6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472

Analysis

max time kernel
64s
max time network
56s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Size

533KB
MD5

8b9b3e8175fe8a11c442f19e1fd55e65
SHA1

8de36ddfdecbc0189449d8e2fa9394c9552c2c93
SHA256

6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472
SHA512

7bf6062f6c64e53a44803cc84fc849db75b5537264f2a5e849912bb870304893df7d5c59d665dc4b906cccfa31238437054140487aad48124213854c8e5278f0
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

description pid process target process

PID 1584 created 584 1584 1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe svchost.exe

description	pid	process	target process
PID 1584 created 584	1584	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\storage\\permanent\\chrome\\idb\\1657114595AmcateirvtiSty.files\\GRdF2i4TWNELCnG.exe\" O"	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Libraries\\TIuvynxR2cEboahRPsHcYPze0yFAA6fZGnMDkQG.exe\" O"	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\h1pN5ygU.exe\" O"	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\YH8UCllK6UPNHqhZ0fe9lqjKNVOREum296Fe0mo9GdoHuq01wLvz0veAfVrsdME0KJ.exe\" O"	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe

Executes dropped EXE 2 IoCs

Processes:

1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

pid process

1584 1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
1484 1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

pid	process
1584	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
1484	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

Loads dropped DLL 3 IoCs

Processes:

gpscript.exe1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

pid process

1816 gpscript.exe
1816 gpscript.exe
1584 1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1816	gpscript.exe
1816	gpscript.exe
1584	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

Modifies data under HKEY_USERS 59 IoCs

Processes:

gpscript.exe6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000007049043ee700d901	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\41\\zGKeSjQjkFnMT1t3OPw3ItJjM3ZL1Nc6u9uEyTUxFTSY4cY7OVHd.exe\" O"	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\.DEFAULT	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\IOVmdeHTiFeQ4PIi0SFaxiVKE89KhPuv3o77f63mkG0uiELpLOSr.exe\" O"	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f0363842e700d901	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\3ycyspc24uRcxM8njaq.exe\" O 2>NUL"	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\23\\IyhPrqL8GVq7Zo0D8E3PsI0VAvUrFtIF0AirKCUU1LXh74GiZl4ZuE8s.exe\" O 2>NUL"	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\GZ4ajSjmCU4788vtoGsLCmgaFZhmj8JPBp14c8nSsjUGZAWpMH2VtTVpUD7JNuTaMlZ.exe\" O"	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\GatherLogs\\cfM0IivSH4.exe\" O 2>NUL"	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC\\TnP4bVWVeVUeSvpyzDC9g8Fi73OjKGwApjvIfTOFMVtcAQuJNpP.exe\" O 2>NUL"	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\fr-FR\\r2xNCUxO1lF4J3DnaFK4jkxAmKZEcLt52.exe\" O"	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\Pictures\\FwRnkhx30y301KmplNK0LvOJyQS76OSHB8ugBFy5sK3qEKL3JJwhLjsefBo.exe\" O 2>NUL"	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-19	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\NonCritical_x64_14581a24ae3cd03160d66be822236893de867_cab_065c531e\\FFCjLjl5CvSvMRDK3KBIXv0U.exe\" O"	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\QYQH7AhxfcLNHczobsoUpb1RWsKEkh7faSApWSs2tgAz6fL.exe\" O"	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\ynqN7REmLP43jqcL60qIiBSj9oY5.exe\" O"	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Code Cache\\wasm\\index-dir\\dsDOIWGnVuRHT3Y0sNUMch127fcfGdKQJk2vEis0ms4GOhPNfPj1qHNdX2YTsT.exe\" O"	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\EqXAh47Pkp.exe\" O 2>NUL"	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\Dso1PYEaa8x1I47slUkhhRCMVUl9sY49F37n97zn5mQNob.exe\" O 2>NUL"	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Kj3MIqDLevhJWTkHuHbCnHiMCmCUoDxcX1ViTKBVqBbhrXod73ccFcoAPCuLM9QWFfO.exe\" O 2>NUL"	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\VGzHJEYN7sI4mpZWz6fXOP98ZzFPM9MU5fVZ0ccifU8ugsDnz2CG0GLOmbWoW.exe\" O"	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Games\\we8DHWTnSISNrlBpxNTcJq3QANG6pn6vrjc2A5JivrVG3jmPNASecwLTpu.exe\" O 2>NUL"	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

Modifies registry class 12 IoCs

Processes:

6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\CjrN486qoSkLPRAaiWEFKiwD.exe\" O"	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Command Processor	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\fr-FR\\p6lOET55018EJO07GE5A1f7VxFsW0xHc3VYOgmAIJbjzmN6oNGmpxRmRuKC.exe\" O 2>NUL"	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

pid process

1484 1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
1484 1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

pid	process
1484	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
1484	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exeAUDIODG.EXE1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

description	pid	process
Token: SeBackupPrivilege	1440	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Token: SeRestorePrivilege	1440	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Token: SeShutdownPrivilege	1440	6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
Token: 33	1348	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1348	AUDIODG.EXE
Token: 33	1348	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1348	AUDIODG.EXE
Token: SeDebugPrivilege	1584	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Token: SeRestorePrivilege	1584	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Token: SeDebugPrivilege	1484	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Token: SeRestorePrivilege	1484	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exe1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

description	pid	process	target process
PID 1816 wrote to memory of 1584	1816	gpscript.exe	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
PID 1816 wrote to memory of 1584	1816	gpscript.exe	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
PID 1816 wrote to memory of 1584	1816	gpscript.exe	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
PID 1584 wrote to memory of 1484	1584	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
PID 1584 wrote to memory of 1484	1584	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
PID 1584 wrote to memory of 1484	1584	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe	1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:584

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
"C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Users\Admin\AppData\Local\Temp\6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe
"C:\Users\Admin\AppData\Local\Temp\6909ba3d32e35efbf1710839ffd611e05c35aea8492b3611a8ac999e65f78472.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1976

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x480
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1184

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
"C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows Defender\Support\2yU0IA1QW.cmd
Filesize
1.4MB

MD5
7e822f482d6ec945b3750a3746c3676d

SHA1
c283163d07a73c2d20ac95c7bac579869af30b4e

SHA256
6b7fd6d44737b03127e90e89df1e7561d553352961ca5fe6b89c1d04507c7fd6

SHA512
4d5557108709729d361c5958a22d9fc68ed2c70f5b0610fa7d0d893353663c7fd105363371f0d7fc1cb09d07ca053f703ead210414eaecba7e0e9d952e8f6ed5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Kj3MIqDLevhJWTkHuHbCnHiMCmCUoDxcX1ViTKBVqBbhrXod73ccFcoAPCuLM9QWFfO.exe
Filesize
942KB

MD5
6247d0509653961f1882c87fb92652db

SHA1
ede16ea0c00ae7894c1869c4fa6d77ab2a5c335b

SHA256
1c3f59b11b08c4adc055690a3b3df1a98770529c5d2f04972dd7ada6d697f565

SHA512
d9648b1b49f6a1a2eddaa244e4d4e00cf9c6cc32f484b5364c71d91a8c3eb8cb01aa4c60186a19386d03bc453c746b85ab6b77ff6403a4454dd6b2e29e7190e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\IyhPrqL8GVq7Zo0D8E3PsI0VAvUrFtIF0AirKCUU1LXh74GiZl4ZuE8s.exe
Filesize
703KB

MD5
8290fb05db9f9d575a4cd43ce6e9f3ba

SHA1
0930714ea7bdb33608474d56ae53212831e4eb1b

SHA256
1e70aeb9f1028f233d61333d8f73ec68e0d63a785a3bb49cbbf2cb5e5686386e

SHA512
60167fffa9eb73f419c594b76b2bb8d2c6c155cc98d4152c90b35e824e13a90d619a5ef5a83f0ecb6a442f5fa5dae069c0566bc1da209b59cdcbe61fcf001f91

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\zGKeSjQjkFnMT1t3OPw3ItJjM3ZL1Nc6u9uEyTUxFTSY4cY7OVHd.exe
Filesize
1006KB

MD5
e9c3cf96fd477b260c4739a12cd7ec70

SHA1
fc140d7da23655b747828ec8e097370caddf4fbb

SHA256
436c1841bad9fb7f159cfe03b471f4c981b7ee697b7752f5b8f8c72fe2160f65

SHA512
1982342880f881779111897438b0caa45abc415b148c025d0d4f8d6615b64d1ef87767f561ee54bcd110091a6132f96838989adec47a0ee0ad63edc00157efcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Filesize
731KB

MD5
277546feb3864786de7f0485464ab91e

SHA1
3552420edd12065b9103c779a10b9490d40b53e8

SHA256
7eea00b239c9cc955c25b35aecfa1f90e82cf2a02e1fb59b0dc22d3593e1097b

SHA512
b79d97678418658e7a49964795e56ce04452d86c4665206b718ad1752fe25fbe8cfbe97aaebd4d204d0b6079f44aad1d34c278fb4e77712a1c320e635dd56817

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Filesize
731KB

MD5
277546feb3864786de7f0485464ab91e

SHA1
3552420edd12065b9103c779a10b9490d40b53e8

SHA256
7eea00b239c9cc955c25b35aecfa1f90e82cf2a02e1fb59b0dc22d3593e1097b

SHA512
b79d97678418658e7a49964795e56ce04452d86c4665206b718ad1752fe25fbe8cfbe97aaebd4d204d0b6079f44aad1d34c278fb4e77712a1c320e635dd56817

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Filesize
731KB

MD5
277546feb3864786de7f0485464ab91e

SHA1
3552420edd12065b9103c779a10b9490d40b53e8

SHA256
7eea00b239c9cc955c25b35aecfa1f90e82cf2a02e1fb59b0dc22d3593e1097b

SHA512
b79d97678418658e7a49964795e56ce04452d86c4665206b718ad1752fe25fbe8cfbe97aaebd4d204d0b6079f44aad1d34c278fb4e77712a1c320e635dd56817

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\dsDOIWGnVuRHT3Y0sNUMch127fcfGdKQJk2vEis0ms4GOhPNfPj1qHNdX2YTsT.exe
Filesize
935KB

MD5
bcc44040203a572773e922b4a3217a92

SHA1
27bf65f682f303d71f49fc4e8c3b47440eb9411a

SHA256
a68f27d0440c2d03bcec1c3a3c4b3c9b3a60575b022e3d58fcef72190a398cc1

SHA512
3f870a477fe4f939c58fb355bd668e6733c83cffbb351569dc55b678f81446a2b4197513af2acb61b15de0607eb70b07cd2b51035dbc430488e54fb5b2fde16f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\4moQCqBYOXVgA3jhGrN1uolqXC1omt5eB4tLI7bhy2PeBVD.exe
Filesize
723KB

MD5
7d7e597259528bd8c1a024c75ffe1505

SHA1
1bdb46dea9c84bf1c4c2fc1250e3e6b9c65b7491

SHA256
94fef43587b081b786b94c83d408ef10d7a0c30d656bf61ba03e872358aa5186

SHA512
c4e33f7239492d78ff38241ed9041cccbe005ed87c4e8394d525b9ab6b06b9617760e078efa1f6cb1eee44ce99174b9b0cc9328ba6d6fb4679bda32263c86c1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\GRdF2i4TWNELCnG.exe
Filesize
553KB

MD5
e545851e2266fa438226dad59e353bd9

SHA1
8202037c58b78ab37ecbedf9812fea810444d5b9

SHA256
1cfaace82aa3c29888cbd703e0fa8387e2a9a44cd842cf5d413428fb71d39ca3

SHA512
5f034c92f481d71957fca7bde7e00076343159d8df68c6a2048c5b02c7877dcd7c31fdbe717e63f1748bbe5a9fbd1300e2e949b1a6ec27294eb32aa4a2f8f9d2

Download Submit
C:\Users\Admin\Pictures\FwRnkhx30y301KmplNK0LvOJyQS76OSHB8ugBFy5sK3qEKL3JJwhLjsefBo.exe
Filesize
595KB

MD5
cdfce4aa125f303e258c046dfe1ad95b

SHA1
fafa855b3d916a8c532c67bfbe4bda5a144ad9c2

SHA256
c9a5b4e32a8fc73a59a689b5c677b6bcf3c75aef7060c730d1cc5da14616adae

SHA512
91dc35742c88439a035d22ced2eb0c09aeb2d38e4af585e07915b65bcccc75ee4b41e6617f1db989f55cbfe29ec72f8e9ef48234c66dc91a2b2914f78a2600dd

Download Submit
C:\Users\Admin\Saved Games\9iyCrOBoZOgspu8yRCJSSSRf3SSpGFwezIHw3F0SnXC.cmd
Filesize
1.3MB

MD5
0d37640023318630d49238d71a74d1b9

SHA1
d4f852e0eb176d4c48a5f02a8245f146a91b5262

SHA256
251ce3e862395e10dd13027516773e31954e1ef42aaa56d1f22ab31f0d7aa923

SHA512
6652af80d701135b4c405da222d256a0f6524e6336ce9964c917a1bef5b278868afc0e571ad54a1445ba13c73dd2a6ef4c45018e8bc6a32210c009ea7c446a2b

Download Submit
C:\Users\Default\AppData\Local\Microsoft\QYQH7AhxfcLNHczobsoUpb1RWsKEkh7faSApWSs2tgAz6fL.exe
Filesize
822KB

MD5
25a727029fdcc84f68dbced342e07b59

SHA1
d55b8095f8d656e96be7dea0943c55e3191eea65

SHA256
861a43b95cc8b46f7939753066ffbaac5f5190541c3cb41781c872982a6575ab

SHA512
6daa032f68a97b7e9fdc11b7e07af14d2992e31c84b57ac97489522f6f68556ce94131d580dfae760fe5d6f2b24d6396ff175873761333c55ac07d26c6856fc7

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Filesize
731KB

MD5
277546feb3864786de7f0485464ab91e

SHA1
3552420edd12065b9103c779a10b9490d40b53e8

SHA256
7eea00b239c9cc955c25b35aecfa1f90e82cf2a02e1fb59b0dc22d3593e1097b

SHA512
b79d97678418658e7a49964795e56ce04452d86c4665206b718ad1752fe25fbe8cfbe97aaebd4d204d0b6079f44aad1d34c278fb4e77712a1c320e635dd56817

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Filesize
731KB

MD5
277546feb3864786de7f0485464ab91e

SHA1
3552420edd12065b9103c779a10b9490d40b53e8

SHA256
7eea00b239c9cc955c25b35aecfa1f90e82cf2a02e1fb59b0dc22d3593e1097b

SHA512
b79d97678418658e7a49964795e56ce04452d86c4665206b718ad1752fe25fbe8cfbe97aaebd4d204d0b6079f44aad1d34c278fb4e77712a1c320e635dd56817

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1PvIJWnoIcqXetMjYTM8Evldgm6niaTWoNrMnohhl.exe
Filesize
731KB

MD5
277546feb3864786de7f0485464ab91e

SHA1
3552420edd12065b9103c779a10b9490d40b53e8

SHA256
7eea00b239c9cc955c25b35aecfa1f90e82cf2a02e1fb59b0dc22d3593e1097b

SHA512
b79d97678418658e7a49964795e56ce04452d86c4665206b718ad1752fe25fbe8cfbe97aaebd4d204d0b6079f44aad1d34c278fb4e77712a1c320e635dd56817

Download Submit
memory/1440-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1440-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1484-83-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1484-80-0x0000000000000000-mapping.dmp

Download
memory/1584-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1584-72-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1584-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1584-62-0x0000000000000000-mapping.dmp

Download
memory/1816-77-0x0000000000FE0000-0x000000000100D000-memory.dmp

Filesize
180KB

Download
memory/1816-76-0x0000000000FE0000-0x000000000100D000-memory.dmp

Filesize
180KB

Download
memory/1816-70-0x0000000000FE0000-0x000000000100D000-memory.dmp

Filesize
180KB

Download
memory/1816-71-0x0000000000FE0000-0x000000000100D000-memory.dmp

Filesize
180KB

Download
memory/1976-55-0x000007FEFC621000-0x000007FEFC623000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads