f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8

Analysis

max time kernel
151s
max time network
137s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Size

382KB
MD5

0be752959742a3ca66a19d41641ee50d
SHA1

ad963d1a4a49e8f3ca21c9cbf409a714afb6d77f
SHA256

f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8
SHA512

407abfddcf8b6648c89f6b773954466c17179b634eda991e40ce65b0f059599f05960e3b128f0cab891ba3ef4c53dc1003a40135b418b69d2d4188cc7222abb2
SSDEEP

3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

description pid process target process

PID 1692 created 600 1692 ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd svchost.exe

description	pid	process	target process
PID 1692 created 600	1692	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exeln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\it-IT\\lADuuGrlh16cZGKblEj2U5nIJX.exe\" O"	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\8PENRVY0\\eqekQVUAnvsMAVWO.exe\" O"	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\168JUGlvclI.exe\" O"	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\IdentityCRL\\Ll9JfQxBYyyGY3Avfp0u0XJcB0iTWlbixGzfoK8R2b23BhkkQhnsK1hOqn9ZO2b77XigvRl.exe\" O"	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

Executes dropped EXE 2 IoCs

Processes:

ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmdln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

pid process

1692 ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
556 ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

pid	process
1692	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
556	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmdln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

Drops startup file 1 IoCs

Processes:

ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EnoQ6rcnYfUs2AstlqXpe6S7JdGtxhwX1twTkuYlVG9A.exe	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

Loads dropped DLL 3 IoCs

Processes:

gpscript.exeln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

pid process

1776 gpscript.exe
1776 gpscript.exe
1692 ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1776	gpscript.exe
1776	gpscript.exe
1692	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

Modifies data under HKEY_USERS 59 IoCs

Processes:

ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmdf6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exegpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\NK8Kji6X4YmNTSjSIzr2.exe\" O 2>NUL"	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-19	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\EPDHTW9E\\NQJ3lNBdfYUwDOaacvsRAuBbBbwFpg7H2p7GJfNCizILb7rdBjgE.exe\" O 2>NUL"	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Subresource Filter\\vTHcMVJwQ.exe\" O 2>NUL"	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\User Account Pictures\\I5pakSxawkaoEmfAH35qGUAs3.exe\" O 2>NUL"	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Network\\Connections\\2TV6WujGPclPcPFwGH2l4YwSirElyPbI6yJBTPgO5hItJ.exe\" O 2>NUL"	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Media Center Programs\\VBNqGOkV5B7P1SzqyuXetRC6byed67i22PZSsMVJwsCZBMqOC0J5D7Yu9kzcLM.exe\" O"	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\oKL6fbRfyw2kfov12TdMf7mVpnsO7R35EXX2EFnSgZtch7SAlqHI3HnQ6vuSlYl94J.exe\" O 2>NUL"	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Crypto\\Keys\\alU2MQ9W6ofeU4wLLyZQhcb.exe\" O"	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\dTbvSWNj841gF5IMNYlqAm2M7l0s.exe\" O"	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\E9pGNZgdQULnIU.exe\" O"	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8by27av1.default-release\\storage\\permanent\\chrome\\idb\\3870112724rsegmnoittet-es.files\\AAqswDwKjEJjvmrIOmZYmGKPcA8eyzPO56YcgG7PeMc33oIQtW7uYjSpW.exe\" O 2>NUL"	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\USER\.DEFAULT	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000090da654feb00d901	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\wRyiG16vpK7PM523s1LnDpZ6VGcmoeQTxPbbckf4iMk0BmXl8DYGbxjR67F3.exe\" O"	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\3miETmoA6C88NjrqZtRxskwRd8LrhoUJpV1ddr2cb2TVdVwBxe9cCUyJhozf73AGx4VB0.exe\" O 2>NUL"	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\SecStore\\ZDRw1oj08I73a.exe\" O"	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000005032f64ceb00d901	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{61087a79-ac85-455c-934d-1fa22cc64f36}\\mUcxGTgLIUtC7roG.exe\" O"	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Searches\\PHE95RMGDFpxnZkZy.exe\" O"	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\fr-FR\\42vTPtdITBcSLDOD6ah.exe\" O 2>NUL"	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-20	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{61087a79-ac85-455c-934d-1fa22cc64f36}\\PGWJBDFSbKMdippLdj8cVogkgMlBVyWDFBCnf102J.exe\" O"	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe

Modifies registry class 12 IoCs

Processes:

f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8by27av1.default-release\\bookmarkbackups\\szlgHFs51A7CfWr.exe\" O"	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Command Processor	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Public\\Downloads\\xgnzUjsPpmJC008ujiuGLoEObc1bA793EMq54kxFe4B.exe\" O 2>NUL"	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

pid process

556 ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
556 ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

pid	process
556	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
556	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exeAUDIODG.EXEln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmdln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

description	pid	process
Token: SeBackupPrivilege	908	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Token: SeRestorePrivilege	908	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Token: SeShutdownPrivilege	908	f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
Token: 33	1452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1452	AUDIODG.EXE
Token: 33	1452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1452	AUDIODG.EXE
Token: SeDebugPrivilege	1692	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Token: SeRestorePrivilege	1692	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Token: SeDebugPrivilege	556	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Token: SeRestorePrivilege	556	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exeln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

description	pid	process	target process
PID 1776 wrote to memory of 1692	1776	gpscript.exe	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
PID 1776 wrote to memory of 1692	1776	gpscript.exe	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
PID 1776 wrote to memory of 1692	1776	gpscript.exe	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
PID 1692 wrote to memory of 556	1692	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
PID 1692 wrote to memory of 556	1692	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
PID 1692 wrote to memory of 556	1692	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd	ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd

C:\Users\Admin\AppData\Local\Temp\f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe
"C:\Users\Admin\AppData\Local\Temp\f6559927cc22b1399c7e374e106514669a5b16f6adf04b93f1bc95e1b5b9e5a8.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:600

C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
"C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:948

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1888

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
"C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Connections\2TV6WujGPclPcPFwGH2l4YwSirElyPbI6yJBTPgO5hItJ.exe
Filesize
451KB

MD5
c6044763574cfeed9e3425ca4d3dc886

SHA1
2c92c92a9bbd5d61d1b0d4cc5b99a3a1250e6103

SHA256
49277ac6fd01b04a494ee7548de11809e52d2479e09524464039101bf3690fb4

SHA512
bfeb818e76e4f0f46ec1e0f19675bfc89c9023cd74ffa027dd762bf73511e85b1cf61d92330e7698901ecb28fd4301f19d9dddfeec4807ac7506f034e26f3b1e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\ZDRw1oj08I73a.exe
Filesize
465KB

MD5
420ad01c2f6e7d1a44541af3e14ffb14

SHA1
bc973768f008fdb70ecb0371f9fa57d589a48e11

SHA256
9089034bbb4366988d5709410126925c400b20605b13891f20b0c26ddd4eaad6

SHA512
ed8de7b5c4c62f39f1e834d738f815e45fed28a1372eeb66e9da444011af8fae57f7d47b8461cced7923b43d6318705e2d4b8020733c6be6cedf0349ee37e24e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\NDcHm6QJnmxGGmZea.bat
Filesize
888KB

MD5
73e88a065bad4b67028239554c787ceb

SHA1
99bbd5874538373ffc10b7144f921c22a01ce44e

SHA256
8347797efa0c5c710fd45322cd65ea982c439bdc713f2079f00e10657c4389ad

SHA512
ae79666e6ec1600a3529f74c0ea74c894ea9b584f71ad287488e789aa478f3f06bb224fef8589d288313f80e9ea91f8e6b32cb75ca17f5302ed499f091d2f1eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8PENRVY0\eqekQVUAnvsMAVWO.exe
Filesize
728KB

MD5
5a28b758f4bca578fad7bc8bae233d41

SHA1
b58d17cc5cdc0d3285b502ce277eed4d95d5711c

SHA256
a814ac21ee7c02eb9b56e832083f5f3716d02743ca93a7f3d8b10fe6af1f5ae3

SHA512
c7a311ebfa06eaec448db5886109a7009e8bb3052234bfd4987dcad0f229de3cec469f3e2bfff397e28de7c62baf35bad43581ed55d8399d61b7faf5acd229ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\N740L7ZB\a85OnIxZzpanunkBUG9yvenIc9yfv61UmZfjkopDqNyZyaWt1M2ZouvU7eYHehZCGuDWO.cmd
Filesize
529KB

MD5
cf4ccacf7569b1ec7f513f7a3cd469df

SHA1
19f50688f50cce3a08966df3bf3c1acf627e2c6c

SHA256
11fb97ad0f61cc1026c5549b81ddd79bad518310a68e6a2346bf01646a0bebc6

SHA512
c78d17d767364bd8b3fea5188fca0fd187ef72c97563bb9d1f190d2c73c08f13102e6c7fddf0eb02f7beb0eb329fe0c4025ec8bad5c4ba36f3a985f8c6b85c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Filesize
502KB

MD5
7a5ddee3f31bec5b16efe91463a0bbce

SHA1
dd6b7a3d043e00f59e511288fc4a3bbcc45f3616

SHA256
29a472a023d44d99a6efc82fd74e0ac2fc4986d3212ad04fbc18af441508eb4c

SHA512
0205d0c95178248fe2451ef9ba7eaeebea8e23ac4d2194f44053c9e301f35f6d0fc435408c8aa36eacd921d7c89a0056f0ae8ba12cbf7e3ccfff1814b06b8b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Filesize
502KB

MD5
7a5ddee3f31bec5b16efe91463a0bbce

SHA1
dd6b7a3d043e00f59e511288fc4a3bbcc45f3616

SHA256
29a472a023d44d99a6efc82fd74e0ac2fc4986d3212ad04fbc18af441508eb4c

SHA512
0205d0c95178248fe2451ef9ba7eaeebea8e23ac4d2194f44053c9e301f35f6d0fc435408c8aa36eacd921d7c89a0056f0ae8ba12cbf7e3ccfff1814b06b8b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Filesize
502KB

MD5
7a5ddee3f31bec5b16efe91463a0bbce

SHA1
dd6b7a3d043e00f59e511288fc4a3bbcc45f3616

SHA256
29a472a023d44d99a6efc82fd74e0ac2fc4986d3212ad04fbc18af441508eb4c

SHA512
0205d0c95178248fe2451ef9ba7eaeebea8e23ac4d2194f44053c9e301f35f6d0fc435408c8aa36eacd921d7c89a0056f0ae8ba12cbf7e3ccfff1814b06b8b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\oKL6fbRfyw2kfov12TdMf7mVpnsO7R35EXX2EFnSgZtch7SAlqHI3HnQ6vuSlYl94J.exe
Filesize
645KB

MD5
f2e443c7d84d5cbb8b62f31905b7ba6d

SHA1
ff807efdd55cd62266be9b502e38c24cf678e2ff

SHA256
f78eb3d700247fcbaa5f650315f9c47a5bdf31305a0f57c752de6d1a73010aea

SHA512
c480f6b0f36feb4aa4b4d39b7ab9c655dd49ea880815858bf108ae48dfc9870a8d345b0ba8635f3f88777b55efa0cd65a2715f8c2586b3149ebb4c5c9d62825b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\F9QF6TnLxIVxerjAyhIQa5zSih.exe
Filesize
510KB

MD5
ced41d666cc653cb959c1f8d50b0d633

SHA1
02187b6eea0833ef3cedcdaab83247da82a9e21c

SHA256
b68395f43aca688571e46e4809682ea23b50f4bfa2439b214ec145f89bc0f2b7

SHA512
e05035c948661c2c2db786a66c3f5dc01f70410d2cf47d92e095d285279ee986d6a5aff074e338db9b50b819d6ca78b95941ae81acb34914671090ef5be06316

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\3miETmoA6C88NjrqZtRxskwRd8LrhoUJpV1ddr2cb2TVdVwBxe9cCUyJhozf73AGx4VB0.exe
Filesize
566KB

MD5
e329f93ec27a37f366a7d546f0e73110

SHA1
e08e83b9edfda9ae64c420071a040a22945de588

SHA256
ec7f574d6ca09d78ca20d6508dc2d016c6110a84668565a38c0b06564f775205

SHA512
f2a0db93e62c2244230adcab5c49d61dda07f3ef85b66e65ad1b53b382cbf406cfc39242afbafbf942748edc48cf9062da229ffa96da91457f2899bb28dd12d4

Download Submit
C:\Users\Admin\Searches\PHE95RMGDFpxnZkZy.exe
Filesize
732KB

MD5
d0b232db71f2a7203ce6375f6b39576e

SHA1
f70c62852978b70d8f193992cc2ba8e06deb2274

SHA256
4abeea22cc0ef18a76054b91972ffb9a9d11e53b48d5312843edb55c4e1806dd

SHA512
6bfd495a920d5df316b37e9e5bffdb21ef24045a9fa20be2136a22cc1779c57870fda78a277378becebeebb928c12a5ea995319539366c0ebe8a0316dd82f507

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\E9pGNZgdQULnIU.exe
Filesize
427KB

MD5
64ea33854c0b8f90dc10cfb3d1e024c2

SHA1
7142e22bc070e8de6d304d4e77182e399a96e5ca

SHA256
cbc6806b09ab5ad943190fef779407b0c44f96b748587de6dea2798fa92c6f62

SHA512
72eda9851b963e7d8f3c63d20116ba4458e5a215848d1541a48e9aaf8e9161a1f48bed8e3c4bf62c052b34ee31d05b8c0fc7caeda8955195f3d297a6e0e026b0

Download Submit
\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Filesize
502KB

MD5
7a5ddee3f31bec5b16efe91463a0bbce

SHA1
dd6b7a3d043e00f59e511288fc4a3bbcc45f3616

SHA256
29a472a023d44d99a6efc82fd74e0ac2fc4986d3212ad04fbc18af441508eb4c

SHA512
0205d0c95178248fe2451ef9ba7eaeebea8e23ac4d2194f44053c9e301f35f6d0fc435408c8aa36eacd921d7c89a0056f0ae8ba12cbf7e3ccfff1814b06b8b98

Download Submit
\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Filesize
502KB

MD5
7a5ddee3f31bec5b16efe91463a0bbce

SHA1
dd6b7a3d043e00f59e511288fc4a3bbcc45f3616

SHA256
29a472a023d44d99a6efc82fd74e0ac2fc4986d3212ad04fbc18af441508eb4c

SHA512
0205d0c95178248fe2451ef9ba7eaeebea8e23ac4d2194f44053c9e301f35f6d0fc435408c8aa36eacd921d7c89a0056f0ae8ba12cbf7e3ccfff1814b06b8b98

Download Submit
\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\ln7YkAJ5ogPa2RTPM5ArUKkUT8bCHJ3bKGw4YhUAtEsDTEOAzL0TjTo.cmd
Filesize
502KB

MD5
7a5ddee3f31bec5b16efe91463a0bbce

SHA1
dd6b7a3d043e00f59e511288fc4a3bbcc45f3616

SHA256
29a472a023d44d99a6efc82fd74e0ac2fc4986d3212ad04fbc18af441508eb4c

SHA512
0205d0c95178248fe2451ef9ba7eaeebea8e23ac4d2194f44053c9e301f35f6d0fc435408c8aa36eacd921d7c89a0056f0ae8ba12cbf7e3ccfff1814b06b8b98

Download Submit
memory/556-85-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/556-80-0x0000000000000000-mapping.dmp

Download
memory/908-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/908-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/948-55-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download
memory/1692-73-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1692-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1692-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1692-62-0x0000000000000000-mapping.dmp

Download
memory/1776-72-0x0000000000ED0000-0x0000000000EFD000-memory.dmp

Filesize
180KB

Download
memory/1776-77-0x0000000000ED0000-0x0000000000EFD000-memory.dmp

Filesize
180KB

Download
memory/1776-76-0x0000000000ED0000-0x0000000000EFD000-memory.dmp

Filesize
180KB

Download
memory/1776-71-0x0000000000ED0000-0x0000000000EFD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads