e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:54

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Size

762KB
MD5

d4613fbc01b0bbae29b551d2b488c340
SHA1

64b44d40edd7ba7eec619d24d5af38caa74ecf35
SHA256

e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace
SHA512

7cccb0caccb0b135da6d9404775d46f8798f4e626787c93c21c256626d1e902202eda6a013d6784eda140d79ff95150fe55e5e605199ae981562c0eebd53d8cb
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat

description pid process target process

PID 1428 created 592 1428 9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat svchost.exe

description	pid	process	target process
PID 1428 created 592	1428	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\pA1gOOAZDxKjwzZmakMADKF0EGyJk3dAix0rd8nISvFUuUXwNwX9uLwNz0YD0r0E.exe\" O"	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\storage\\temporary\\KgeADUp0SWG0RPDuVpUEWNwJ.exe\" O"	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\blob_storage\\5ecd537a-725e-4365-9320-993317592ce3\\xP3HOMLf6jly0gaXCaEo2.exe\" O"	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\SwzgG50WYA1Sp0rGPzqOlQa2aX6Q8waGBBb93a9cUvlF1Zfdv4kKQDj50m02CRLk.exe\" O"	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe

Executes dropped EXE 2 IoCs

Processes:

9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat

pid	process
1428	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
1328	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat

Loads dropped DLL 3 IoCs

Processes:

gpscript.exe9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat

pid process

1732 gpscript.exe
1732 gpscript.exe
1428 9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1732	gpscript.exe
1732	gpscript.exe
1428	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat

Modifies data under HKEY_USERS 62 IoCs

Processes:

e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.batgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\CT2NNQ1uyTYJVCKuztAHO7KtiWz4PUxunMKTYhJ3bb0sDWGBmpOKxncFPfytjSiM2EG.exe\" O"	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E05NbzRlFQwptcGVLxjbHr4xhwQftW.exe\" O 2>NUL"	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\4MBnHcChyAGFV2GqutdyTByBeTdGIFAZ.exe\" O 2>NUL"	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000070ca1287e600d901	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f0833189e600d901	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\C6i0Oo7hJmyEQzVTT58JKLxQ0a85Lidefif2yw5Lg5vrs7YkJ0Pu8EmGgcv3VnQaf.exe\" O 2>NUL"	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\USER\.DEFAULT	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\storage\\permanent\\chrome\\idb\\3561288849sdhlie.files\\zDgihWI4CHqtDFQSamB8ENG3OpjywTxZKFE07kAOBfqIQ7udK2hSnjBZOCty7WTcBsNVeSJ.exe\" O"	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000703b1b86e600d901	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\blob_storage\\qzfuAmu7yXVMBapLXteINyNlobGIwcYX0Y.exe\" O 2>NUL"	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\AutofillStates\\kFna2sLCYh.exe\" O"	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000030982a87e600d901	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQWmQOh42Uy6QaHZMFd3Afzk9kxkNDRf.exe\" O"	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hsperfdata_Admin\\IniUtMw97.exe\" O 2>NUL"	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\fr-FR\\WCnh4HYinnrxJZjIDkgMmKChK6vj9BEBPV8ILz7ujLgiW8kU2wn3.exe\" O"	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Crypto\\u2EOBpoxQOFL8kI1xy.exe\" O"	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Data\\LevelDB\\wiI2h1r3IZsdSOPgiVSNFtTGqA82hVKpxH5awT1mMQCKz1b1psCVbgIl.exe\" O"	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\Favorites\\Windows Live\\SJBLDgwtrqns1EpXznboj6rYXeJkDHxBhedkfKbQfROSaoiHBuxXseMcBLvUSGH.exe\" O 2>NUL"	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Color\\gpYe1sn2slAKNcSLYmPZHwh2TJRgb1HbxqwENlqmHs.exe\" O"	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\44\\zUQWvrbV6IBAiDaNxTyVUUYTaKtDGGFiiT2WQUPsLocrbsTOMPFR0yZLOiFrLB.exe\" O 2>NUL"	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000b0122187e600d901	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-19	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-20	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataStore\\fq7DaSCiRnx7Yg9VxGI2ZREtoMIwK0TeGBcv1vwahr6d2v4rh4QB.exe\" O"	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\de-DE\\rrLWQ6CZBSp8oI7I4WDDOXsu7rMOyNiHNUC.exe\" O 2>NUL"	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\Collab\\5kgtuJm3F2GzQanvNmp3bK5lZpgO99Ev405PoA1hKU3bFYXyJnsJj1oBhbBXiTgj8.exe\" O 2>NUL"	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe

Modifies registry class 12 IoCs

Processes:

e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Command Processor	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\21\\tA6kOTNh9kEgSMdG0ji08kr6JNkLBsHFsEWGjna.exe\" O 2>NUL"	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\bBEz9oCrQ7QAn28TOFeeoH40NiGuSInPZqRUFN7kFaEXN38GeqAYzQeOgECfggGKHXt.exe\" O"	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat

pid	process
1328	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
1328	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exeAUDIODG.EXE9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat

description	pid	process
Token: SeBackupPrivilege	1744	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Token: SeRestorePrivilege	1744	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Token: SeShutdownPrivilege	1744	e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
Token: 33	1980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1980	AUDIODG.EXE
Token: 33	1980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1980	AUDIODG.EXE
Token: SeDebugPrivilege	1428	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Token: SeRestorePrivilege	1428	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Token: SeDebugPrivilege	1328	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Token: SeRestorePrivilege	1328	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exe9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat

description	pid	process	target process
PID 1732 wrote to memory of 1428	1732	gpscript.exe	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
PID 1732 wrote to memory of 1428	1732	gpscript.exe	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
PID 1732 wrote to memory of 1428	1732	gpscript.exe	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
PID 1428 wrote to memory of 1328	1428	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
PID 1428 wrote to memory of 1328	1428	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
PID 1428 wrote to memory of 1328	1428	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat	9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat

C:\Users\Admin\AppData\Local\Temp\e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe
"C:\Users\Admin\AppData\Local\Temp\e2575680a9a2d591cd9a98a3f6e8d96e76e3b41e074fec20d27e59f3a71d8ace.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:592

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
"C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x558
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1280

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
"C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Temp\U8k9b1XZoBlmORkcqpVdagfUlTy274wy5yOo7fmfIKFlhDtn.bat
Filesize
1.5MB

MD5
969b97989e498d443693577b07ef5c24

SHA1
c92145f3813b708922c4db15b1630fee0825a329

SHA256
aae5bf50111546cb5c12bb83d70ea46946a4a80d8b21979cadfd2529f2e59058

SHA512
1164490528483d37d1f8a7b499cef13f12ba079edfb342ff37b975709ae4693ec8a064310551281d29a4a8a50fe5422a9755e6308ed6a2e12525c11988d67a65

Download Submit
C:\ProgramData\Microsoft\Windows\AIT\9IovQk66.cmd
Filesize
1.0MB

MD5
ef15d5fd50f145d45955c13732d99eab

SHA1
46c294c0dd55afa17483a5139d5e118657001df9

SHA256
a1b1b663a616f5de105b376237f813f34ad762cf4e60410cea01c198a0145436

SHA512
2823e69de294a9414fd937cf4bad12e12799d8daf7e72198dad1cf6e3a67372a538b41f580e69eb760334b849bdd1b5514c049c302fef3208d95370067a35216

Download Submit
C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\fq7DaSCiRnx7Yg9VxGI2ZREtoMIwK0TeGBcv1vwahr6d2v4rh4QB.exe
Filesize
1.1MB

MD5
166985cd3a2878c22f03a5ee3b720435

SHA1
09898fc9c08fe557422d8f815a52682a1ca7b243

SHA256
6b4ac3323a30150d167272342078fa5e8561dac0f868db2ebcb850aa10a48634

SHA512
b699b69356ae1d76cd36b69a994e4147ddc2c4004b8da093f527634badab2ff18cca007356837ec75ab2aeb060ff9f0fcbbbd4d78b7109bc4015911dffa5fac7

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Filesize
971KB

MD5
7e1adc4418959ed4104753e62ad34b78

SHA1
91a72f7864a2f0c8eadbd5f3ea7fc14dae0ac943

SHA256
4733be536a423556c7799df7227272e4b3c5ef984924526e151351cecf4b95e8

SHA512
53da02338c7c6deed35464f4e00a76d63f74b0b3c4fd1137e52caa4737c841eb219c5fa360de002efc36368aa5a2d9b0dfd3b741c2a10c587ff93de98a69d64b

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Filesize
971KB

MD5
7e1adc4418959ed4104753e62ad34b78

SHA1
91a72f7864a2f0c8eadbd5f3ea7fc14dae0ac943

SHA256
4733be536a423556c7799df7227272e4b3c5ef984924526e151351cecf4b95e8

SHA512
53da02338c7c6deed35464f4e00a76d63f74b0b3c4fd1137e52caa4737c841eb219c5fa360de002efc36368aa5a2d9b0dfd3b741c2a10c587ff93de98a69d64b

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Filesize
971KB

MD5
7e1adc4418959ed4104753e62ad34b78

SHA1
91a72f7864a2f0c8eadbd5f3ea7fc14dae0ac943

SHA256
4733be536a423556c7799df7227272e4b3c5ef984924526e151351cecf4b95e8

SHA512
53da02338c7c6deed35464f4e00a76d63f74b0b3c4fd1137e52caa4737c841eb219c5fa360de002efc36368aa5a2d9b0dfd3b741c2a10c587ff93de98a69d64b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\AutofillStates\kFna2sLCYh.exe
Filesize
1.3MB

MD5
2287cf7ca7331d487e34f7b3a4f3449f

SHA1
2ec2d03070f9b56efc990b921770b9f0a833e748

SHA256
9c4f983cbd04f0fe5de4c05727c6fc5d2b9065f9d624e80bd3f2272aecf643ce

SHA512
add063a431e35e6a49e795e9d5a27755fc52ff44f097acc23aeb860391950b80fbafced1080acc5c34e25413dd1890c42ca600afe57edd63799455335846f99e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\qzfuAmu7yXVMBapLXteINyNlobGIwcYX0Y.exe
Filesize
999KB

MD5
00eb8b621d4e32eee2da1e6de36651fe

SHA1
4ce3c8f077a9109847c6c9a1fe0bf8edeb782f59

SHA256
b423b0e25f902cac794d5caeebd964916d47c66032a4601d4974eaaaebd2fca2

SHA512
189d2332201b5c058b97c7470e7887896b832e3a8dc6bde87e7114aa6a66f498374038f15145ebcf2c2b384fddcf415dbceb0dc63efd8f582e2ec885567cf7e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\iCC0ZywY2wb7upRuibNBzWLJW6UyWS3KRRNt8emCL7EEDwEAZQWMigwmmQ5m.exe
Filesize
1.1MB

MD5
da7a87eadf8a9286e416e639cd24dfd7

SHA1
d2047087b7f998e2eb45dbd70479c7d8381720d6

SHA256
c15fc5ecc36497c41de14c3bbcb5e2450fed5d02f571c5c72ac0c0653eeda7fe

SHA512
782ac5d76b643e1de46f4480b83a4d058655da8de981a22a44bc3927297358ddde32182d3106eba05c6dca46b0203129e95f36503a3d06e533f24e5fafbf9cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\IniUtMw97.exe
Filesize
1.4MB

MD5
31dea38eac30e9d62785fee2a7247276

SHA1
0b23538cc0e5c58bbdfef12db1fe38867bbf5a27

SHA256
5e6654fa1156ea245dfbe375779de6df47ea66c9c556d05f9eb2560a99fb89bc

SHA512
3e2bd203ccbab5adfe58ed51d2102f3f625ec6798c380dd442a60c7140b2e1844858de898e7c7451fb7c4b5b441d16fa0396d5d1256cdde886c0daa9cb274972

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\Collab\5kgtuJm3F2GzQanvNmp3bK5lZpgO99Ev405PoA1hKU3bFYXyJnsJj1oBhbBXiTgj8.exe
Filesize
991KB

MD5
f02d1541dbb2f87ad1ad18273d4901b8

SHA1
87dbc06ef0762edfaa4752a65ea3de1e7062f0ab

SHA256
2d8ea21ca434006b9540e4d84e696bf858132290b958c20cdc3eb00538c42a20

SHA512
421cf7e18ba19409f2c1379c8fca39ab64c84e40512b54f57cf4881b4614c85f0ba7eb45314ac5b245934f3678b8a166cd70a374a21b07f6683c97a9ff048a33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\zDgihWI4CHqtDFQSamB8ENG3OpjywTxZKFE07kAOBfqIQ7udK2hSnjBZOCty7WTcBsNVeSJ.exe
Filesize
1.2MB

MD5
b720ee5b1b13595910e3ccce22ad0cad

SHA1
d6bb847ed48220bc491b6f5e48e858b486263efa

SHA256
32900c4f7a4f2e5ccfb621a292bb4564d791640c2dd04b4d0c1fd3583ddec533

SHA512
99ba6242efa73303fa95480cb85575bee831be02e90e122a10a25612724c768bbbe860700cc723bfdaa3cec3fe0be646e0f85b8f55a9b61b981b5b0b9c3dccf2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\storage\temporary\KgeADUp0SWG0RPDuVpUEWNwJ.exe
Filesize
938KB

MD5
fd37730499128bae22da441879fd135e

SHA1
38ee97351bff6a794c6583881eaa94a42e9398e6

SHA256
01a9dc7e625d957fa5c3c7769c900c54d79c6d68c696ee220afdf3d54d0a0ef7

SHA512
e290240b68beb6e0cb7c8cd20a773cefe3cfa17f73f3a9d514a43d43956f908e8a72a03ed378e0366fec141c6118a542383ab9fdbd7daaa574c58cbb4e6a3d66

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Filesize
971KB

MD5
7e1adc4418959ed4104753e62ad34b78

SHA1
91a72f7864a2f0c8eadbd5f3ea7fc14dae0ac943

SHA256
4733be536a423556c7799df7227272e4b3c5ef984924526e151351cecf4b95e8

SHA512
53da02338c7c6deed35464f4e00a76d63f74b0b3c4fd1137e52caa4737c841eb219c5fa360de002efc36368aa5a2d9b0dfd3b741c2a10c587ff93de98a69d64b

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Filesize
971KB

MD5
7e1adc4418959ed4104753e62ad34b78

SHA1
91a72f7864a2f0c8eadbd5f3ea7fc14dae0ac943

SHA256
4733be536a423556c7799df7227272e4b3c5ef984924526e151351cecf4b95e8

SHA512
53da02338c7c6deed35464f4e00a76d63f74b0b3c4fd1137e52caa4737c841eb219c5fa360de002efc36368aa5a2d9b0dfd3b741c2a10c587ff93de98a69d64b

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9wyna9wpPdyCU6rO5xttyMNqcOSCJAmmipySvpWDnyzVHEkpTyTfDcxObckTC3JCbA.bat
Filesize
971KB

MD5
7e1adc4418959ed4104753e62ad34b78

SHA1
91a72f7864a2f0c8eadbd5f3ea7fc14dae0ac943

SHA256
4733be536a423556c7799df7227272e4b3c5ef984924526e151351cecf4b95e8

SHA512
53da02338c7c6deed35464f4e00a76d63f74b0b3c4fd1137e52caa4737c841eb219c5fa360de002efc36368aa5a2d9b0dfd3b741c2a10c587ff93de98a69d64b

Download Submit
memory/1328-87-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1328-84-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1328-80-0x0000000000000000-mapping.dmp

Download
memory/1428-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1428-62-0x0000000000000000-mapping.dmp

Download
memory/1428-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1428-83-0x0000000001A90000-0x0000000001ABD000-memory.dmp

Filesize
180KB

Download
memory/1428-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1428-88-0x0000000001A90000-0x0000000001ABD000-memory.dmp

Filesize
180KB

Download
memory/1732-77-0x0000000001120000-0x000000000114D000-memory.dmp

Filesize
180KB

Download
memory/1732-67-0x0000000001120000-0x000000000114D000-memory.dmp

Filesize
180KB

Download
memory/1732-76-0x0000000001120000-0x000000000114D000-memory.dmp

Filesize
180KB

Download
memory/1732-69-0x0000000001120000-0x000000000114D000-memory.dmp

Filesize
180KB

Download
memory/1744-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1744-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1772-56-0x000007FEFC481000-0x000007FEFC483000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads