmHC4tJjLv37CFwUbysokSO.exe
Filesize
526KB

MD5
56c1f098de62445acad750a6cf928049

SHA1
a1c1cf07499c8fac474617fe32833400a9dce3d7

SHA256
e280b16ccb5e4ee3b8e5f6b76942e72f7d1ca60c42d2a2113ff93474e44cee4b

SHA512
42fe024e228436964f99356e3611dc1f2c61d60ec4c273cc60baeedf976cb51b5a0dc3d1a2eb816095f86df0834a0446d508c38214cbfc3c32978e36c15f24da

Download Submit
C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\K1S5ZeZ1X1ZmAXfzda3S2w3OxSV6LQWQh.exe
Filesize
631KB

MD5
413951ee1cd167461aaca226d7e1df10

SHA1
d5d0ff36185c6e8bb79cd995b33408bdea4703f8

SHA256
5dfde8c263314a25b1a9f9a3355bb15f15d17c39f86a5bc7a910603cd2f8327d

SHA512
d734d4feb28adcd0cf04ca3c02c38562194067787a3afa73c759ae0f0852c00ea48a95427ccbfd8538df765deeddba1db9107d5230e553efaebff57635d43f8b

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\8BvDTPJSxxweRUimoWTEW4EHVlmfYpiGTo9xPxouZ938r6oUskuHRQSayQew7QWpNmstly.exe
Filesize
946KB

MD5
d80c5771048d2835c289821ec11f334b

SHA1
90377b322f98c8494ffaec2409607eb98430b05b

SHA256
7f870fdb4f9a0e9bf0155f8a9ce7f839d7275ca0b374003c60f2338aa1201ba9

SHA512
54dcf3ec09e9bae330967eeb8f7afe742e5f32e97bf6e7789ff456d01cf31cc4fd19c8473f9e7e99a6e4c98f0e7a7e744ab9e2aaec81cf8f4fe51c3d442bffbb

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\jBSrKRDVZodGF2y960RwAFurl4v0JQbDaeU0cNevBTPIQ.exe
Filesize
556KB

MD5
e89e40a560e6243ee99c01fe64198a5f

SHA1
1a6f2dd30f006b6f69d018417bf10bded3873a87

SHA256
ca424da0bc6c83d0cdd81569819c5a7b3806ce923ad7787003bc21c31d338613

SHA512
aaefc073b2765da3f46d58bb97970546d00908548af509f94f6a7a5cbbaea2cecaf39786b67ed6beb28c0e997625c221085f21ac6d0c3d2444d59d938ef780bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\KisOZbNYMIgER7ZrkHTURLHx7Sgt5AMYw9if3RGfTMPN70Qr7VFGHfZHOQ.exe
Filesize
364KB

MD5
2ff0ad7f10b3e753201d38909d074c28

SHA1
2b9a2babc72d3cacfc92279e4ac4ae34a67caa0a

SHA256
7280baa61b91d703b0028ecb28c2cfc264da3b0094146e211560790f4cdc1307

SHA512
a664b76e200420c86dda2cbd1e6554536b9aa96f0eb99d12a463f3c90b52cd1632c9f09794837312f40da17f28994ff4bc182ff558fe08ec2d0f9cf7a2fce22e

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\oLIO7DMWGTq8DqCFxRR9zF6yclWx950podLJQsffFM1EKMc.exe
Filesize
442KB

MD5
970c0a653e70bfcfdf8ec195f568ab49

SHA1
9ff7b19b15dde9921cae139277018801b81637c4

SHA256
b5563a466e616f69f085396ee788b2fb0bd15671417649683f28119cbb522817

SHA512
fa297d3ab9dbd5ceb8f659c5f33872710ea75773a3148ce0437d17c2a2866bf9aea766d8013bf4e7a759fdebe349e988fd2c8a18fbb21e5a05cbd926e0ecafe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Filesize
536KB

MD5
c87692adbbada6b5de880c9975492656

SHA1
7970a7ba81626932daf04528504388a2b5e719be

SHA256
a2a64aa6322aa042944cde9ee93da83d26f5db60cd1fc07dbe6fa82297c8735a

SHA512
3d43b0ab357daf7bfd80ab070adf1cb40cb7cad3d53d824bc4b1fb585b8d0abc75296fa56430882df763eb4db18f2bddee952bb57e40dc4e34cac070f4406d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Filesize
536KB

MD5
c87692adbbada6b5de880c9975492656

SHA1
7970a7ba81626932daf04528504388a2b5e719be

SHA256
a2a64aa6322aa042944cde9ee93da83d26f5db60cd1fc07dbe6fa82297c8735a

SHA512
3d43b0ab357daf7bfd80ab070adf1cb40cb7cad3d53d824bc4b1fb585b8d0abc75296fa56430882df763eb4db18f2bddee952bb57e40dc4e34cac070f4406d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Filesize
536KB

MD5
c87692adbbada6b5de880c9975492656

SHA1
7970a7ba81626932daf04528504388a2b5e719be

SHA256
a2a64aa6322aa042944cde9ee93da83d26f5db60cd1fc07dbe6fa82297c8735a

SHA512
3d43b0ab357daf7bfd80ab070adf1cb40cb7cad3d53d824bc4b1fb585b8d0abc75296fa56430882df763eb4db18f2bddee952bb57e40dc4e34cac070f4406d91

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4gq1sglk.default-release\cache2\entries\eSSlAYr3xRwtl.cmd
Filesize
821KB

MD5
1a8d8eb0909e3cc1b9f5aaf2f378ee1a

SHA1
631f9d768342bf8399324d8d500b98147da03837

SHA256
e8c83b1ae20b97d9fe89eea4327b4acf665eb5ddfaffd19ef7eb71d485f85b9d

SHA512
04550f8c97dccdd804a324d4b65863e5ee8e79819ace4ea143dbe309ecfef0f2a776318ff78f3191c2244d1b5729193280cef13be0448fd8e816869c3b48e557

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\sessionstore-backups\MrLj0RhUvv1HRUC.exe
Filesize
473KB

MD5
2a11cce2454445f4396475282f4ff6cf

SHA1
7563fe2efdb0e27107530f9099b603d3c583ddb8

SHA256
72b86b7708f469d942d5dcf6cc0fa53bc00106a30e6d8513d722ec1efd750df9

SHA512
3b33cb071dad2a27847607a829217d04f2af7a706e0e3e50fcb217bc1ac295c5910426021c6da127b921b493a40ea8923e502be553075b3fd6c71834f426dda5

Download Submit
\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Filesize
536KB

MD5
c87692adbbada6b5de880c9975492656

SHA1
7970a7ba81626932daf04528504388a2b5e719be

SHA256
a2a64aa6322aa042944cde9ee93da83d26f5db60cd1fc07dbe6fa82297c8735a

SHA512
3d43b0ab357daf7bfd80ab070adf1cb40cb7cad3d53d824bc4b1fb585b8d0abc75296fa56430882df763eb4db18f2bddee952bb57e40dc4e34cac070f4406d91

Download Submit
\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Filesize
536KB

MD5
c87692adbbada6b5de880c9975492656

SHA1
7970a7ba81626932daf04528504388a2b5e719be

SHA256
a2a64aa6322aa042944cde9ee93da83d26f5db60cd1fc07dbe6fa82297c8735a

SHA512
3d43b0ab357daf7bfd80ab070adf1cb40cb7cad3d53d824bc4b1fb585b8d0abc75296fa56430882df763eb4db18f2bddee952bb57e40dc4e34cac070f4406d91

Download Submit
\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\baS3122UTLYrWFcgomsXWvaHetI6Ao2EPCZDeQENo2jLFN6ZFHDxEEfCb7xx4Kf5a.bat
Filesize
536KB

MD5
c87692adbbada6b5de880c9975492656

SHA1
7970a7ba81626932daf04528504388a2b5e719be

SHA256
a2a64aa6322aa042944cde9ee93da83d26f5db60cd1fc07dbe6fa82297c8735a

SHA512
3d43b0ab357daf7bfd80ab070adf1cb40cb7cad3d53d824bc4b1fb585b8d0abc75296fa56430882df763eb4db18f2bddee952bb57e40dc4e34cac070f4406d91

Download Submit
memory/640-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/640-77-0x0000000000000000-mapping.dmp

Download
memory/1268-71-0x0000000000FE0000-0x000000000100D000-memory.dmp

Filesize
180KB

Download
memory/1268-72-0x0000000000FE0000-0x000000000100D000-memory.dmp

Filesize
180KB

Download
memory/1812-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1812-73-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1812-62-0x0000000000000000-mapping.dmp

Download
memory/1892-56-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/2016-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2016-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads