834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2

Analysis

max time kernel
43s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Size

1.7MB
MD5

7ba4cbd920088fa5a9bf5a144c9834bb
SHA1

caa83f4ec6286d58ecc56fc9dfaa650f765b6868
SHA256

834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2
SHA512

0311af7730177fdfa09c0faf41abe73c2a3ef800edfce78cb999912449cafabd006ca15d1f2e231b06372c240ab97f9cc203f01b5e2ed2d04afefb98d0a66d87
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

description pid process target process

PID 1376 created 580 1376 xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd svchost.exe

description	pid	process	target process
PID 1376 created 580	1376	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BIgjBXKmKVqvpp3owqk5DEDPU8OWBR6i0FlAL89HBa218wwHcugjHVK9HXRHpTUJFDhw.exe\" O"	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\B9umSPSaeTBAS63PLlr2KOzBfpmaFMJ.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\de-DE\\hZ1CvMF7E1DNThGvkxRIvoQWlwmD1sPk5uic06r5OIw4.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\kE0c9gSjQZSv615fRBL0EFR1bKKIp0LLzFSUrFmq7N.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

Executes dropped EXE 2 IoCs

Processes:

xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmdxXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

pid process

1376 xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
880 xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

pid	process
1376	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
880	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmdxXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

Loads dropped DLL 3 IoCs

Processes:

gpscript.exexXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

pid process

512 gpscript.exe
512 gpscript.exe
1376 xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
512	gpscript.exe
512	gpscript.exe
1376	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

Modifies data under HKEY_USERS 59 IoCs

Processes:

834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exexXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmdgpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\SharePoint\\tqPuNuhchA08ZWGagn0AMm7mnJtTLdte2tAWZ9gDlIeeA.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a082ade5e600d901	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\aWGlNDN9Jjp.exe\" O 2>NUL"	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Downloads\\Y5HeBbJ95nxIG7fAUnGVhma2iT3FZHYu8WMYCa7QxhKcRDH34ovL6qoTf.exe\" O"	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Saved Games\\4jslfIrD1aikMCvRFGqubjsyqwThRoC1Dkh75yS3ba5WVi.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\AfzkhDDWA0e7QqeV3Q.exe\" O 2>NUL"	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Local Storage\\leveldb\\s8wEyy5gitRjyJFUSQINedF3SUjEh.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mozilla-temp-files\\Huj4awQqj6bBh2JUZUVb0UAas92OTBALgUa0R.exe\" O 2>NUL"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Credentials\\bSaGC0RTFsydPdjfX.exe\" O 2>NUL"	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Public\\Downloads\\xT6irqXJPIbGxACVFIiIuXoTboeFGqWS8zoHCWjeXkrqkapeCnrU02pa5ZX2zH7TPY2Q.exe\" O 2>NUL"	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\YHNcxhajWHh4WxuoIzdaC1fps4OhzwjB6PFdYHZ1.exe\" O"	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\FobfdWpxbRvHsEX5bTI1pr3Hc68uyHWTrd8WtkjgoK.exe\" O"	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\kh7Wm8zkcrueDbI4gKC9xK9FMnUn4TxIMeNERTOFQbBrg5jKFsK15r.exe\" O 2>NUL"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\\t4Cnqos4vTRCk3aCU6ldz582JmHUTRZir0hZeYJFEMgvDvqkywNo5RrlcBDhV.exe\" O"	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\56\\QDv298PjkSrWm30WEgbLYocZeMOnGU2stMceriEeMLGh9QmvlYktzD.exe\" O 2>NUL"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\au9ni2dm.default-release\\safebrowsing\\VZxb5RpyRJXAQtqRK8JJLWUlDxFbwjbRJEYwMh5O5ra7lURcZJsDcXrdrwpUam1.exe\" O 2>NUL"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000004069b1e2e600d901	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\7COyYFam3pFdxSdLbu1dZb1q3j1bfRuGs236Z.exe\" O 2>NUL"	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\ShaderCache\\GPUCache\\utTYYnjjs8uk5pajhZKFSQqHkyFrQFhm5dUHYHXnQrzsqWPXybIFy4KSKmoF.exe\" O"	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Caches\\CXAlbpfycbR5twngVkddPi2cIHluOr3y8R3L.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-19	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-20	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe

Modifies registry class 12 IoCs

Processes:

834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Flash Player\\9SjIkcfkhKRcHpjAvRG4f9Ui5VQtWbMWOyQfUNF.exe\" O 2>NUL"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\SOFTWARE\Microsoft\Command Processor	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\au9ni2dm.default-release\\cache2\\doomed\\sMYs8EXK4p.exe\" O"	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

pid process

880 xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
880 xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

pid	process
880	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
880	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exeAUDIODG.EXExXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmdxXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

description	pid	process
Token: SeBackupPrivilege	1976	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Token: SeRestorePrivilege	1976	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Token: SeShutdownPrivilege	1976	834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
Token: 33	1428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1428	AUDIODG.EXE
Token: 33	1428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1428	AUDIODG.EXE
Token: SeDebugPrivilege	1376	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Token: SeRestorePrivilege	1376	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Token: SeDebugPrivilege	880	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Token: SeRestorePrivilege	880	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exexXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

description	pid	process	target process
PID 512 wrote to memory of 1376	512	gpscript.exe	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
PID 512 wrote to memory of 1376	512	gpscript.exe	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
PID 512 wrote to memory of 1376	512	gpscript.exe	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
PID 1376 wrote to memory of 880	1376	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
PID 1376 wrote to memory of 880	1376	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
PID 1376 wrote to memory of 880	1376	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd	xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:580

C:\Users\Admin\AppData\Local\Adobe\xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
"C:\Users\Admin\AppData\Local\Adobe\xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Users\Admin\AppData\Local\Temp\834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe
"C:\Users\Admin\AppData\Local\Temp\834a7429f98efdb62b6dc6cd76922e6108906810e4b169e8af18081c9db6a7a2.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:588

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1040

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:512

C:\Users\Admin\AppData\Local\Adobe\xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
"C:\Users\Admin\AppData\Local\Adobe\xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\yOd5EcKtqbfUn.cmd
Filesize
2.9MB

MD5
e316f7f47a83fae09ec41abaf9900ee6

SHA1
d01a0210cb03ab86f6db17ae0aea57e87ae406da

SHA256
5d311ee9edc27d55d2a5551e28ba954b06ddff73f257257483ed16ad5174a180

SHA512
a9765d30d51033c836aea0c6ec3f6b886a88fc9e73814b89e7e6cbc672494bb21b479702a1662df3b1830a311bdf72fe04165950ae7cb84f8be735353f519428

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Lf4l9OadS9MmjNHMrld9bMhrqlDDTc24jAkHLDtanCIaKa20Adgc.exe
Filesize
1.8MB

MD5
5687e76dbf16cce3706ba58a1f2640dd

SHA1
d9b35f863f6a0cfcf789f0c76c5f098f5ae9dd99

SHA256
37d37105dfd8fbf01ddd73ec95e0e06dbb9830884061c0fe00e02148495e5800

SHA512
0e4a14c90e8ede59c8b01f53ce493a9cca746f0488d360a92975bed7416d12f6e60353f5cc17d2363cc92141cfaf6525f2ac6509f56130c3838e98c21db506f4

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\de-DE\hZ1CvMF7E1DNThGvkxRIvoQWlwmD1sPk5uic06r5OIw4.exe
Filesize
3.3MB

MD5
020a61fa95f3830e1e1b6e71419a9461

SHA1
b5b1b064b576493d886a4e7548ae344b2be50edb

SHA256
76da03fe3bd93d2a5efeac1ba441b416da38d2b4a1d3f2345af1238b36cfc8c3

SHA512
549f4eb3a8a35bd4533b77b6ccfa999755b5c1bb643ad981c62603c493dfba6843572fe4e1ee75f24fc48afa4e4b0b8c3431e861e1222b94b86b1723fb6e7f8c

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\CXAlbpfycbR5twngVkddPi2cIHluOr3y8R3L.exe
Filesize
2.5MB

MD5
e067f199ff5e0ebcdc183263af1dbc45

SHA1
94355eca7e8ef14478f6f42eb4bd4ff8e3f94314

SHA256
a29f07546957c23da91221aee157373571895a1d3201cbdb96ec26ed165be472

SHA512
635081d432be2c2918c27b9837827e46aaf3f4498722e91130dc657123c69e8a690ebb21c84ce47d5b7eda948fcecb5bc9a432ace3b1d45049bc6c0d5740bf54

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SharePoint\tqPuNuhchA08ZWGagn0AMm7mnJtTLdte2tAWZ9gDlIeeA.exe
Filesize
2.5MB

MD5
da86cc35b0b033a292e9d9e6a85ab570

SHA1
bd91e5dfef3bf2b99d9efdb45aaaee30d74fe361

SHA256
9638be707828ff6bd345fb35017730b538ba07944d9c7695a828ffec2b64e822

SHA512
ef036c7925061b4b94c80a55b4699739dc3e6075701e01b3dacacff148341699b90419f974fbd62354980f46e13a86d44502be80467e072aec1279607e297ab5

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\9e0l0iuZnfdH7YLgYond3NINd2Qvw0DgXW.exe
Filesize
4.5MB

MD5
1b0f80ccc838eec3ad9f35b0b873981d

SHA1
9cb0925216071ad86e9be302c73e3b20cc01699c

SHA256
7cc3166610d13ced19bf0ddd2e1d243b3ecf24966ff7c629b37c04e8dfa46f78

SHA512
9a83b412f20cb1a784090aca5b79875721e71e591f6d57681d5bb66d33de1560f5554028f20c04733113672f83dfa6cfde181ba4583f8a45415a43b53c6758ec

Download Submit
C:\Users\Admin\AppData\Local\Adobe\xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Filesize
2.3MB

MD5
caa3d1de99a4ce1b696807440f30f9cf

SHA1
2c50b20e64c60f7c467f4c2189df6e3174846d53

SHA256
a0e0eb2410c30ff49bf2ffd50e113b82be001fd38eefb61e773038485fe14c12

SHA512
42ee20e0246f10f38e69a18ceef36884de9a535774c9be240a048451c0ac3ae8920bafa28ba61e4577eef15ea605cf16dd7f45361e1290b6cb8293916f23bc98

Download Submit
C:\Users\Admin\AppData\Local\Adobe\xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Filesize
2.3MB

MD5
caa3d1de99a4ce1b696807440f30f9cf

SHA1
2c50b20e64c60f7c467f4c2189df6e3174846d53

SHA256
a0e0eb2410c30ff49bf2ffd50e113b82be001fd38eefb61e773038485fe14c12

SHA512
42ee20e0246f10f38e69a18ceef36884de9a535774c9be240a048451c0ac3ae8920bafa28ba61e4577eef15ea605cf16dd7f45361e1290b6cb8293916f23bc98

Download Submit
C:\Users\Admin\AppData\Local\Adobe\xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Filesize
2.3MB

MD5
caa3d1de99a4ce1b696807440f30f9cf

SHA1
2c50b20e64c60f7c467f4c2189df6e3174846d53

SHA256
a0e0eb2410c30ff49bf2ffd50e113b82be001fd38eefb61e773038485fe14c12

SHA512
42ee20e0246f10f38e69a18ceef36884de9a535774c9be240a048451c0ac3ae8920bafa28ba61e4577eef15ea605cf16dd7f45361e1290b6cb8293916f23bc98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\s8wEyy5gitRjyJFUSQINedF3SUjEh.exe
Filesize
3.3MB

MD5
bd818db895a9adb2da26a023ee6fabfc

SHA1
13eef5044151d03276da020dc1bd6c7b9870d7b5

SHA256
6e66a2ff6a7cb921cda822a95018a6a26e79d8231e83fa8288c6d29f26d8d57a

SHA512
4e2d4a244cbfa87dc6051a8aaa8392c518923f5a20aeb3c815bc6a0e937f73aa31724ee5f188d9aec4be408725aa3242d46628c314386132b86055a7ef4c7d1f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\au9ni2dm.default-release\safebrowsing\VZxb5RpyRJXAQtqRK8JJLWUlDxFbwjbRJEYwMh5O5ra7lURcZJsDcXrdrwpUam1.exe
Filesize
3.1MB

MD5
6c1c54c73cb2c6bebc4ba89cf5000317

SHA1
6a7f5f055b409b146963d12adb7619f7519e5a79

SHA256
f4a696158af473f299cb3b8663308d8cf81fffdaaf4a22ec33d2eaee237f776f

SHA512
29020401e23fa93b3be7f7ba6a4694ac890eac7bf75f045d8789b05431724fbca07b0efff5b6461f933d032a1c7cc41382f6e81486e4554937be613748f52cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\Huj4awQqj6bBh2JUZUVb0UAas92OTBALgUa0R.exe
Filesize
2.0MB

MD5
7e19a36e3ddf425768583527865fde34

SHA1
ee12af01a773c1107fb942af2a96365def95efa1

SHA256
c15dfc8e69eaaa72ca1238e555d56223753e2cd2b6e37af56073edaeb8772f40

SHA512
1f4f3b51afc05b44690aa65b9f46125bae73d05b389bbd1f1b727f9fbc9921e0215cc9801f77b6e879d3f7928c91581b6471347960db852e0844dacc38c2bc42

Download Submit
C:\Users\Admin\kh7Wm8zkcrueDbI4gKC9xK9FMnUn4TxIMeNERTOFQbBrg5jKFsK15r.exe
Filesize
2.5MB

MD5
be1d113d1e9582b8779bc568e02024db

SHA1
17a18b6a55e42d2a2057d936ac3f97c54c3a71f2

SHA256
ac05aa7607035ca5869690ac5a724f6d2d7a0ea089ab9b69d4988f84e6cc2041

SHA512
c7b29372040fb0c90547d65f18e8aceb8a6988608629f4c51d737d4a66b89a29d053b9a457920d16a24446b9106e922f77ccfb6aa3b3fba4c2307450856e114c

Download Submit
\Users\Admin\AppData\Local\Adobe\xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Filesize
2.3MB

MD5
caa3d1de99a4ce1b696807440f30f9cf

SHA1
2c50b20e64c60f7c467f4c2189df6e3174846d53

SHA256
a0e0eb2410c30ff49bf2ffd50e113b82be001fd38eefb61e773038485fe14c12

SHA512
42ee20e0246f10f38e69a18ceef36884de9a535774c9be240a048451c0ac3ae8920bafa28ba61e4577eef15ea605cf16dd7f45361e1290b6cb8293916f23bc98

Download Submit
\Users\Admin\AppData\Local\Adobe\xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Filesize
2.3MB

MD5
caa3d1de99a4ce1b696807440f30f9cf

SHA1
2c50b20e64c60f7c467f4c2189df6e3174846d53

SHA256
a0e0eb2410c30ff49bf2ffd50e113b82be001fd38eefb61e773038485fe14c12

SHA512
42ee20e0246f10f38e69a18ceef36884de9a535774c9be240a048451c0ac3ae8920bafa28ba61e4577eef15ea605cf16dd7f45361e1290b6cb8293916f23bc98

Download Submit
\Users\Admin\AppData\Local\Adobe\xXkvZHHjfp4E97h9alUiyC6l7iVu0jXGtOl4.cmd
Filesize
2.3MB

MD5
caa3d1de99a4ce1b696807440f30f9cf

SHA1
2c50b20e64c60f7c467f4c2189df6e3174846d53

SHA256
a0e0eb2410c30ff49bf2ffd50e113b82be001fd38eefb61e773038485fe14c12

SHA512
42ee20e0246f10f38e69a18ceef36884de9a535774c9be240a048451c0ac3ae8920bafa28ba61e4577eef15ea605cf16dd7f45361e1290b6cb8293916f23bc98

Download Submit
memory/512-65-0x0000000000DA0000-0x0000000000DCD000-memory.dmp

Filesize
180KB

Download
memory/512-66-0x0000000000DA0000-0x0000000000DCD000-memory.dmp

Filesize
180KB

Download
memory/588-55-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/880-77-0x0000000000000000-mapping.dmp

Download
memory/880-80-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1376-62-0x0000000000000000-mapping.dmp

Download
memory/1376-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1376-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1976-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1976-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads