d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093

Analysis

max time kernel
208s
max time network
234s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Size

905KB
MD5

960bb89f9be3934abba2bad6d26bd1a7
SHA1

1d3d8b2910b725d4e472ea1b90f6b10c0614c060
SHA256

d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093
SHA512

d4423d6fbc84c3359c391d5b29097d33d10794bb636718cbff2b98cfc4c1f2ff40b671fa6c50fa097f299bd90c7c32650bca31e0081921cf65a2548e7c36d8a3
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exeJ7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\gl\\ZP9Z8VHEpR.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\eu-ES\\WdnCQJqmOg33LZ1iHVqFSLQGX3WINYBLdPowipfFA6oZAa.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\uz-Latn-UZ\\KMDmlVrJh2HrcGn.exe\" O"	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\BEsRdNXjKxZmUwNL.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe

Executes dropped EXE 1 IoCs

Processes:

J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe

pid process

1172 J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe

pid	process
1172	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Modifies data under HKEY_USERS 64 IoCs

Processes:

d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exeJ7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exeLogonUI.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\ESE\\TcQ6w0sCofaNIk1oUTQcPHxpMxJdNSBiNKBquWyGL0c0MMZjzGKKSlimmP.exe\" O 2>NUL"	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\j1E8eM15IQwx69DyLH869zJ3PnLNa0rT8.exe\" O 2>NUL"	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\tkblmjt0.default-release\\storage\\default\\moz-extension+++8e456f36-69ae-4519-a752-fcd5b08f5716^userContextId=4294967295\\e8Pg0mh4bocJeIUN3h83XkBMK2kYsGUyxp9wG9QwxOveiTr2a9z5bpGo.exe\" O 2>NUL"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-19	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\fr-CA\\nvtohs3As4hr4rpfGhsQhRyvFlCkWVKWH0F.exe\" O 2>NUL"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\RetailDemo\\OfflineContent\\Packages\\dPn7lH8IqZtYm7PxAuXzUdObazi7teR1HtfMs70qz0o.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000002aafd94de500d901	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Local\\Temp\\tx6bZ7x6ttDdUyrhTj09H52ZoXkruZH8eYEM.exe\" O 2>NUL"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\uk-UA\\JsxPoialzcNOnGj8Gj5MI.exe\" O 2>NUL"	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Key created	\REGISTRY\USER\.DEFAULT	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\\packages\\oBSiCeAjJ12aIijMtKqGN0o.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\PenWorkspace\\oWljPcjrrLIoqLuYCkJDlhY83gbXddc.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "147"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.3_0\\_locales\\bg\\h9IOV9K59ixctacARsiPT57D8Pl9D0BbR5zmDtgP.exe\" O 2>NUL"	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\MFUgOHDAigwQD5UqR5hLOPFzKSQuy6oLyFmf0SG3XL8EtVM3daJE636wK3P.exe\" O"	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\5jEsS4itlKmRdddQUshE1dtxjg0eMdkt9kmAdcZEZHx.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\\SystemAppData\\KK0dRuqzzv1U.exe\" O"	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\88000163\\GZtrEI5NZ2w0gVwnaDvJYJQ7cXA91tP8NbNARaA.exe\" O"	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\5\\LA3272y58BA.exe\" O 2>NUL"	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.3_0\\_locales\\el\\2y2ZcBtwdLEnHWWCGb6skJBPDQSik1PCXrDpMUn.exe\" O 2>NUL"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\nyxZCUT35rq.exe\" O"	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe

Modifies registry class 10 IoCs

Processes:

d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Command Processor	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\0T9eG1Xw16Jf9X1IsNbXiKirM.exe\" O 2>NUL"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\ar\\tsAnUxRgFG2PMXwouhF8p1IbB0F9nA2kT6W7oli5kPm2iaWye.exe\" O"	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exeJ7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe

description	pid	process
Token: SeBackupPrivilege	220	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Token: SeRestorePrivilege	220	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Token: SeShutdownPrivilege	220	d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
Token: SeDebugPrivilege	1172	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Token: SeRestorePrivilege	1172	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2528 LogonUI.exe

pid	process
2528	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 3324 wrote to memory of 1172	3324	gpscript.exe	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
PID 3324 wrote to memory of 1172	3324	gpscript.exe	J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe

C:\Users\Admin\AppData\Local\Temp\d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe
"C:\Users\Admin\AppData\Local\Temp\d3f787bd2d6fc6d5f17b89757d05260cd8e880e20f03f1145f8d1cf3e2e8a093.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa399b055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\RetailDemo\OfflineContent\Packages\dPn7lH8IqZtYm7PxAuXzUdObazi7teR1HtfMs70qz0o.exe
Filesize
1.7MB

MD5
86c0b3e3d6886ddfaa69ad414583371c

SHA1
26e68105d7d1a5c7225a00eb89c827732b56621e

SHA256
ed3241497cdc2096ed266472ec7320809ec906dd50d2211f69386117bd4bbcab

SHA512
158463c61bcb64f2431a08c98462a2af7b5cf87aa5e2f226695fd6fd728e63aedc43451f4ebc7d036f49ba5bc3326ca84f200a784cc89b297099c0bafdf25e79

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\oBSiCeAjJ12aIijMtKqGN0o.exe
Filesize
1.8MB

MD5
5b120ead16a6b34b09570e942056a394

SHA1
bcca46c857ab5944ae40bdeb8f2217d5c8c04e07

SHA256
1167acd967c72d9ecfc7977dcd49620abad94f59ce1db1a1f189c3fd7f382ba9

SHA512
436383d03fc81c3c8601ff71b25d8a6004cc24324c671a96598f2aaca47bbc5f4e0d2db7416881923de3aa1aea7a80c2f7b62495ee3e05edea4b66b4525e4cf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gl\ZP9Z8VHEpR.exe
Filesize
1.7MB

MD5
7578fc85725f5239324474898e31cabc

SHA1
d34514ad489f53aa4e17cc9312e3c538d8bb9504

SHA256
91e0704fff29d0b96f2cafb5cd328afd0c2aee0a93d5f6d072c33cbd2e98c208

SHA512
097d3c73af437a5e21b47be96339cbf8b88b1005a07f35f08874559d10984f541e0b94bde09834422b77310d927ef68e84f842c3cb1879380d0fd6f6c4ce9e36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\fr-CA\nvtohs3As4hr4rpfGhsQhRyvFlCkWVKWH0F.exe
Filesize
1.4MB

MD5
9959c8cbaaa68756e77c0a6d5eb2c174

SHA1
ce33b646f861f42e0357de1fb5ee9cdfad5e1285

SHA256
a285242ed41c3717f159010603a1c5c369e0b2f5ddf08b8ef10ceda9edb0e046

SHA512
660036337239022db3f7b9ad4635bcd49e4cd5521e0f1428ef95fbb9dc75bca1405837a0fac72b379f858aedba9ae9883607a8811554183e08b04c8d33a756c5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\AC\5jEsS4itlKmRdddQUshE1dtxjg0eMdkt9kmAdcZEZHx.exe
Filesize
998KB

MD5
6063e39a04951f0e2a2a66a62bec1bfe

SHA1
53292ce53d33a39d4ba3cf83afa7f45812078ca7

SHA256
270231ae6c6b5a58d1a9cdca0b153223c2fe97284de32c2da829ff1c5ef3fb11

SHA512
a48b23bf91c5648f6d15a8a786f8618265ae982d820c2e89dd67221c4f482e71dcc75128d3c1b2a87e99b1acd68bae4c1a3b7f4afe7db0ad2056cce1f7b631bd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe\AC\zyhSYPH2oRh72QsOOgxRwNb7auOeAUqIno6tpwL8cIRztd3ZqUhv4.exe
Filesize
959KB

MD5
a046e24bee9d04765ce84790a7d58d2f

SHA1
708cba5f6a640f105e618fd2812037418d3726fb

SHA256
b9c983a4f72a5d2f388858a6a184010d2fb2d01c13561857ad32ae6c37895cdb

SHA512
0e98871bfdde4a6bafab5e9175215aa5d1e8256b6222422904c9e38243fd3d66201ef8ac3484bf79081e928c8d893467b8313278462d7b6b3b6518c89450354a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Filesize
1.7MB

MD5
83b415139b3188f77623b0f39095993a

SHA1
8ba6e370f6eb41e6a9000e1253e0dfdf7b9f90a5

SHA256
c8cb7640cc0a2ac88c3facf93f407822525e6a9df0fa30de02e2fbf7c58f2c3c

SHA512
a8bcaf820820d4013955145bb2490b91006b3dfc9f2a8ae7a94afb2fcc6311bbf9e6780a290ed8a1255d4b73aa7a4e4eb5b1ed0ca2902c8ede765e7df598efd6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\J7ECcvU7r4nKZ4gaxA681pFcTpZGOzcYAhRcBBHezAjem2Ld1k2iBe0r9YR.exe
Filesize
1.7MB

MD5
83b415139b3188f77623b0f39095993a

SHA1
8ba6e370f6eb41e6a9000e1253e0dfdf7b9f90a5

SHA256
c8cb7640cc0a2ac88c3facf93f407822525e6a9df0fa30de02e2fbf7c58f2c3c

SHA512
a8bcaf820820d4013955145bb2490b91006b3dfc9f2a8ae7a94afb2fcc6311bbf9e6780a290ed8a1255d4b73aa7a4e4eb5b1ed0ca2902c8ede765e7df598efd6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tkblmjt0.default-release\storage\default\moz-extension+++8e456f36-69ae-4519-a752-fcd5b08f5716^userContextId=4294967295\e8Pg0mh4bocJeIUN3h83XkBMK2kYsGUyxp9wG9QwxOveiTr2a9z5bpGo.exe
Filesize
1.1MB

MD5
a331950c56bd594bbb9a7c570d444507

SHA1
a4d7ad2495a293bc00b294a816e78792a23f1a08

SHA256
b37332c161d24618431b939ec027e11a076524c2eee6e6c1f325f13222cd6ee3

SHA512
9d2618c866b4f5331ab11b069310f1140295cedbf07bd5e7964b2de6083d03ad66b6f41185dbe30fd878866844c58dd14194f95c1d137f7efc2ca68b7374be92

Download Submit
C:\Users\Default\AppData\Local\Temp\tx6bZ7x6ttDdUyrhTj09H52ZoXkruZH8eYEM.exe
Filesize
1.4MB

MD5
6fb1aefea9d3b5b0f0322381e9663d41

SHA1
f34b45247437b35a18482a32f8c546f9eae2f719

SHA256
19e5c3336f14fe70774ec190d59ee001a8e20690d42a430a372975899da90b66

SHA512
003573b5049190822cbdd1a7fc98a2f21a166e8d277b1f543be44ff9170ea82d060a3a414bf6ffb766a16f7397bc8ccb40fd5f04478c811a3deb30bff7b6faac

Download Submit
memory/220-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/220-134-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/220-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1172-138-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1172-136-0x0000000000000000-mapping.dmp

Download
memory/1172-145-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download