932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8

Analysis

max time kernel
47s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:39

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Size

392KB
MD5

e147c8db84bae5cee75b28b69ab5f2da
SHA1

118d1a98f8cccdcc1e942dc75f5fe8b2053cfb61
SHA256

932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8
SHA512

b68c83eba50224d947524bd3ddffcc7f29d5570b01aa184bd8d3111f26a7d8bbb756db6c7d0e4f9c6df7684d148cb34bbbaa080c3064cf5c1a40bc68adb699a8
SSDEEP

3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

description pid process target process

PID 956 created 592 956 WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe svchost.exe

description	pid	process	target process
PID 956 created 592	956	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exeWbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\5g0mjQ2nv.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\AVXGeNkqzMr49rHzJtrJPtjU1aW5b3Xh94NEXQjB96c4F8dbUORl9wN7SdQTA.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\IdentityCRL\\DkTQLBeUI.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\xtchzcQE3ZMlrtlL94f5W7dlPIH108favnHCF7RWLhRJ0bewX6OkMWIwuHvTirJpB.exe\" O"	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe

Executes dropped EXE 2 IoCs

Processes:

WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exeWbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

pid process

956 WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
700 WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

pid	process
956	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
700	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exeWbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

Loads dropped DLL 3 IoCs

Processes:

gpscript.exeWbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

pid process

324 gpscript.exe
324 gpscript.exe
956 WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
324	gpscript.exe
324	gpscript.exe
956	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

Modifies data under HKEY_USERS 59 IoCs

Processes:

932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exeWbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\MSDN\\8.0\\NOFPmlGrIbQbXNk.exe\" O 2>NUL"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\au9ni2dm.default-release\\storage\\permanent\\chrome\\idb\\1657114595AmcateirvtiSty.files\\NaOKFFXaJV1HvSfepOUJBAtw0x5DHsZyhOp5OPI5kKZcgBXY.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\UA6nyJT1Tkwbw215yJ9YePIZ5HeLcE47dwLkhnvagx3Zo.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000000d31af2e400d901	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e02c64f6e400d901	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\QAWF50BJcqcYjMsIsm5HMc2d.exe\" O"	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\BE4JJG6Wdo1FQR73DEvHNBf3MJkF7gEtmQEAqMxc0n9W7tcZcuEuEIMrRMpXdjiajM0c6.exe\" O 2>NUL"	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\Indexer\\CiFiles\\wVT3gd7GB4tIMhUMCFWvTfRWE60pwBmLE1SRDuwYjpu.exe\" O 2>NUL"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\.DEFAULT	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\ja-JP\\enzvNLTCcVousbtLq26dx2KsVIIGL.exe\" O"	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\cFJBKh8ij5hxp08bqi4dxb6fVLUkvlB.exe\" O"	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\peOGFEIidwt8YwoJJiN.exe\" O"	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\DRM\\Server\\fCIaD7vFuwjVGhqoolUCuCiJIy9rtrUoNJvLgh72sqItezzZ4xOZrtuyLsqflN.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\1A1Sy67Hg67R17AK8zMDM.exe\" O 2>NUL"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\EdnNP8RM.exe\" O 2>NUL"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\82Egd7fXzEsZLHaDErdqxrqQz9949MjoOj33J8JmAbTxODbCjFvwRwF.exe\" O 2>NUL"	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Burn\\eSA0Nmn4vd2.exe\" O 2>NUL"	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\rS9AvzdZLr0GOk9rC6IOnN.exe\" O"	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\au9ni2dm.default-release\\crashes\\c4WcRkobHAxJdSvxq0dp3mdRfHblAcGfG3UFowcK0SNzHh.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\4Kbr7n4GWBhG7hLaeVukNNKtXfnN.exe\" O 2>NUL"	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-20	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing\\7zOQ45Ao0xPRmBbu9w7cYO.exe\" O 2>NUL"	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

Modifies registry class 12 IoCs

Processes:

932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\JSWhznbWiYzSzRXimRjNY4jxZxp2RhaGJrLATPKobhEcYthGxuknzm.exe\" O"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\SOFTWARE\Microsoft\Command Processor	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Code Cache\\wasm\\99AoXvuu9S7uLvpEY4cfcfX1wY0IwpXzEjO6XLXdz2pAueqRoVSQ.exe\" O 2>NUL"	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

pid process

700 WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
700 WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

pid	process
700	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
700	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exeAUDIODG.EXEWbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exeWbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

description	pid	process
Token: SeBackupPrivilege	576	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Token: SeRestorePrivilege	576	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Token: SeShutdownPrivilege	576	932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
Token: 33	1472	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1472	AUDIODG.EXE
Token: 33	1472	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1472	AUDIODG.EXE
Token: SeDebugPrivilege	956	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Token: SeRestorePrivilege	956	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Token: SeDebugPrivilege	700	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Token: SeRestorePrivilege	700	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exeWbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

description	pid	process	target process
PID 324 wrote to memory of 956	324	gpscript.exe	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
PID 324 wrote to memory of 956	324	gpscript.exe	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
PID 324 wrote to memory of 956	324	gpscript.exe	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
PID 956 wrote to memory of 700	956	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
PID 956 wrote to memory of 700	956	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
PID 956 wrote to memory of 700	956	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe	WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:592

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Users\Admin\AppData\Local\Temp\932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe
"C:\Users\Admin\AppData\Local\Temp\932fca7149854c7d62e52ed4311e7bc9a336be1f967a656e435cdc7762dd1fe8.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1664

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x44c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1076

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\DRM\Server\fCIaD7vFuwjVGhqoolUCuCiJIy9rtrUoNJvLgh72sqItezzZ4xOZrtuyLsqflN.exe
Filesize
596KB

MD5
34bb64f68104cdb322d52ffb89a5658d

SHA1
c4c6cc46bd4ceef737de56d3eb860e073bca484b

SHA256
9e7ba936b07e18059f985f493c6525effa5b3245419fd774c038ae611ff2a925

SHA512
81a0b2267dee54a94a511783f23ae772606c7cf149e0209a53507ce5b56dd39b59e0d91e11b0c7e40505856a5bdf9af6991d2d4e6976fb6991e20309db552719

Download Submit
C:\ProgramData\Microsoft\MSDN\8.0\NOFPmlGrIbQbXNk.exe
Filesize
481KB

MD5
37e9fdc9cef14aa49dd646c3a804b776

SHA1
5206b8e6d4c0d85515b3f87f1bcc31af34a66f09

SHA256
a5752ef7e1e18642525ae943626c51260902529c7c8a4b424f3b22588a876e75

SHA512
5370023f52e6f297dc9cd37f96df8805d6fc953bc06ed828e1f5d0df0427495ef34fc29fbca34cbca86d2dd0212aab921a3ebb356a4f08c24bdce482a9c70a41

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\wVT3gd7GB4tIMhUMCFWvTfRWE60pwBmLE1SRDuwYjpu.exe
Filesize
479KB

MD5
4e70e2b5ade9ba96429d01dc49d0ecfa

SHA1
05cd2e11d1a221cdc60a5b174be1ba91ad7dd9b0

SHA256
18ed1de99790dddf15f95838ba9f5dc9d29f97a69002ef30f33cfb0bd5462519

SHA512
8263b9297d3ebbdf848c10fed546ca53b5ddddfbfe3d56b3f83f65e1bb769e149215f3c8d97e158f0d6ca20367de6fb71605e0752c3b680bc21d47d3dc07d901

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\RHfV3HEevKahUTPU6Wa7YUYZUEvjBHpxhZ.exe
Filesize
739KB

MD5
f10ddaa9298747af17c8ac8580702cb4

SHA1
301ca9fced7ae5b8ef2fa18636058b8231e4f207

SHA256
a949e5c27bd3d3f3aefb79129224d0f2004d7beb1f7ecc8409d174aa7a0275aa

SHA512
2202abdd763bd3dacb0f28dd57c3b819a1f67ceafe68d006aa2a9e4c6beab9016823ace65423a5c5ba3a7843c221c938e8f6a369a234a828d07eb8dd20d5e7cb

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\EdnNP8RM.exe
Filesize
689KB

MD5
90ca2807919e828111eab1e7f23799c0

SHA1
732ab64885be4a4bcba4518603b24f3e86cb8931

SHA256
302a45a5d42b8dd9e92f454e027040ec0b43fab407d4765f2484beb83e63a672

SHA512
db8c34802e993b290fd3fb9b7c016421274b88e79b065dec8364d1e1764178510d7434b118a376e23051441835aa86117c0f73cfc6740ccdd41e1adb8e777d55

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\O7t4X8OijEtT4.bat
Filesize
557KB

MD5
9394bce82509be167ade6c9afbe53026

SHA1
b1cae8bb20c0fc370f09c8e7eda773bf921614bf

SHA256
27f2a151f74bbf340e5d9987f9b439dcfed926f8e98edf0e6e32cca75fc75f77

SHA512
1deba78760dca8564cbd5e02c9ad51a8a711e166ca6543fdf60c94dc8e6fc351bd3c459b8faafb34b15fe3b8fb02d7252f2d38a94861bb280967a1b730001e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\Sj92DB4XI.cmd
Filesize
1.0MB

MD5
516cc4855fdba072e26bceda1cfba9d4

SHA1
9b89bce5c891a3cd51884d1948f399ac4d3ba0c4

SHA256
1ae161c79df71b35d5083cb57767fdcc58d8aa48e8a409d48f58739421dab00b

SHA512
fe610c60228363494b23d1995457b67c854a75cf33bd205646a0b56a839517c88a902fb750cfecb5e2a815f2c211c91b97103d3d74a8c76d0b3946d675cd12c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Filesize
544KB

MD5
fff47bf2b1f649d27ab472881869de6d

SHA1
9fbec6fad86202fa17e0765cdce58c17d0ca37be

SHA256
93c75e62306f20b30342c712c09802c03461c82a932dfd1d3b92588d58dfd1b6

SHA512
e77f735f591db0bcaa25f7b0b6314c1714041bacc7c26fc79bd34c23d2071cbcdb805b6280589e88e175d50c88eb473a206b5adc0970240a44a972dbe353d111

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Filesize
544KB

MD5
fff47bf2b1f649d27ab472881869de6d

SHA1
9fbec6fad86202fa17e0765cdce58c17d0ca37be

SHA256
93c75e62306f20b30342c712c09802c03461c82a932dfd1d3b92588d58dfd1b6

SHA512
e77f735f591db0bcaa25f7b0b6314c1714041bacc7c26fc79bd34c23d2071cbcdb805b6280589e88e175d50c88eb473a206b5adc0970240a44a972dbe353d111

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Filesize
544KB

MD5
fff47bf2b1f649d27ab472881869de6d

SHA1
9fbec6fad86202fa17e0765cdce58c17d0ca37be

SHA256
93c75e62306f20b30342c712c09802c03461c82a932dfd1d3b92588d58dfd1b6

SHA512
e77f735f591db0bcaa25f7b0b6314c1714041bacc7c26fc79bd34c23d2071cbcdb805b6280589e88e175d50c88eb473a206b5adc0970240a44a972dbe353d111

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\crashes\c4WcRkobHAxJdSvxq0dp3mdRfHblAcGfG3UFowcK0SNzHh.exe
Filesize
416KB

MD5
cc0069c6677b7fd61c4cb27e814a2c59

SHA1
e72cb601619ced3f3f60ba3ff33bd8c370e40638

SHA256
5b151b1302ef03c3c024edce3f50ba350130a3407fe8c559592c4778731bdc3c

SHA512
6cf66691b874411f903a2e2cdaf45987ec0b3ee5bf5437723f4c3ca508a5a1eec2545833c66fc84e175b1ef7a3e6cb620d53d6ee272a85fad18e509128e9ac74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\NaOKFFXaJV1HvSfepOUJBAtw0x5DHsZyhOp5OPI5kKZcgBXY.exe
Filesize
579KB

MD5
b80c17fb75ff4552977df989b9bb2760

SHA1
052e3084fd3abcc9b7c6964e370b1eb878df0f6a

SHA256
a1f2149963e0ac847307930688e8ce7752b1247ea8ad868bed2417b90c8c4f22

SHA512
c03c88052277ed8059cbb80b40a928a76d0301613f72a97bb8109ff04bb2e6fdd308838a887eba4513c5c9c413359aaa332bb49025060c3091f6630afe3d5275

Download Submit
C:\Users\Default\AppData\Local\Microsoft\AVXGeNkqzMr49rHzJtrJPtjU1aW5b3Xh94NEXQjB96c4F8dbUORl9wN7SdQTA.exe
Filesize
512KB

MD5
d5b61a779348289221f026e2e31ae448

SHA1
34a0123e2804c77588e4db8c534e9fb45aed7e93

SHA256
2ddf4e897e51d5be72ee6380113234fc738376400bfde22b890c44623c3e6f64

SHA512
513899acb3451d07c5be778ced47dd9a19e413ea8ff9d80a017b88752aa221cddb6071d0a4746e597742bbcb8a5fd320d5c8bf6ca605661575d181315088a3c2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Filesize
544KB

MD5
fff47bf2b1f649d27ab472881869de6d

SHA1
9fbec6fad86202fa17e0765cdce58c17d0ca37be

SHA256
93c75e62306f20b30342c712c09802c03461c82a932dfd1d3b92588d58dfd1b6

SHA512
e77f735f591db0bcaa25f7b0b6314c1714041bacc7c26fc79bd34c23d2071cbcdb805b6280589e88e175d50c88eb473a206b5adc0970240a44a972dbe353d111

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Filesize
544KB

MD5
fff47bf2b1f649d27ab472881869de6d

SHA1
9fbec6fad86202fa17e0765cdce58c17d0ca37be

SHA256
93c75e62306f20b30342c712c09802c03461c82a932dfd1d3b92588d58dfd1b6

SHA512
e77f735f591db0bcaa25f7b0b6314c1714041bacc7c26fc79bd34c23d2071cbcdb805b6280589e88e175d50c88eb473a206b5adc0970240a44a972dbe353d111

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\WbLE3UTfC8dORbn9NzciXOFQfA0TaFXwX5JRfHQIH9W29fZJE.exe
Filesize
544KB

MD5
fff47bf2b1f649d27ab472881869de6d

SHA1
9fbec6fad86202fa17e0765cdce58c17d0ca37be

SHA256
93c75e62306f20b30342c712c09802c03461c82a932dfd1d3b92588d58dfd1b6

SHA512
e77f735f591db0bcaa25f7b0b6314c1714041bacc7c26fc79bd34c23d2071cbcdb805b6280589e88e175d50c88eb473a206b5adc0970240a44a972dbe353d111

Download Submit
memory/324-69-0x0000000000CC0000-0x0000000000CED000-memory.dmp

Filesize
180KB

Download
memory/324-68-0x0000000000CC0000-0x0000000000CED000-memory.dmp

Filesize
180KB

Download
memory/576-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/576-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/700-77-0x0000000000000000-mapping.dmp

Download
memory/700-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/956-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/956-62-0x0000000000000000-mapping.dmp

Download
memory/956-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1664-55-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads