0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8

Analysis

max time kernel
81s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 08:58

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Size

515KB
MD5

52b63db08080ad73be76914a7b93d795
SHA1

534e983d73ecec65ff8b8e4ef7337292b7070a9a
SHA256

0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8
SHA512

1df366278c8a12c1b4b9b9d00f2849771966f2972cbfba86b0c99a0cc6e73a9dd4332ca9eea536c56545fc42d3d0ee022e22c06beb4a22619635b99e8e49b0c8
SSDEEP

3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

description pid process target process

PID 4500 created 672 4500 aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd lsass.exe

description	pid	process	target process
PID 4500 created 672	4500	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exeaKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache\\ytndjFGh0REnuOif7.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\43\\eLQiB81351VniD81ZbwIUh3XUp4dW7rNtffXxkBG9s5jl8wxDk.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\8OttamSwlDp.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\PenWorkspace\\qQCG3SNX2H8YbKD3nLhURYye8G52EqwnqR9js5lS7URAPgKG6ZxDIe.exe\" O"	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

Executes dropped EXE 2 IoCs

Processes:

aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmdaKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

pid process

4500 aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
3860 aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

pid	process
4500	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
3860	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmdaKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

Drops startup file 2 IoCs

Processes:

aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BoOajKwAWd9lDC9k6FN1cVZPM2hmxrBU2K6GAEMTTOG.cmd	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\WJFeEm3M1y4wBzNBlaxbzD5imyKKDvczNfJ9HK7OfUtkos6DopCKklheUeszrB.bat	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exeLogonUI.exeaKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmdgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-19	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\hu-HU\\OdIndmqHgtmdPi.exe\" O 2>NUL"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\N6azUQaxaAOIii4RUGrALtUr8yb1ES5H3.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\DRM\\Server\\iH6T31LWAK6pzMDX92TVUyC1GTOSwcbbSvdf4MWr4M48L2BomHH5m.exe\" O 2>NUL"	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\vw87rJKPtlCqARSTrAXSTX91.exe\" O 2>NUL"	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.ContentDeliveryManager_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\\28ILi7kF6wcdnjivaAHMb4WC0ARt4VRPpYRI1XfHFMC54NpR9lAGPLLs.exe\" O"	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\ta\\xONvZZIx3jQ5VrCX35sFULZCPPIH7c0af0uAIIfdXvIVNqB7aHTn2u8GRCJ085Jd8oEX.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\0fx48ci0.default-release\\storage\\permanent\\chrome\\idb\\3870112724rsegmnoittet-es.files\\r4aeTab4DqAVbwlUxqgM4yl1XRjpdbVYpMsYxJRa8VO.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\da\\aNBpezcwHCaIpzN6IvcQMdExT1x.exe\" O"	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\NJ975qQyQVrAwOmPk6uIV2W1HgyrNdqHbvbs2F10e.exe\" O"	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState\\sGDm9nuVONmlEXPIFQAXkXEz.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\PlaceholderTileLogoFolder\\C9nXdiL2Mf2ar8cy9T7TF.exe\" O 2>NUL"	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\6EOy2Ow3hft4hd3J.exe\" O 2>NUL"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\AJAWivfxQm10YNyIRhWl1kD5exJnVgDYl3zLWnc9seZhOznbjXaQrgPugjMz.exe\" O 2>NUL"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000c10ca1bae700d901	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe\\avrtNjirg4dRin6xLCyXemIj8P8XR.exe\" O 2>NUL"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\kk\\KkUOwkvYRufiX9zgbqEiMb8q.exe\" O 2>NUL"	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\AsbpiGgVCq.exe\" O 2>NUL"	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe

Modifies registry class 10 IoCs

Processes:

0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Win32WebViewHost_cw5n1h2txyewy\\SystemAppData\\nYO4wwK7MoWyEdMXw7xC51i8gk34v8T4BhACpOSztMG5IPAQAsw9X7XD16BNwOsr9u.exe\" O 2>NUL"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\5zlmcwyru87fixHOuTkWvb7R6l.exe\" O"	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

pid process

3860 aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
3860 aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

pid	process
3860	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
3860	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exeaKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmdaKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

description	pid	process
Token: SeBackupPrivilege	4460	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Token: SeRestorePrivilege	4460	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Token: SeShutdownPrivilege	4460	0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
Token: SeDebugPrivilege	4500	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Token: SeRestorePrivilege	4500	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Token: SeDebugPrivilege	3860	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Token: SeRestorePrivilege	3860	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

5064 LogonUI.exe

pid	process
5064	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exeaKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

description	pid	process	target process
PID 3088 wrote to memory of 4500	3088	gpscript.exe	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
PID 3088 wrote to memory of 4500	3088	gpscript.exe	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
PID 4500 wrote to memory of 3860	4500	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
PID 4500 wrote to memory of 3860	4500	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd	aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
"C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Users\Admin\AppData\Local\Temp\0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe
"C:\Users\Admin\AppData\Local\Temp\0ace968ae7c85f6c1c0dcefc46d59e9625625a2f6b316de0e35fb5bfa00012a8.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e7855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3088

C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
"C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Diagnosis\SoftLanding\AJAWivfxQm10YNyIRhWl1kD5exJnVgDYl3zLWnc9seZhOznbjXaQrgPugjMz.exe
Filesize
889KB

MD5
51916e65d48d85aa5d636b5ad61933ce

SHA1
53538f5126ef952e14fcb09d514b755b5ff18e61

SHA256
3e3b537372c2a82fed03501d8c6e6c15a76ec3887f6056b2b1ac86e0a9128bee

SHA512
5c24d765b6ffe1c0024f47efb4891bb8cdaecfee3df98a6b02109b97d0827109d425d5539fe1b90bd5922e12403f13f90593d1c2afb5a3a3fe2582c9b980f777

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Filesize
672KB

MD5
049c6bce9875570dc5e0c13bb6ffc802

SHA1
552ec320ac5e89234fc27a35daf176abd47b3eea

SHA256
2362004b88f4e49d45d3580377965c6265287a0abf3bde055ee5f3444031d81f

SHA512
76c8c36bedbe1598087696f56d79d073e5409d1d26e4e6fa3ca61212454c214b55a485a629ab3120d5b6063dff00df64c45fd91988e0747bd8be7ce6bd33264c

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Filesize
672KB

MD5
049c6bce9875570dc5e0c13bb6ffc802

SHA1
552ec320ac5e89234fc27a35daf176abd47b3eea

SHA256
2362004b88f4e49d45d3580377965c6265287a0abf3bde055ee5f3444031d81f

SHA512
76c8c36bedbe1598087696f56d79d073e5409d1d26e4e6fa3ca61212454c214b55a485a629ab3120d5b6063dff00df64c45fd91988e0747bd8be7ce6bd33264c

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\aKLM5psNzwwWIOA1rr66g41aY5rEFopHCIAoF2izlmzQf5TLsuLxVbZ6U.cmd
Filesize
672KB

MD5
049c6bce9875570dc5e0c13bb6ffc802

SHA1
552ec320ac5e89234fc27a35daf176abd47b3eea

SHA256
2362004b88f4e49d45d3580377965c6265287a0abf3bde055ee5f3444031d81f

SHA512
76c8c36bedbe1598087696f56d79d073e5409d1d26e4e6fa3ca61212454c214b55a485a629ab3120d5b6063dff00df64c45fd91988e0747bd8be7ce6bd33264c

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\eLQiB81351VniD81ZbwIUh3XUp4dW7rNtffXxkBG9s5jl8wxDk.exe
Filesize
831KB

MD5
b2df90e7acf6b9e9212ad2c2de1d7ad3

SHA1
575b883cd4638ffdbb2483d522858963bb25c02e

SHA256
d124f1746dc5611848d577f51beeac5ca771df191beddf8f0c9f98459618a3d6

SHA512
7cdc477e296ae7cde2515c1941b0c0a34aca1651c64b70a88ee8b7c7d501875d0a0c71dfaf3338faf231ad2b12802872c2f12f0fd1590893e6350c1cd206c6e7

Download Submit
C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\Dw9jH90fQyfsB2Q2FMH8mJDWieLfzxiQH6Jj.exe
Filesize
990KB

MD5
4bea9d40656b597fb3993d9157907140

SHA1
01089657c24611d97ed50c7aa3d85d737a53fe77

SHA256
ab74a524a0bf3e24c0bd41e43fd3843cbb233864c5a1229aa908fa7229bbdfe5

SHA512
516325c80e9702df68bfdf3688d247f5fb2cfd117be07a105ef83fe2f11b0d303af552045d48c123b6a93a18eb04eaf770a71ac50f004ab27fe96232a74eb911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ta\xONvZZIx3jQ5VrCX35sFULZCPPIH7c0af0uAIIfdXvIVNqB7aHTn2u8GRCJ085Jd8oEX.exe
Filesize
771KB

MD5
02cc7bf31dc4f1f6e512a7f2b2b622fe

SHA1
4c658b8989003abe01565184ad5e51df068e0e55

SHA256
b6161a58a5a0e7eaae7c6d8cd11f3ed7bdc3cbc7fd09ff60f0a86197384035da

SHA512
66b277ada2a4cc4dc76f74b24f6ed8332d7b5acf18d1efe5aa58b5bd9219460976e21a1a81cd15c355fbccaa7f0afc786a0edd429c5f5ee4102142877f423638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\hu-HU\OdIndmqHgtmdPi.exe
Filesize
714KB

MD5
458066800cc17d6bf2012d14bb8b2b67

SHA1
9539349f75ddd87609a0032b17b3e51445890bac

SHA256
c94252efc1825a9599e73985b403b5994d7e85fd497f83a71884752d2f871ce4

SHA512
d69c7751a8c299f312950844caa3527060f7aa236b0c2b538b4feec2aad215311c2ac4a7cbb28d80036e050dc7602431e373c668fb30c65eca7c71f005908b86

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\TempState\sGDm9nuVONmlEXPIFQAXkXEz.exe
Filesize
708KB

MD5
f5ed9fd69b70ef157c208e5764194ad6

SHA1
7568cfa2ec30b3b49b50a459b52972098738b4e0

SHA256
d74a5cd2b7b025a9a61a59cf5e78a7b14d14ede19621a21d984e576fc987665e

SHA512
3328e0270b3931594d0313de93ee99e5c883ca33911606fc08b2610818a6a16d8c3e8504321d23b3ee35007bf723eb36bb2f31ad35a5b3570fea239189ac1fe1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\0DQLmlnlcMzRfIGMZ3A0OgjAVPjY.exe
Filesize
810KB

MD5
165d9b52d5c83760a13faa84a6d10aa4

SHA1
f281ccc8d3cafef41befb4e8e9ca9e0597da842f

SHA256
edcca54877839038b466aed49c65e67c6635caf39165f446e55ba930390a31a2

SHA512
02a9198ecb7cc10af691e455a4cb0e746adcc7cf2579ba734688e29b8cea102cfd1221f7f4ebd8da6f7f53c9299c19d0319849a93ecb41b4c15c60dda5bb5566

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe\avrtNjirg4dRin6xLCyXemIj8P8XR.exe
Filesize
723KB

MD5
94f4159d08d2c5f80baef0421063d99a

SHA1
301df72dc8436e9ac02c00206433336e0f1be624

SHA256
7c444322da454c6c58e3a2e2ac6da17de4c24951ffd580cdd9824af0f76bd207

SHA512
f51be2ec7639f2e0ca1a1b93947488c56f9702d9f4c048057d4d07ff8ceda8e0bae8d7746ad32eaae506650d81456f2987ac27a0b4ad23cf53b91eae02f4fa4e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\RoamingState\kMO66QOuSyKp.bat
Filesize
1.0MB

MD5
4063b04d4b91f193bcf8b3d96ca2fc25

SHA1
2a53eceb3df3d51c8b63b59e3d5e62b38f7f8a58

SHA256
63070375b844d913df9f5adb61e650e9e7a9954149f03c04755a2ed49ec9d8a2

SHA512
ae20cacb532f1c0257b042f33f779c3638485be2253d82b162458a900ed77be331b72ecdfef0e53fda6389d856da8353639f4157cb5e442b821e386a001fda06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\r4aeTab4DqAVbwlUxqgM4yl1XRjpdbVYpMsYxJRa8VO.exe
Filesize
552KB

MD5
a96184adfff25a261c9350ca778d6fc8

SHA1
b4b3864dd3e84c6453e78af9343f3e48a0a02d83

SHA256
f3b166cc0ca8263d0a2b170ca349c5797f46b60470a55b25d98410f70817e1ab

SHA512
0935da7556bc29b1d6095e8940ee74de332114a5a3ec7bd5913b1a3bcd397a95d8ef343e37d02fa8560921e31b06bc32b71d7cee9e0ad93e01905bb9998356e1

Download Submit
memory/3860-147-0x0000000000000000-mapping.dmp

Download
memory/3860-150-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3860-153-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4460-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4460-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4500-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4500-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4500-145-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4500-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads