808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da

Analysis

max time kernel
87s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 08:50

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Size

2.1MB
MD5

b322484e73005048a50faa38667754b7
SHA1

b177d083b24fda398aa1f496ee69bafa7525a3a3
SHA256

808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da
SHA512

a7c46b90ce90103a88677f4613afaa30c7e38b4bdbc067b38f747a1b5c550a23b7678bda977282f07aa7be3f55f76f61c0a42de0081ad4694e8cd6a06e711b24
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

description pid process target process

PID 2456 created 656 2456 1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe lsass.exe

description	pid	process	target process
PID 2456 created 656	2456	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\Saved Games\\nPhKZODhuUdCAXHZJVx08fJFslImXEATqdBvJ53AAxkNDG.exe\" O"	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\\AC\\INetCookies\\mB5PbCsNLJkyjcBennMIio.exe\" O"	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\GameExplorer\\H59EhwUn2SfQcVHHU4yTG4ocRKgI.exe\" O"	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Documents\\o5qRYAjMl6wAzn1qIK88nGfwFSt.exe\" O"	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

Executes dropped EXE 2 IoCs

Processes:

1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

pid	process
2456	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
2684	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

Drops startup file 2 IoCs

Processes:

1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iJdhU5tgM8DGnJnrDHnjlXqIFDf9oIFkjHBtpaOngwUAQseJB5.cmd	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\zVKwKQ3pp5zehHPrYaQSZTlYPilzm1eRXkBxZTQUk7D1MjGYDqn1DR.exe	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

LogonUI.exe1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exegpscript.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\\AC\\INetCookies\\y11WHEBj1QCL.exe\" O 2>NUL"	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\0OwLwetFo12DC4ZKgipk0GzXvRYxfpv5dLHyxMeObxbmeqhPXtA9fP.exe\" O"	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\7253iOEq8r.exe\" O 2>NUL"	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\\AppData\\hJWYnMzdP0cqHExQElKtrknH2IpzBTdFcHRvNWcSSY7ve4u3xln9I02oKe.exe\" O 2>NUL"	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\Rf4O8DvxM4wqYnNIPnWYEQAALOEemLJiUvWpO0Nd0Pa.exe\" O 2>NUL"	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Key created	\REGISTRY\USER\S-1-5-19	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-20	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\310093\\L9x4PVPIfRJ63ifqqGtDMOKH.exe\" O"	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\37\\uygSi3zLvdktXGNaNyLMBoXeqkcWGNulUAXv3IpsnVOhEmyLAZnlWbdXeRuU.exe\" O"	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\UWsuNbwSS9JJEa6TWSafyNfDSBCujWwVUf2u12vMR3rSFpfpmDjrCA.exe\" O"	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000caed11b7e600d901	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\B11EF506-7DE1-455F-8E20-67264DD4AF60\\SKp74QuIT.exe\" O"	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\\AC\\INetCookies\\H0X9tzJztVmIPAY09IP.exe\" O 2>NUL"	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\\Settings\\lTmQuHB0.exe\" O 2>NUL"	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\0fx48ci0.default-release\\bookmarkbackups\\zDOvZG5wz0GkQFrcl5TJ6TV1pn.exe\" O"	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\ZDNBAiP4v.exe\" O"	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\ActiveSync\\1G51jE1emQMzdxUe5tkA4Lacqk8vKdf1E91veW.exe\" O"	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\qml\\QtQuick\\Controls\\Styles\\Flat\\tWXB2BWkXoCB8NFLYPoZtUybSvyHiAzFNJjZJVjcyhLbceqXX3.exe\" O 2>NUL"	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\WinMSIPC\\oUEH8elSSD2Sh9x77DCjiddiZxbOCl2IwYV84.exe\" O 2>NUL"	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\GameExplorer\\dD2D8WFA2FYv3Aorx14MqmQ.exe\" O"	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.CredDialogHost_cw5n1h2txyewy\\AC\\Temp\\msBwOvNajRI5GU.exe\" O 2>NUL"	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe

Modifies registry class 10 IoCs

Processes:

808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\PhsYt0Ljv94If177iQo2b9ds7PhSJ6BVU96S44bL.exe\" O"	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\ajz3eM6g7zcWcHcwOWixS6HazUp0OLwJACPzxelfuWaWalOBcIo0S4X2xPFOQ1nVTmX.exe\" O 2>NUL"	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

pid	process
2684	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
2684	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

description	pid	process
Token: SeBackupPrivilege	4240	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Token: SeRestorePrivilege	4240	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Token: SeShutdownPrivilege	4240	808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
Token: SeDebugPrivilege	2456	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Token: SeRestorePrivilege	2456	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Token: SeDebugPrivilege	2684	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Token: SeRestorePrivilege	2684	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2628 LogonUI.exe

pid	process
2628	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exe1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

description	pid	process	target process
PID 4388 wrote to memory of 2456	4388	gpscript.exe	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
PID 4388 wrote to memory of 2456	4388	gpscript.exe	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
PID 2456 wrote to memory of 2684	2456	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
PID 2456 wrote to memory of 2684	2456	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe	1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:656

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
"C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Users\Admin\AppData\Local\Temp\808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
"C:\Users\Admin\AppData\Local\Temp\808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39db055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2628

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
"C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\B11EF506-7DE1-455F-8E20-67264DD4AF60\SKp74QuIT.exe
Filesize
2.3MB

MD5
57c8217433c940ca5dcde8cc6e21dd59

SHA1
a31a4ba3bf7ad0d6b561f11e9407be30dcc805b7

SHA256
2d9ddaba371ab63661515ebf03c2f36fbcdb5894174f46d05b7a10b71dad904f

SHA512
bfe60f3dce740a7fc9ec2504389332db478a465164a3eac04825327715e418e9ac8930ab8d9e4c329dc2f3c5c2d36c5f68250257fb42911698eb75aa5419e101

Download Submit
C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles\cEXcHemYUU602Uuhn8YpnHNwMifafX5QPdkOvIZTDD9AxLHJYly4Xhpzi5F.exe
Filesize
3.0MB

MD5
8f569c1d0f826933dd1d2cf18e56cbef

SHA1
70e9551266bd2b2d599193ec5356b3e4199d7532

SHA256
683992c196ccb0fcebecd7804b7291ffa8d759397ad6dafff769d961487c998f

SHA512
a0da045e529b81a6b300279444d573dbb5d10c1381f98c00023d6947dfe7deafb577309d128bc82aa404b8a8fe938812b7f61b7e662ac46612417bdb82796b22

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\7253iOEq8r.exe
Filesize
3.6MB

MD5
804445e7bf21d4fba3712480ab08303a

SHA1
f85dc1405c20350d4f9def61da62d45f632ee842

SHA256
e763ac8a76cf925dbe60cf1881610a2285446140687c19326d0ba838566726f0

SHA512
ce4e4a187440d0bb5e94db43c16e241c4b69026bbc7d3a57ecb38f4e1f7b6a0ebc14e2a13588105825912fd6e325fd031d19e63cefbe215e2f8401b02a1e7b1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Filesize
2.5MB

MD5
5c2c78717b9c76fda480f733579a051e

SHA1
7edb0b73ec2d11b74de8b23f61c5559c9012a284

SHA256
26d1c76bf288fecdb89b1af9f44b6f73335989ec2ad73b850f569e6eab2a547b

SHA512
2060076955c378e4764ff2d5c4bd95a8a173ff74ec09c21ef357d5c4d862379378a735575846c5f2ca27f362a2fbcf45fa2b388a47a79094bad9d89129b6cbde

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Filesize
2.5MB

MD5
5c2c78717b9c76fda480f733579a051e

SHA1
7edb0b73ec2d11b74de8b23f61c5559c9012a284

SHA256
26d1c76bf288fecdb89b1af9f44b6f73335989ec2ad73b850f569e6eab2a547b

SHA512
2060076955c378e4764ff2d5c4bd95a8a173ff74ec09c21ef357d5c4d862379378a735575846c5f2ca27f362a2fbcf45fa2b388a47a79094bad9d89129b6cbde

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\1ZDnQiscsNQf1mKHTYNZJEp7kjrjFxERjQXhxder6p2aSdCMDFbwGFXZmWcY7hZ.exe
Filesize
2.5MB

MD5
5c2c78717b9c76fda480f733579a051e

SHA1
7edb0b73ec2d11b74de8b23f61c5559c9012a284

SHA256
26d1c76bf288fecdb89b1af9f44b6f73335989ec2ad73b850f569e6eab2a547b

SHA512
2060076955c378e4764ff2d5c4bd95a8a173ff74ec09c21ef357d5c4d862379378a735575846c5f2ca27f362a2fbcf45fa2b388a47a79094bad9d89129b6cbde

Download Submit
C:\Users\Admin\AppData\Local\Adobe\9sqHd0ZV91egqqCt8O3qoC3p9uSVwe7VjX.exe
Filesize
2.9MB

MD5
8085cf024b41f74d18b3a20fbb523c6f

SHA1
c6c041853cebcab7bc2c5101a0d0f6c448e87a71

SHA256
3e6e8f85b07c106de9016ce758a46b364583ebe4e71ae20b7cdf10a49efe47d1

SHA512
58d04d9cd3230410567afe7a1ed79121785e2441df628f98375df3e1224f542c823bcf41df7b0aec724124fedce1a9b9ff412aa2289cd0824f65d63ad56b0986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls\Styles\Flat\tWXB2BWkXoCB8NFLYPoZtUybSvyHiAzFNJjZJVjcyhLbceqXX3.exe
Filesize
2.5MB

MD5
dbe83d7931bc6ca1983dacae4e7050a8

SHA1
6d668ace3e358539dafa017112fc9210286cb1e1

SHA256
41893a22e56bbf4311646a5d1366e08fdbf5bfff73645de838aa3858b9529266

SHA512
1088285c90a46fdef2224d24755ec811287e26a2b2722c454e1cf8cf35b6c97d0c210914d497d1e5e2ff46900adb30a73012535b92e6b5b7282b4a803a0632ae

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\AC\INetCookies\mB5PbCsNLJkyjcBennMIio.exe
Filesize
3.9MB

MD5
097774e57e876bbb55e71d0562cb3040

SHA1
eab0957ff4ab344b081f3651dd1bf69a1cc63c44

SHA256
f77b3fe94c4373a6898053707728e50e936369511ae3af42067266d2cf42d541

SHA512
c3e875dadd3f8b67ba2c1eaf7cc784e56418aa525a6a556d020f2c5894e90ad80c31ac44595a93dddee320205ffe9b5d048816bfe8376252a607276aac41f8dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\AppData\hJWYnMzdP0cqHExQElKtrknH2IpzBTdFcHRvNWcSSY7ve4u3xln9I02oKe.exe
Filesize
4.0MB

MD5
247a1d242cdd32e6e5f36c0dde0289e8

SHA1
49aa689b138f7571bc66b2fbb1ada5b958f6afd9

SHA256
166728d73d4ce0181eda84e31c112a9f394c4af157ee1f1f027b16671bc96186

SHA512
6719471da04254ec2187acc934a82b7f02c5ff0245981dc009c5799c93ff0bba6609e75d602ea08489164cce0b9c35da53af3c29c44599ab04433f411341dfe7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310093\L9x4PVPIfRJ63ifqqGtDMOKH.exe
Filesize
3.2MB

MD5
a98b77c38736d5f7e156319ada778c63

SHA1
b29ef9a071eae24ad349b26deb0ab0d5816a914b

SHA256
a66d7bacc16dd54127b9520253929b92e66f8ca46d8c019d354b69c1c902a2ec

SHA512
bbba35df1ab3b9ec4680e80984763c72be84d701741b442ba057861c9b1360bd5f43cdf13a096c34229ffe6258b734f54d76c700118cd9e9f9fc25bdd32ff7c7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\AC\Temp\E66rxdPZpzOLCeIwPPs34q73JlxPgKKsR38qGrlujRa.cmd
Filesize
4.8MB

MD5
c3e629d3e5bd352a6b4b1a9ca8f5f91e

SHA1
82257be5d9964b41b5b6355f5028feacc63c5888

SHA256
54834a778602ecc7211e2f08cf00494e68a0c7158332f8940f2548d436677c7b

SHA512
7486814c1e5162ecd0574a6d465c37432298f2b33fba7e1f485eda4026d2db2a3f34b57b10872ffa3090c1762f5f982debbd4d2af7e5b17e40a3ccd6a124889d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\bookmarkbackups\zDOvZG5wz0GkQFrcl5TJ6TV1pn.exe
Filesize
3.0MB

MD5
2e0906e6e15842013077f6b4c7f7cfbb

SHA1
2ecbd81b0e1494c9e2800619a9e290a6e86ac567

SHA256
9756ab7ac5bbae38ba9001d4a115ded2b92faa066f22a2e7bca6a4fb341996d0

SHA512
9ae8b486db8f7fd7378d13452287625cd40dac69ed250bfd12a3879e69a756642f1ea88a0b734221565f79297a14e4f38c82a12af7fde44017d141a536904208

Download Submit
memory/2456-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2456-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2456-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2456-135-0x0000000000000000-mapping.dmp

Download
memory/2684-147-0x0000000000000000-mapping.dmp

Download
memory/2684-152-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4240-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4240-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads