b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508

Analysis

max time kernel
68s
max time network
59s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:50

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Size

724KB
MD5

431cb076190eab9926c375b75ef3b251
SHA1

adcb489a32d0aa3e91fb2e866d1666355fd2761d
SHA256

b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508
SHA512

b605459a332e445472b61c63a70351606e1e1e13bdd7ecfa68ad4bdd63a596ea033e818227b68f29b1c2d7c06b47226724db96dfebc121b07c512896328c32e5
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

description pid process target process

PID 812 created 600 812 XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd svchost.exe

description	pid	process	target process
PID 812 created 600	812	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exeXXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Last Active\\6vly8goQVd9mcNRQtqrruwZz1ispqoPxhVAVUtSY3aItGuRDJ.exe\" O"	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\V8eK96A0Wj8hTOhTsWgz3WgS.exe\" O"	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\22\\DFrv0FoVKiWEFYwrNR3AdTb1lmJ8ls3HnNpxWjDRezBAA3iKx4pbsPahqAGf10R.exe\" O"	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\9Z386TH9qeJvSBG1oovAJqYj5iH8WDJC52JVtnJoeV.exe\" O"	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe

Executes dropped EXE 2 IoCs

Processes:

XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmdXXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

pid process

812 XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
1484 XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

pid	process
812	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
1484	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmdXXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

Loads dropped DLL 3 IoCs

Processes:

gpscript.exeXXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

pid process

1568 gpscript.exe
1568 gpscript.exe
812 XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1568	gpscript.exe
1568	gpscript.exe
812	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

Modifies data under HKEY_USERS 62 IoCs

Processes:

b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exegpscript.exeXXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\BG9XQTG0\\A5Ht9TjCzN9azDXVyARo4eLjwN4XYxkuVtURRMHmIYTj78cV6lqHHoi7hkg2w772DLCpd.exe\" O 2>NUL"	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000090b533e2e600d901	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\datareporting\\archived\\LIwgsNIFjnwBbaZMoMKk8LOMUCPwMrXBgVBxN2iLNIg6WYUeU4TiqPw1bF8ft48rz.exe\" O"	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\S0TqoWR3Vm1LK9GlTXXTYEGtymHFNFsWSS9cUWNkblZid.exe\" O"	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\it-IT\\SAlWqQ9ghEt5yM1jP3JX30zTKgn4TGz3wjiKohyR.exe\" O 2>NUL"	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{61087a79-ac85-455c-934d-1fa22cc64f36}\\EyAqSHWskAJcq4KfjKqATBFv7rJxDpjvjdvXcfiqtCzbGe4vZ9fTPZMkaki.exe\" O 2>NUL"	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\jF3UqrCahkPBHend.exe\" O"	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000070fca0e4e600d901	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Sqm\\WNmJp09ECd63Ns33rJywoav3XSTJcyhrQAXFl.exe\" O 2>NUL"	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-20	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\6ORS647J\\LpbhGFGJuZBhUpn7aCxP7MiDyftaQDQwgXhyB2fUTtj.exe\" O"	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000050d899e4e600d901	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\USER\.DEFAULT	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mozilla-temp-files\\ZyvHMSdL4PfKHv4aymNQjpOD0LGbVhv.exe\" O 2>NUL"	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\Groove\\Cg4VXs7T4m6EtNFOko39fix6EseVW5ckjvoFu7qq3rWQIv0l33kq52PRI6bk.exe\" O"	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\EVfbdDK8OGRNMjt2jk1.exe\" O"	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC\\suyG1yc0Euz1Cp6P0Vu8jvJFulzgwb8W7Y.exe\" O"	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\SafetyTips\\6f8B3Zsa781x8rZBT0SHpVgO9NPiDDiXyY2cZPWQC4VsZVfLLSF3J23MJd.exe\" O 2>NUL"	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\kWTdYyZGLnvt8I1Ohn1kfLpazlfr6QQZtTchHx7MVD.exe\" O 2>NUL"	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-19	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\U1gBtXFRRKzVr0I8uY.exe\" O"	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\ltFlhKcp01WWWL2ByMDWwUI5YtCOgwuHZUCKymprRW6uwyBaC0R18j0HkOG.exe\" O"	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b06ec6dfe600d901	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\6SfkGqN2UkhZ3P8lmiWymetJ2p3Fu.exe\" O 2>NUL"	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000009020a8e4e600d901	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Floc\\ybNvUtLywOoOICbuBVi9W.exe\" O 2>NUL"	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

Modifies registry class 12 IoCs

Processes:

b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mozilla-temp-files\\y5Lb6uIaDTbJsUjO7JjrgcAIsM7oZWDdW.exe\" O"	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Command Processor	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\3lsU4fRxTsfoHsHcSKs33GkFKCTBa7uO7uANh5V5vbpnpBksj8HH.exe\" O 2>NUL"	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

pid process

1484 XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
1484 XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

pid	process
1484	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
1484	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exeAUDIODG.EXEXXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmdXXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

description	pid	process
Token: SeBackupPrivilege	2032	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Token: SeRestorePrivilege	2032	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Token: SeShutdownPrivilege	2032	b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
Token: 33	1172	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1172	AUDIODG.EXE
Token: 33	1172	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1172	AUDIODG.EXE
Token: SeDebugPrivilege	812	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Token: SeRestorePrivilege	812	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Token: SeDebugPrivilege	1484	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Token: SeRestorePrivilege	1484	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exeXXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

description	pid	process	target process
PID 1568 wrote to memory of 812	1568	gpscript.exe	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
PID 1568 wrote to memory of 812	1568	gpscript.exe	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
PID 1568 wrote to memory of 812	1568	gpscript.exe	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
PID 812 wrote to memory of 1484	812	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
PID 812 wrote to memory of 1484	812	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
PID 812 wrote to memory of 1484	812	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd	XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd

C:\Users\Admin\AppData\Local\Temp\b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe
"C:\Users\Admin\AppData\Local\Temp\b52596e423a7ca9294f4b7f8c634687b1760828176f286f3cf96f2859b5fd508.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:600

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1280

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x540
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:392

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Acrobat\9.0\S0TqoWR3Vm1LK9GlTXXTYEGtymHFNFsWSS9cUWNkblZid.exe
Filesize
1014KB

MD5
9b9ecf21f5d73213a3b4e86f7dd38e3c

SHA1
854a3b11b672d3b0fd8bf40d8fae0864809ab6bc

SHA256
c9ab0236ebcc986d12f8b402025966a5d56ee99077fbf9829cb203c87d1ab7de

SHA512
96b6ee80b4430546ed4e90f8e6c225ae48d65984aa2e89abaafa3522548cc2c46a790320e6828be7d7b495f7ec76205cd973ad6a8f79dd39ab4fa790d6b6c54d

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\it-IT\SAlWqQ9ghEt5yM1jP3JX30zTKgn4TGz3wjiKohyR.exe
Filesize
903KB

MD5
7ff8a60f287e972bf67f1e3459ef9d18

SHA1
1397d03dc82e5f508e0ac4a5d08fe009d9f4a7d1

SHA256
046dbe9c029c891be2bc8a8c43a1ac78154a9a74a4faf6c28e8518fb8b750f49

SHA512
e10038690b79a517b32b027c61cf182499d6950bb76dc3ff6e31029ae850d39f7cd42c7ec4a72b9ec9c7354d29fc1abf91c6b82499f9ac550f42f362df102211

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tablet PC\suyG1yc0Euz1Cp6P0Vu8jvJFulzgwb8W7Y.exe
Filesize
1.2MB

MD5
ec0eb68217268198a7ef05d12449e6c3

SHA1
f878129e09fa1605255b2b7a702060cec22a35e5

SHA256
4ec3975a340eed10c64ad34158fd59ddfc49182f24efe77e6a6fd21ced707a65

SHA512
d34a82c47f9f422c19f2d8a3756f65e875de6ecb74418e7698c55477b16dac78bf97393a2aaefaf07f29a0b00d5946550e8ba9524f64f51e051c9c59ad70f1b6

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\1Fn9j3qtJpq8h3pT1x0WjiYoEFuu2joE5uOVZPLklyRXHJsEjXr9mffA.exe
Filesize
949KB

MD5
a3a0619b08e7d40e9747ea1cf84fea83

SHA1
d20c61731abd1ac4f5b16fb06656e7f303bb40fb

SHA256
a0f903713131d3d9cd75fc73df7f1b96475861dea464159db91cf5bb98547dbb

SHA512
1c35f235b686d58b69d96f1e6efc3107194634ff483178a74cd87bc161637b1d1d91e3867d801454c3634ec7142c02249f5d72811b961acee7b86398583f1a0a

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\EyAqSHWskAJcq4KfjKqATBFv7rJxDpjvjdvXcfiqtCzbGe4vZ9fTPZMkaki.exe
Filesize
1.3MB

MD5
2929b3c405ac498dad489f8337c5e7ff

SHA1
886d06aad52b502e3cd6879c95f6a60e047e30f5

SHA256
abfe88cfab3a12e1462914a3db1505d5eb6ddd34bdb2aff9f4368c6b88ec4ddb

SHA512
87f4845c331ad2a353800e847fd2b93982e949af899b366b6120065b73a26a9c83b97a8e7a8101e979f27b3e0554132d3c47b65eab2986966b7fec43f5044bba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\o6Wk3CkhvjI9IrjpSYfK3KUsWMwUsTV1QnlTJV2McMbeHIBxPTeJVCVhHk.cmd
Filesize
1.5MB

MD5
6d99770f7584bef272cc9b00fa1a4574

SHA1
614d83ba177f154bb3be19cef31513176d675aa9

SHA256
f8b81acffc85e35bdf801c9034198fc8ddb210d82f32db995b8a9fc6fd9d94df

SHA512
d84aed998b6c866ad8f4a67ed4a42a5740734e348015184e2f323d9568e6a133966a254e2168c202bc3ddbc4d059d8cfccea97589c0488a0b027eef545056031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Filesize
772KB

MD5
4d7f31c63ea116c0381a6028a6511c0e

SHA1
15262d6c69354a7dfb8f4deb1ee38af3c0a02293

SHA256
e9762465d89eaea9b100e7366dda648949185eeb2c23288880bdb40c7a185914

SHA512
6f672357d3c6d2b2b0a746874df316402c1e210d657ba09981f3f1be66b113be8571a53680d87aff50dcab7ac72bc38c6ecff24b6563bc9e4e21e8db596f12c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Filesize
772KB

MD5
4d7f31c63ea116c0381a6028a6511c0e

SHA1
15262d6c69354a7dfb8f4deb1ee38af3c0a02293

SHA256
e9762465d89eaea9b100e7366dda648949185eeb2c23288880bdb40c7a185914

SHA512
6f672357d3c6d2b2b0a746874df316402c1e210d657ba09981f3f1be66b113be8571a53680d87aff50dcab7ac72bc38c6ecff24b6563bc9e4e21e8db596f12c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Filesize
772KB

MD5
4d7f31c63ea116c0381a6028a6511c0e

SHA1
15262d6c69354a7dfb8f4deb1ee38af3c0a02293

SHA256
e9762465d89eaea9b100e7366dda648949185eeb2c23288880bdb40c7a185914

SHA512
6f672357d3c6d2b2b0a746874df316402c1e210d657ba09981f3f1be66b113be8571a53680d87aff50dcab7ac72bc38c6ecff24b6563bc9e4e21e8db596f12c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\A5Ht9TjCzN9azDXVyARo4eLjwN4XYxkuVtURRMHmIYTj78cV6lqHHoi7hkg2w772DLCpd.exe
Filesize
1.4MB

MD5
135c065d2822e2ceda7488e148327ba5

SHA1
07e77e18bea65d81c108c6ac7a12b114ae81318a

SHA256
b71ff561786c8a94d33a86af72e944aadaa16f001408a06b082dda224ec95d01

SHA512
39bb50227d9dcde2a98ac28aced621d2200a9f88605a447b3fb20d658c0c36d6e70ddebd7195f581256358590b31ae1389fbf8992be5694baf0a624df1fca820

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\V8eK96A0Wj8hTOhTsWgz3WgS.exe
Filesize
1.3MB

MD5
b8bf78ccb23ed1c16716748a2c8f8549

SHA1
bf301775e7de588e184c95685b8bd223fc390eba

SHA256
1e2673e37ace986a476f1dfb37eb0fb98faaa62e1c75c8240df360c399b80ade

SHA512
5c101adb13fb14fe39f50df3d3d3b7f0f0c8ec7b3809e9802628a93de4de9e116aa77d36f00536dcc96e564705f229df8780f9a7cb15432564b255e761ca0e8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\U1gBtXFRRKzVr0I8uY.exe
Filesize
953KB

MD5
fbd4353b50d14e15fbdcb66374bac8e7

SHA1
ca6528c258205a7db26e3de8ac0bde7908991f77

SHA256
afe4ac71d172a781b28c089c54e6442b6ed5aa30b865c734b3e0b328f8fd7a17

SHA512
6932222ddef1dfcdff0ba25a0e97c8674e205308ddfa9dda49cb176c04ad7440c32bcccef45ba63d4936fe8547149941d77db5479e6a32408e3b7ad4e1472036

Download Submit
C:\Users\Public\Pictures\1ur7gCCb8MIElvwYAPtl5xT8vUtIBSDAomB2PWq69DX2ToAJkd7bbyUphs853hi.exe
Filesize
1.3MB

MD5
ac0df99f36aa3f29073744818d3d069e

SHA1
47f09bdc3900d8a905d35f17f195321a491e0b34

SHA256
2265d1b65bbcae251b8bf9c044c63e748d04920f39b58ce868ae15d343c3fd9d

SHA512
e829e92e8b0b72b1410cbd5ec4495c74eb19018e7e84e806f47b3f5de211b1e8e43a231456eab66181317e8513383ac667e46d705c802379079761b89d552502

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Filesize
772KB

MD5
4d7f31c63ea116c0381a6028a6511c0e

SHA1
15262d6c69354a7dfb8f4deb1ee38af3c0a02293

SHA256
e9762465d89eaea9b100e7366dda648949185eeb2c23288880bdb40c7a185914

SHA512
6f672357d3c6d2b2b0a746874df316402c1e210d657ba09981f3f1be66b113be8571a53680d87aff50dcab7ac72bc38c6ecff24b6563bc9e4e21e8db596f12c4

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Filesize
772KB

MD5
4d7f31c63ea116c0381a6028a6511c0e

SHA1
15262d6c69354a7dfb8f4deb1ee38af3c0a02293

SHA256
e9762465d89eaea9b100e7366dda648949185eeb2c23288880bdb40c7a185914

SHA512
6f672357d3c6d2b2b0a746874df316402c1e210d657ba09981f3f1be66b113be8571a53680d87aff50dcab7ac72bc38c6ecff24b6563bc9e4e21e8db596f12c4

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\XXg60dEAWUIh66PgD8Xu4qhwMRreuatN6s.cmd
Filesize
772KB

MD5
4d7f31c63ea116c0381a6028a6511c0e

SHA1
15262d6c69354a7dfb8f4deb1ee38af3c0a02293

SHA256
e9762465d89eaea9b100e7366dda648949185eeb2c23288880bdb40c7a185914

SHA512
6f672357d3c6d2b2b0a746874df316402c1e210d657ba09981f3f1be66b113be8571a53680d87aff50dcab7ac72bc38c6ecff24b6563bc9e4e21e8db596f12c4

Download Submit
memory/812-62-0x0000000000000000-mapping.dmp

Download
memory/812-74-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/812-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1280-55-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

Filesize
8KB

Download
memory/1484-76-0x0000000000000000-mapping.dmp

Download
memory/1484-81-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1568-73-0x0000000000F40000-0x0000000000F6D000-memory.dmp

Filesize
180KB

Download
memory/2032-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2032-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads