d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f

Analysis

max time kernel
31s
max time network
25s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:48

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Size

2.2MB
MD5

918e8a42969bf7116f9fee3920f69452
SHA1

36f62373783a63c52f7987cb696c3a00c8ad3ddb
SHA256

d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f
SHA512

745e2df16ede25dfbba03e6a359b5c48177121643931f5b861701455c34e1e45c00eff80e29fddbf62d60be9b0714158f726ee3a5582442ad342c9b21c540645
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

description pid process target process

PID 1684 created 592 1684 dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd svchost.exe

description	pid	process	target process
PID 1684 created 592	1684	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exedsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\GPUCache\\fKgHH6I9dRF2J0z9SvAG.exe\" O"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Z4TAQ562\\0c48PepJsYTaKABOwBih.exe\" O"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\53\\305lXYawVx8lJBvX3BOAy03gKswLH7HHVJe8oXnV48z.exe\" O"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\History\\xK0deGHbJimOQNfZQfHaMf1qBArIJ2EtWVHNOAOUg8vD4MascVR5zpdz.exe\" O"	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe

Executes dropped EXE 2 IoCs

Processes:

dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmddsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

pid process

1684 dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
1728 dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

pid	process
1684	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
1728	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmddsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

Loads dropped DLL 3 IoCs

Processes:

gpscript.exedsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

pid process

1540 gpscript.exe
1540 gpscript.exe
1684 dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1540	gpscript.exe
1540	gpscript.exe
1684	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

Modifies data under HKEY_USERS 62 IoCs

Processes:

d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exegpscript.exedsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Xea8a8wlV.exe\" O"	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\it-IT\\Fb1x1hS6xQB8qGaHTa1TbsNu0rSON8SZqh1xnWUHLg9m6FLHigrt0EjQneKDuXyK.exe\" O"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\jRsw86SYV3gSG9XQ0tilNeS85h2BE.exe\" O 2>NUL"	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\YA6oM2IV39ueOaJWuxDibcKRbjLoAePQ8sxnwHOTaOY6nevv9YKwNGxZchl22LQs5y.exe\" O"	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\22\\cX0Whq6beYFEtYlfti74bxV5gHkxWt2EiSajvXFm0Mkp0ngUWNILKzWbt9PhSl39PsOFvb.exe\" O"	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\4gq1sglk.Admin\\mrJlGgq2y.exe\" O 2>NUL"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000308237f9dc00d901	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\Groove\\pLagYFrl8Fn5g1JcR5ZF5umDmFPiw8BFC1SfhIzJ.exe\" O"	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\aFe85HDuULX3gsbhAacQOFTVe0qRV9DoIERIQf7byr3pfmTLFBz0kKWz6XRx.exe\" O"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000d007c5fadc00d901	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\packages\\vcRuntimeAdditional_x86\\pj04Vpu8A7zxoz1cbET5vXKIUeP4IMYc1PFxEyL6JgQ26c4lu.exe\" O 2>NUL"	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Public\\Videos\\Sample Videos\\eZ4hGIgCMkS27T72bHA3X3H4REHVQYaRSTOZeZrj5gDXo.exe\" O 2>NUL"	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\p441fvtfkuY.exe\" O 2>NUL"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\de-DE\\WAeUryxuUGgdh5Jv3od83bXGEX6VjHDM7lEZAy.exe\" O"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\888ITVQR\\YiB53AHF3rMhwvDhGNVnz8RzpzV8B5v179ftk.exe\" O 2>NUL"	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\hyphen-data\\k4wGvOuMpbDjz.exe\" O"	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000703270fddc00d901	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000010d16dfddc00d901	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Code Cache\\js\\index-dir\\LdD115nqjf4lD.exe\" O 2>NUL"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\vNbcC4jpFn7IqGuGOKR2LhLN7mh.exe\" O"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\iYdgOo14uREu9O3j4FOAGVjKgXT4EMldns2hIowOjcqKlCJ6rU1Tew.exe\" O 2>NUL"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\309axvf\\Un9GfOuoQbpcaHfD.exe\" O 2>NUL"	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b06f6bfddc00d901	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

Modifies registry class 12 IoCs

Processes:

d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\\TOg1EwulxMo.exe\" O"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\SOFTWARE\Microsoft\Command Processor	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Device\\NOOo3Q59JNndt01mTEKR6Jwxct1hBc6LgEZ78xObhJnWdE4WoYBsYrrQ.exe\" O 2>NUL"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

pid process

1728 dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
1728 dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

pid	process
1728	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
1728	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exeAUDIODG.EXEdsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmddsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

description	pid	process
Token: SeBackupPrivilege	1464	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Token: SeRestorePrivilege	1464	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Token: SeShutdownPrivilege	1464	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Token: 33	600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	600	AUDIODG.EXE
Token: 33	600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	600	AUDIODG.EXE
Token: SeDebugPrivilege	1684	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Token: SeRestorePrivilege	1684	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Token: SeDebugPrivilege	1728	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Token: SeRestorePrivilege	1728	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exedsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

description	pid	process	target process
PID 1540 wrote to memory of 1684	1540	gpscript.exe	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
PID 1540 wrote to memory of 1684	1540	gpscript.exe	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
PID 1540 wrote to memory of 1684	1540	gpscript.exe	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
PID 1684 wrote to memory of 1728	1684	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
PID 1684 wrote to memory of 1728	1684	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
PID 1684 wrote to memory of 1728	1684	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd	dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:592

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Users\Admin\AppData\Local\Temp\d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
"C:\Users\Admin\AppData\Local\Temp\d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1924

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\Fb1x1hS6xQB8qGaHTa1TbsNu0rSON8SZqh1xnWUHLg9m6FLHigrt0EjQneKDuXyK.exe
Filesize
2.6MB

MD5
46fe6cbbc5558d1e2c08f747479063b8

SHA1
d60ede493a8470eac4bfbad0bb40ac7bc10736b7

SHA256
10a8b096108af2d5ad9a94109be6cbd489785f171c35438d2b341d2e584a2b30

SHA512
2b93fa521d87a71dc499faed4c6bb50904b451b1af5d1a9d581da760194285d12471a9f4fb357b107b619d4b53e7e13ef56bd201f1dbe073a6d174bb364f3350

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\de-DE\WAeUryxuUGgdh5Jv3od83bXGEX6VjHDM7lEZAy.exe
Filesize
3.2MB

MD5
30e428720251daebef72296514c194e1

SHA1
47f1bfd74bd1fb5877336ce1d6bff6b02d91f0db

SHA256
55cbefb0d829bde3021faf6b5f119b045b18268a806666fb252887a04e866af2

SHA512
fefbef80055a51b97771bf09549d12f48700f7b4c24e3f14f907b2d9ae0557dfe9b118d7a6dd3c3e4f5a81c92d1974b89e283ba5434d9a204605bb76452c2397

Download Submit
C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\vNbcC4jpFn7IqGuGOKR2LhLN7mh.exe
Filesize
3.6MB

MD5
2c93e2ade96675f0eba26b40aaee617e

SHA1
1c57ca857cae9f9ae78915afc5f7560b8976be50

SHA256
fe91a616501d7e2a26a357ea7542d6b79a2f880061948bec6e44c2104f329b54

SHA512
2850ccff914de0f243da06c22c3fd53cdb5a71bc5bea9c0976112272d9da8b16dc8672dda8905add0370435fefa9353fdaa7a4fd2a225387e0e2f951ddbdec6e

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\zMwHccBsgvFWnlvGJyjoGyTIY4NXk32M08GZfbu999foxIfqh6eJTSlFAYRj.exe
Filesize
2.9MB

MD5
55f934cc8a2b3f966b1b5ad93d4a5585

SHA1
ec61f8a2354efe22247844c828286d44d02d44cb

SHA256
7de88664bed53c3f4da2a048a4d5ad7b2d6d41b1d1b9df72f4b1c3c3141e9bc0

SHA512
4400e941879d600ac477326c8dbeeafd9ea5ebf844839b749d73b60c8f046a58e1a8f7bdb810613168116baf4d2856e6c24aa624f94a071084a8c22bb1025a78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\iYdgOo14uREu9O3j4FOAGVjKgXT4EMldns2hIowOjcqKlCJ6rU1Tew.exe
Filesize
3.3MB

MD5
9d2b9c6b919b65a9213aac8be0a8dfd5

SHA1
e0eea0632af6e0c7b8d17c67551ec7fb7c51359f

SHA256
6443b3c135c2110d4c812e4c981b461e7050e703e96f0bf693da1e29dd6fcc4f

SHA512
7a0d33fc31d6ab95b75e5f0cc13aa9930bb9d36a0949026ba80804932d67d73fe2bffa852bb78c2e8b81d9a4c6ba9748b880dff158fb86891d208eafffddb309

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir\LdD115nqjf4lD.exe
Filesize
3.2MB

MD5
d2c98a3eb20c6d256740d114cf3fac5f

SHA1
4e89e7edae071683eb13557aef85ecc2d3dbf18c

SHA256
9de4f25f807801471757dc5ee1a100186873267381d610a65561d5d1f8e5430b

SHA512
664bdaf6860f18a530f5fe1548b30a69b991ed3c33ab8b75dc99fb961a362911a4ba238b46814d350145e6e02f31f8c9548bb7c1626fcaf0e7e6f5534f536957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Filesize
3.9MB

MD5
76346a744d67161c29cd0e9517dbf667

SHA1
28d13e3fcc59029fd7de6ab27cc8856fe0a709e2

SHA256
8a286788d382b576403e1a648be1ab8484788b84036dfa65d4982109296d0a63

SHA512
15d70ff7e838238f57deaeea55b9f2927f70b3aab1a7202ccb74c3df6a9bff15a0b32cd9966ec8fe5454c52d8de5ee07969a2d45846277d2c4b5d2a6f2071e53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Filesize
3.9MB

MD5
76346a744d67161c29cd0e9517dbf667

SHA1
28d13e3fcc59029fd7de6ab27cc8856fe0a709e2

SHA256
8a286788d382b576403e1a648be1ab8484788b84036dfa65d4982109296d0a63

SHA512
15d70ff7e838238f57deaeea55b9f2927f70b3aab1a7202ccb74c3df6a9bff15a0b32cd9966ec8fe5454c52d8de5ee07969a2d45846277d2c4b5d2a6f2071e53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Filesize
3.9MB

MD5
76346a744d67161c29cd0e9517dbf667

SHA1
28d13e3fcc59029fd7de6ab27cc8856fe0a709e2

SHA256
8a286788d382b576403e1a648be1ab8484788b84036dfa65d4982109296d0a63

SHA512
15d70ff7e838238f57deaeea55b9f2927f70b3aab1a7202ccb74c3df6a9bff15a0b32cd9966ec8fe5454c52d8de5ee07969a2d45846277d2c4b5d2a6f2071e53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NFAXYLRV\gEu8sRRqM60fNEI0uZ.bat
Filesize
4.9MB

MD5
c584a4de24e7139ffe9305b50bd48f62

SHA1
bee2cf14ea205fb38b61a1862c1e424fbdbc73f2

SHA256
c4fecd9665edd1841bbe7d808dc67828d79b0b291ac428f9b48b27fed814bdd3

SHA512
5ab0ae713a793757d6aef4f90030ae10c071b54dda30d395052535535081538ad72c11b7e04e63c5bb9fac3b20c2069beb7d4cab256f829c0ed082809e2a0137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\0c48PepJsYTaKABOwBih.exe
Filesize
3.2MB

MD5
2c8ee4003ddf77ca3b9d6f4266a9f20b

SHA1
b1ff267b2405e1929804dc4dad3843873b5e218e

SHA256
d7031aaac4f3c4e8bff89c90f0c170b574f5a4a575912148074abe31817cb429

SHA512
ea03f0b1edaf1d052ca2c6c687e1c004a8f9678c6519e53c577f781dbfab4dfea87a60fa50bb154ba7863d46cd4c5b2b4b2f57e0118b8f21ac29141e076a9680

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4gq1sglk.Admin\mrJlGgq2y.exe
Filesize
2.8MB

MD5
e61942b0b8d64514157656b5f4fa1834

SHA1
2b6ae68ca32c1ced818b1f51b5b541c17fa6d8bb

SHA256
4d509c0e1826c7f4fcfcddf092be43207e584f3614bd453c8ceb80cbf0e83caa

SHA512
a74dca22686a86351ab0e6a654e850bb013689cb911d71fa78c1565a673831790bd4e4ae88f30712a6a3bf0bad8e73fb3409723a3659154c15d6a972e97f1142

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\rPjzxigZMg.bat
Filesize
3.9MB

MD5
c598f17c4bf890a22d28984a69b5e2ae

SHA1
93d62072008e85f08c81f33fa8bb1141840f5a05

SHA256
275e4121d663b50bf14b8855a8a537dafe275c4d2bc85b15a0e6d16e8f5de6fa

SHA512
07ac88ef67e57767b36f969bc4b7582e8c235a9a846c354baaf2f95f63c298f06f68cafe0761717d0a381595bad3c02c6109e2a9294abbc739468613f9ce2f31

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Filesize
3.9MB

MD5
76346a744d67161c29cd0e9517dbf667

SHA1
28d13e3fcc59029fd7de6ab27cc8856fe0a709e2

SHA256
8a286788d382b576403e1a648be1ab8484788b84036dfa65d4982109296d0a63

SHA512
15d70ff7e838238f57deaeea55b9f2927f70b3aab1a7202ccb74c3df6a9bff15a0b32cd9966ec8fe5454c52d8de5ee07969a2d45846277d2c4b5d2a6f2071e53

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Filesize
3.9MB

MD5
76346a744d67161c29cd0e9517dbf667

SHA1
28d13e3fcc59029fd7de6ab27cc8856fe0a709e2

SHA256
8a286788d382b576403e1a648be1ab8484788b84036dfa65d4982109296d0a63

SHA512
15d70ff7e838238f57deaeea55b9f2927f70b3aab1a7202ccb74c3df6a9bff15a0b32cd9966ec8fe5454c52d8de5ee07969a2d45846277d2c4b5d2a6f2071e53

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\dsXtJKNjwZq7tCGKn1ldCAs3SFMuEvkBFalKgmWVhsjYH1mfRpEHik.cmd
Filesize
3.9MB

MD5
76346a744d67161c29cd0e9517dbf667

SHA1
28d13e3fcc59029fd7de6ab27cc8856fe0a709e2

SHA256
8a286788d382b576403e1a648be1ab8484788b84036dfa65d4982109296d0a63

SHA512
15d70ff7e838238f57deaeea55b9f2927f70b3aab1a7202ccb74c3df6a9bff15a0b32cd9966ec8fe5454c52d8de5ee07969a2d45846277d2c4b5d2a6f2071e53

Download Submit
memory/820-55-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/1464-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1464-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1540-66-0x0000000000E20000-0x0000000000E4D000-memory.dmp

Filesize
180KB

Download
memory/1540-67-0x0000000000E20000-0x0000000000E4D000-memory.dmp

Filesize
180KB

Download
memory/1684-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1684-68-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1684-78-0x00000000004A0000-0x00000000004CD000-memory.dmp

Filesize
180KB

Download
memory/1684-62-0x0000000000000000-mapping.dmp

Download
memory/1728-77-0x0000000000000000-mapping.dmp

Download
memory/1728-83-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads