a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59

Analysis

max time kernel
39s
max time network
29s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 10:02

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Size

759KB
MD5

d9ea4f8848c1349ce785e76c04f9c603
SHA1

31933f0a34d0bdac3007b0248adfbe16916a9a7d
SHA256

a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59
SHA512

ab257a38c41d4b1e32828ce418b238bbdba2ca969c5f66354a39958751ba2c9d72935a595901c890bcddb109de797042f7279e12b314967edcfd4db463d668ef
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2024 created 588	2024	fkhFPIvIJlQIeIdK.exe	17

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\89wd9V0clGHNJ9iVZ5F5wn4cS7UwWSG0aVcLYEAb.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\GPUCache\\hwPbD5otUZREven24sAP.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\1\\IoBWodRgQPrP08fTL5BvCx5iKip8IAaEY3ZONzq6FJHe55.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fkhFPIvIJlQIeIdK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\kqDsl7XYHYGSgGeyAhgDDDibhcPjeQXM2QylVTJC0XQ.exe\" O"	fkhFPIvIJlQIeIdK.exe

Executes dropped EXE 2 IoCs

pid	Process
2024	fkhFPIvIJlQIeIdK.exe
1816	fkhFPIvIJlQIeIdK.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	fkhFPIvIJlQIeIdK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	fkhFPIvIJlQIeIdK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	fkhFPIvIJlQIeIdK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	fkhFPIvIJlQIeIdK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	fkhFPIvIJlQIeIdK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	fkhFPIvIJlQIeIdK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	fkhFPIvIJlQIeIdK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	fkhFPIvIJlQIeIdK.exe

Loads dropped DLL 3 IoCs

pid	Process
1176	gpscript.exe
1176	gpscript.exe
2024	fkhFPIvIJlQIeIdK.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 60 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	fkhFPIvIJlQIeIdK.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000006084986fe700d901	fkhFPIvIJlQIeIdK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	fkhFPIvIJlQIeIdK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	fkhFPIvIJlQIeIdK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\zeSuP4McGElD8teZeqwIrEGufUvOvAsXPs9bavWJd2ltIkW5QtOZCwlHVcvxQw3GM.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e0076d6ae700d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\Saved Games\\0mCVKkgGGr5ae0Ux9v476YF41rSEOEaHxPvFPREKrgCRVQDkB4EiqvSfv.exe\" O 2>NUL"	fkhFPIvIJlQIeIdK.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PtGHF4BzwnvDwsGHLBi4QMwvgVAs6.exe\" O 2>NUL"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-19	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\UpuBAyeTp46iz2.exe\" O"	fkhFPIvIJlQIeIdK.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Xg0gmrUEYO.exe\" O"	fkhFPIvIJlQIeIdK.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	fkhFPIvIJlQIeIdK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\NEKoNqx0wgGaE35doljv2TDFemTqRiwLjtuEjXO13PZl5zgsXceTLzUYLIjL7xE0IRdXOYX.exe\" O 2>NUL"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\SecStore\\bdQHsAn207HZ0yUEbNX94rp0TXMZg6hYwrk7WScbzl0DEdniIUSkHIpNZpV4nRg86l.exe\" O 2>NUL"	fkhFPIvIJlQIeIdK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\4gq1sglk.default-release\\storage\\permanent\\chrome\\idb\\2823318777ntouromlalnodry--naod.files\\oUq727w8QNtGD2jUiVfGfRwd5Bvf0jIzyhZnbNWVvfqU2V.exe\" O 2>NUL"	fkhFPIvIJlQIeIdK.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fkhFPIvIJlQIeIdK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	fkhFPIvIJlQIeIdK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\packages\\vcRuntimeMinimum_x86\\45XoI6HHFZ88N0KDnsoc1MPkmCaZCcop5.exe\" O"	fkhFPIvIJlQIeIdK.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\X1xJWbtuKKnmCv6pWhbqwDc5UJyCl.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\iQ7C0hcLKodegUw0X6xUOssgBm0n9zd6dRveiif7bb.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fkhFPIvIJlQIeIdK.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\21\\vwLEIzcAVBJWH49ovOQQkD.exe\" O 2>NUL"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\HPV7qsVILDGa8C5e2I1IblhfmmZwVYT8pDa3TcBm7Hy21IjjFv.exe\" O"	fkhFPIvIJlQIeIdK.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	fkhFPIvIJlQIeIdK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\\TS5piKvbX5DaqO8qFdREIApUaGkLimuhPjzsPtO0fZG0HEAewkU.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	fkhFPIvIJlQIeIdK.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	fkhFPIvIJlQIeIdK.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\Tiles\\pin-2845162440\\MiUwozNwzStPlmrd4K3RXtE0Kvb3XAu7zpkIe323mk.exe\" O"	fkhFPIvIJlQIeIdK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fkhFPIvIJlQIeIdK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\7-Zip\\aKyINV18rox9sKmnGToYdGe.exe\" O 2>NUL"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-20	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\NonCritical_x64_3eb5ea8473594499407cacbd9887e2953d50fd80_cab_06f0976e\\zmT0PqgvcWHunLfPhDvveiNS.exe\" O 2>NUL"	fkhFPIvIJlQIeIdK.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\h0QFg7AnUkTJ6zq8pcNJ3pl8n7M01MGi.exe\" O 2>NUL"	fkhFPIvIJlQIeIdK.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\55\\ihTkQPnOORnrKC4RVnKsBYnCKYdrqGAfkigMjvQm0I0N4j9O.exe\" O 2>NUL"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Color\\Profiles\\MGzEHgifULcJeLW1IT4QZ67zMSHAiyaPryMPWN0nC7ErFi2PH.exe\" O"	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\SOFTWARE\Microsoft\Command Processor	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1816	fkhFPIvIJlQIeIdK.exe
1816	fkhFPIvIJlQIeIdK.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	1196	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Token: SeRestorePrivilege	1196	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Token: SeShutdownPrivilege	1196	a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
Token: 33	528	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	528	AUDIODG.EXE
Token: 33	528	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	528	AUDIODG.EXE
Token: SeDebugPrivilege	2024	fkhFPIvIJlQIeIdK.exe
Token: SeRestorePrivilege	2024	fkhFPIvIJlQIeIdK.exe
Token: SeDebugPrivilege	1816	fkhFPIvIJlQIeIdK.exe
Token: SeRestorePrivilege	1816	fkhFPIvIJlQIeIdK.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2024	1176	gpscript.exe	31
PID 1176 wrote to memory of 2024	1176	gpscript.exe	31
PID 1176 wrote to memory of 2024	1176	gpscript.exe	31
PID 2024 wrote to memory of 1816	2024	fkhFPIvIJlQIeIdK.exe	32
PID 2024 wrote to memory of 1816	2024	fkhFPIvIJlQIeIdK.exe	32
PID 2024 wrote to memory of 1816	2024	fkhFPIvIJlQIeIdK.exe	32

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:588
- C:\ProgramData\Mozilla\fkhFPIvIJlQIeIdK.exe
  "C:\ProgramData\Mozilla\fkhFPIvIJlQIeIdK.exe" 2
  2⤵
  - Executes dropped EXE
  - Sets file execution options in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816

C:\Users\Admin\AppData\Local\Temp\a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe
"C:\Users\Admin\AppData\Local\Temp\a6d79208ffd797d53bfaf8bebb9988f4400c138d0f3ecd466f6e6adb13cb4e59.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1708

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1d4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1188

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1176
- C:\ProgramData\Mozilla\fkhFPIvIJlQIeIdK.exe
  "C:\ProgramData\Mozilla\fkhFPIvIJlQIeIdK.exe" 1
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\X1xJWbtuKKnmCv6pWhbqwDc5UJyCl.exe

Filesize
771KB

MD5
93bdab7f861cc7a449d88c572adecc81

SHA1
4a5a8e4784052959e0341dfdaed7297dac95c78f

SHA256
5676fba2b417453a53d0820475a4d7842fdb3ab0afd51603351b109b57626eb3

SHA512
a6b045913cb183bd8256eaaef0f6625144db6eec0805de5548ed284c28faed0bbef45fcb981f11fd3a0cae9628e7f20f9d4d6f1abc2dd127a5a5d2f464985a7a

Download Submit
C:\ProgramData\Microsoft\Vault\521THfDXn1XdvtDZRnk3PYx06INqx4dIO05O1iyPtEXITv9C.cmd

Filesize
1.1MB

MD5
6a9967a261cb387ff684edbcd0ee6590

SHA1
c6bb34965d97c73fc80c3ce466b03d90e4874d06

SHA256
6087ea9ed12eb85803f12adc5c2dc12dc9dbffeea751a195080f8329a067c35b

SHA512
b67f1d1086650419794b9a84e31a8705d978837ba741e7237754d7913114a1b877fd90d9b2c569bbc781814346366e685ee0e7e6d2dd6b7ac0bd6c7e571bfb1d

Download Submit
C:\ProgramData\Microsoft\Windows Defender\Quarantine\8SgXiXaH5Ewen4c8B75NFLbOhpUSYliCoGR7lM47sM5bobLjQWMsdKpQ8lZT0.bat

Filesize
1.5MB

MD5
f6db28718ff46568e1c37f0b6c02ae94

SHA1
11c433a64c79e3f18230294c7126573adf4f7ef2

SHA256
7845351053c48cd55d6fe6618d5ff6756b5d75d411f1eacef1d2ef4c302a6b80

SHA512
2501b85a12d98d4a37d0b206b75bec286268f72f0a2052741751aa6eb0727a7a6d98e9b68040014ee76ee047db6962a0a6cafe183967cabe3497dedb2eab2709

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\aKyINV18rox9sKmnGToYdGe.exe

Filesize
769KB

MD5
970e2ead492e8acb6c389a40f0d79919

SHA1
b055ef6872ae81dcc3dc54803eaf572e08073530

SHA256
be171a361e4e2e3d96f818809d32c5fe95b971062c60be0b03364778355c7f62

SHA512
b878c5e298e8ce173709dfab496fcae233f0777bcee6748248641a7c0a7320bf28469dc6d64dbcf3ae907aa98fe33963072c0b66af292016d290ca3d0fc441f1

Download Submit
C:\ProgramData\Mozilla\fkhFPIvIJlQIeIdK.exe

Filesize
1005KB

MD5
aa02d0c693a16d7c6e1f23e38a575d08

SHA1
384306cb4d8ee2c871e0c54cfe4d1f3f705afa5f

SHA256
86d3d630e2527725dde89c46e1fdd52425b41416524243a95fb13c04d2fedfd5

SHA512
f7b59f1a28298096fdd7d63c52162720a1efd69cdf99e4785a7fffb1974a3d0ae1111be7eec479e4f5ae6a0b654de602534854b04a1a15a1a4711b4c1a076942

Download Submit
C:\ProgramData\Mozilla\fkhFPIvIJlQIeIdK.exe

Filesize
1005KB

MD5
aa02d0c693a16d7c6e1f23e38a575d08

SHA1
384306cb4d8ee2c871e0c54cfe4d1f3f705afa5f

SHA256
86d3d630e2527725dde89c46e1fdd52425b41416524243a95fb13c04d2fedfd5

SHA512
f7b59f1a28298096fdd7d63c52162720a1efd69cdf99e4785a7fffb1974a3d0ae1111be7eec479e4f5ae6a0b654de602534854b04a1a15a1a4711b4c1a076942

Download Submit
C:\ProgramData\Mozilla\fkhFPIvIJlQIeIdK.exe

Filesize
1005KB

MD5
aa02d0c693a16d7c6e1f23e38a575d08

SHA1
384306cb4d8ee2c871e0c54cfe4d1f3f705afa5f

SHA256
86d3d630e2527725dde89c46e1fdd52425b41416524243a95fb13c04d2fedfd5

SHA512
f7b59f1a28298096fdd7d63c52162720a1efd69cdf99e4785a7fffb1974a3d0ae1111be7eec479e4f5ae6a0b654de602534854b04a1a15a1a4711b4c1a076942

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\vwLEIzcAVBJWH49ovOQQkD.exe

Filesize
1.4MB

MD5
d0e76a3551f9c0b3b6d0f083fc86c69b

SHA1
e873a3a3641106762135cddc6b4f6f42d153301c

SHA256
083b416e4ac33529111e291177f426924373684aaa4b4c65cd5b967dd67fef0d

SHA512
b34d0215ee8e332f5a4dc0017167e88e01b940963813cd26f15eed09fb5f7eb90207151c0a722eced4276ae60d6005d0f0ae0965780b6e55b50b3299a52e92c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\hwPbD5otUZREven24sAP.exe

Filesize
1.4MB

MD5
4bf7133e4e96fdad76443e51169b2940

SHA1
3e5f6d206672f0f731266bda6e3b6e024cb8ff99

SHA256
e0dc8bd10db0b8f09b199542bac6d2e3259dab599433afb6b431c78b0446dcea

SHA512
1a8a0e6c8aa094cae64743cde87b7c456a1989aa93f5a4430329be71a1640cef7fa51f3bfd2da2b4078463c915634e0c382c95a3ff4131351b309b6eb3a663cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\iQ7C0hcLKodegUw0X6xUOssgBm0n9zd6dRveiif7bb.exe

Filesize
867KB

MD5
34638016a8dc30bfe340cb5c4d529fc0

SHA1
b944f1fa2a3a0282c271413361084e6e6282f1b7

SHA256
d4221666d089807e0759682938c0bc80d9b74160abe0bacd842150e97bbab8b0

SHA512
425ea867bad9f444547c33d61cfdf9fef88ebd9a0ae15405fb718f2f4378824f9e6481b4722441e8e9094696cc665dff43b9777dce6d4e0198aff707e633f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\PtGHF4BzwnvDwsGHLBi4QMwvgVAs6.exe

Filesize
1.5MB

MD5
9899060e65187455fc1e560a5266ab49

SHA1
325a54c91a5b681902cd5c9fbe8e73a045d278ff

SHA256
fd0e7015c01cda8fc6cfcc96997848fd03726c1994d6d321f89164466b78f194

SHA512
8bda3cc88f6029b99cb4e8a751ce2aa94af76989bacdecc8f1a3ba5267050f101fb4ca60116f6f70e44aeeb7444db4cc43d41986414dd11970a6523793ec8b9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\zeSuP4McGElD8teZeqwIrEGufUvOvAsXPs9bavWJd2ltIkW5QtOZCwlHVcvxQw3GM.exe

Filesize
1.4MB

MD5
8e4b8945446d25cd6a8710bdf2b7f3e5

SHA1
3fa95b0be14868fa988da1723b393cdd33448063

SHA256
4b3c45166d73651b68d67fbea800da36b132dada21d27134d17a61f7d114f47c

SHA512
66b65e02872dd57fe668e17ca524d17c1e05bfc16f46e7e0f0f5552bbadb2178c118ecdf4224f28aa72c978dad1df22bda22cd3f297649d2dcea8714aa92028e

Download Submit
C:\Users\Default\0C5kI4Mdp2cy.exe

Filesize
1.4MB

MD5
a074585e94bbfb898dc5ef4cc90b1a27

SHA1
b9475b8c7d11e508b4a261c3aa73847091ca894b

SHA256
ca8f9cb88da2ff468d5180af29995406ccde03f756ae5845004558494518b8d6

SHA512
c84e91bc9bdc70593577aa8300589f899a1bccb318ad178bba9a9822bcc3b3cafcb7e9af8d6462489bc443fff9a8a645cdbed3cab68d7f6ce09a03ef281a66b9

Download Submit
\ProgramData\Mozilla\fkhFPIvIJlQIeIdK.exe

Filesize
1005KB

MD5
aa02d0c693a16d7c6e1f23e38a575d08

SHA1
384306cb4d8ee2c871e0c54cfe4d1f3f705afa5f

SHA256
86d3d630e2527725dde89c46e1fdd52425b41416524243a95fb13c04d2fedfd5

SHA512
f7b59f1a28298096fdd7d63c52162720a1efd69cdf99e4785a7fffb1974a3d0ae1111be7eec479e4f5ae6a0b654de602534854b04a1a15a1a4711b4c1a076942

Download Submit
\ProgramData\Mozilla\fkhFPIvIJlQIeIdK.exe

Filesize
1005KB

MD5
aa02d0c693a16d7c6e1f23e38a575d08

SHA1
384306cb4d8ee2c871e0c54cfe4d1f3f705afa5f

SHA256
86d3d630e2527725dde89c46e1fdd52425b41416524243a95fb13c04d2fedfd5

SHA512
f7b59f1a28298096fdd7d63c52162720a1efd69cdf99e4785a7fffb1974a3d0ae1111be7eec479e4f5ae6a0b654de602534854b04a1a15a1a4711b4c1a076942

Download Submit
\ProgramData\Mozilla\fkhFPIvIJlQIeIdK.exe

Filesize
1005KB

MD5
aa02d0c693a16d7c6e1f23e38a575d08

SHA1
384306cb4d8ee2c871e0c54cfe4d1f3f705afa5f

SHA256
86d3d630e2527725dde89c46e1fdd52425b41416524243a95fb13c04d2fedfd5

SHA512
f7b59f1a28298096fdd7d63c52162720a1efd69cdf99e4785a7fffb1974a3d0ae1111be7eec479e4f5ae6a0b654de602534854b04a1a15a1a4711b4c1a076942

Download Submit
memory/1176-64-0x0000000000F50000-0x0000000000F7D000-memory.dmp

Filesize
180KB

Download
memory/1176-65-0x0000000000F50000-0x0000000000F7D000-memory.dmp

Filesize
180KB

Download
memory/1196-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1196-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1708-55-0x000007FEFB641000-0x000007FEFB643000-memory.dmp

Filesize
8KB

Download
memory/1816-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2024-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2024-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads