fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd

Analysis

max time kernel
104s
max time network
78s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:19

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Size

2.0MB
MD5

70aa7b630a72ead99360bf588efbd99c
SHA1

40349aa11b3e2f7c61e01f6457d88e205de2a673
SHA256

fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd
SHA512

274373875fe437754ef4481b034a9ef05533f6f7ce8c237bec3a629077d0f0def1cf8ff71304855390a3dbff0262529f7d243c3efc9c7502f265d0dc26bf5f10
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

description pid process target process

PID 680 created 596 680 klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd svchost.exe

description	pid	process	target process
PID 680 created 596	680	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exeklvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8by27av1.default-release\\storage\\xscScpJDqG5ufCLwxnUImHcblSx0T9maCL4joQ4zP2T7sT.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\VV5dIiwvWH3HMLCmcz1mFIXQ2mnBzIn8wHpYhnxF6Q2C3atz71CrfDKFoRIZDDS.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8by27av1.default-release\\datareporting\\LaO1OQmqcWFntD4oH.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Adobe\\Updater6\\5JUFruyDZolT0uZhd2aOV1tIgcSm4Tr.exe\" O"	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

Executes dropped EXE 2 IoCs

Processes:

klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmdklvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

pid	process
680	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
884	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmdklvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

Loads dropped DLL 3 IoCs

Processes:

gpscript.exeklvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

pid process

1064 gpscript.exe
1064 gpscript.exe
680 klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1064	gpscript.exe
1064	gpscript.exe
680	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

Modifies data under HKEY_USERS 57 IoCs

Processes:

fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exeklvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmdgpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Public\\Pictures\\1R2aHHew8QyICxFSze38hKyTMAk7ClZyUlGlzlOuWs4gt3HSJuySMWgp4MKqVt.exe\" O 2>NUL"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\63\\090RDXWxtUP2i1Q7JXgj1AqTbn0I7lLnLctvaSRDlDTxE0k9E3KLaqfqU3NqEOg6.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\KzX2EkiMoF50u5RsU0njCoIkc7gWs9FacVrdysUIEqyKQ4AcmRLN.exe\" O 2>NUL"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\iQXsyV7DR6SmDUIzmf2oNQOTbm4ztYU3ibLEsKAlVP32i4aupHfCggKcba.exe\" O"	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Key created	\REGISTRY\USER\.DEFAULT	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\fqCfPUn2Q84.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\8by27av1.default-release\\cache2\\entries\\45DMHCdjf78LOotCw7xk0p.exe\" O 2>NUL"	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Device\\CfNsYnNM59DOFfHtyWt88qEhoNcImauJxk02hng53wnWLl.exe\" O 2>NUL"	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\n8nxDy5C9br2NXyKX8BiMiHlEqjCpx31k97L1txYkRTWEEKcT.exe\" O 2>NUL"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\s2PAUJZUq9pPXNzwTpP52qP4sreaB8oIcIlU3zCaUKxhb2hlYBe2KoXa7G.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\51\\ypFZXQBFcS1J2JuOw7VDwVBLlqYmGc8Fv77ycgjH8bGPCumJGl.exe\" O"	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\497rtlNxzefem1CTUtTgVmq6fEzAIzqZwjPt42TnsNl2JK.exe\" O 2>NUL"	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-19	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Documents\\KMJbHHllCmd2RaiWFHH4uCkjeacxhQh8CIRVHFA09VFhjYchZbjVv8z6yKP6.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\9\\8TdHLsIR9Xoi8KGMfU5kOtVsygmDHSBve8bv7jPyinPZH5TNjxT.exe\" O 2>NUL"	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000c048850feb00d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\27\\DuQ0bJ9ji3BrHOTQqpuWE3FIkntmGr6ZrWxmQOeFsUQvCpUJMKJB4bhwqoctKUAawySEEU8.exe\" O 2>NUL"	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-20	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\GrShaderCache\\92jEOEJ5JjxLB7c2HtzbyQrgikHum0lriDNksj8.exe\" O"	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\ThirdPartyModuleList64\\IKyOFr2LhnUEY6wHuiK4urdJpfSa9rLhDOh7wCQtcZOyD.exe\" O 2>NUL"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\GrShaderCache\\3W6svhMBwm0QyMvpRS1AKAr.exe\" O"	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\0Xp2aZcGW5YKTI4NgERSq4umrAtNbXJ7gYhBeqj9jULLxF.exe\" O"	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe

Modifies registry class 12 IoCs

Processes:

fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\RpI2U1UZfDndzeRaf7xuk8B0czDmYt5LDvFOlJWezkcDjrg2Tx.exe\" O 2>NUL"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\6\\llDbk0K1PfJbdz.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Command Processor	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

pid	process
884	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
884	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exeAUDIODG.EXEklvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmdklvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

description	pid	process
Token: SeBackupPrivilege	1280	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Token: SeRestorePrivilege	1280	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Token: SeShutdownPrivilege	1280	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Token: 33	1096	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1096	AUDIODG.EXE
Token: 33	1096	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1096	AUDIODG.EXE
Token: SeDebugPrivilege	680	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Token: SeRestorePrivilege	680	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Token: SeDebugPrivilege	884	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Token: SeRestorePrivilege	884	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exeklvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

description	pid	process	target process
PID 1064 wrote to memory of 680	1064	gpscript.exe	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
PID 1064 wrote to memory of 680	1064	gpscript.exe	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
PID 1064 wrote to memory of 680	1064	gpscript.exe	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
PID 680 wrote to memory of 884	680	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
PID 680 wrote to memory of 884	680	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
PID 680 wrote to memory of 884	680	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd	klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:596

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\storage\default\klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\storage\default\klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Users\Admin\AppData\Local\Temp\fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
"C:\Users\Admin\AppData\Local\Temp\fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:272

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x578
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1548

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\storage\default\klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\storage\default\klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\n8nxDy5C9br2NXyKX8BiMiHlEqjCpx31k97L1txYkRTWEEKcT.exe
Filesize
3.7MB

MD5
435d60e0a7005fc7eaaba066989208d8

SHA1
89fc2127c898e77556819350f0059c7c783edf0f

SHA256
26852a52beb894b27073ef0eda14a046db086050b523f69d657696572315dbf0

SHA512
002515dbcad125b850b51354ec17faa0ec5569961b5cab65a89a591d1f7b265b239ccaf2b603fb1442ec7cf09eb0b58a6699606925fbb39e8390a5b99e859f7e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\xEgBSCNDcljHLSF5tFhN8seQQNAmHS90ZEMCWWmmBOyhZu1LDhXD.bat
Filesize
4.4MB

MD5
d81097a0012567ecb32e48e7ab4bc264

SHA1
3f3c773d4ae1764b50bdea1649a55d940f0c2628

SHA256
f17b7d70f1f99b4a1f1d2451760d33611d73fe6cab8f1de46d2bddda2ebf4878

SHA512
1081e60a3d962f82c6dfe9c87836fbd288f29fb0e2b3cc268e28fb3b23dcb8508405a28acc1c4df1ba305400bde0c54839671646575fd198abc1334de95d4dbd

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\s2PAUJZUq9pPXNzwTpP52qP4sreaB8oIcIlU3zCaUKxhb2hlYBe2KoXa7G.exe
Filesize
3.4MB

MD5
38fe6f650754e87ab733bca93c158a5f

SHA1
aeeb073ab0ac8836386a5245b05026b0320ddf3e

SHA256
e77a462c73e06ec8cfecaef67c5b4e3df0f26083566dbef7322c955e0768a9c6

SHA512
85756b8063aedb5f1c95eaacc29ea972c3af8d9eda48128de2b6314b6d4a6780a34439d3b9ae037fbf0e97b7b0c7efcff049a77cc33dd48a57a009913790ce3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\090RDXWxtUP2i1Q7JXgj1AqTbn0I7lLnLctvaSRDlDTxE0k9E3KLaqfqU3NqEOg6.exe
Filesize
3.6MB

MD5
fbdccef15d83255dc3d5616c470929cc

SHA1
3cf6f27d671fc6166af39911af5fe23d2b0ab2dd

SHA256
e781c0a651cde8f10824983b397527857e3a825761f93bfefc98a5d2443fdd32

SHA512
3c65f23be52781f821f6a0d2ac68e952f12694118cbf4727c435c1eaf7c2e71be2350c6108b4b0714bef08ffd5a29c2d297469de63732898a51a61678aae9ed8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\P5cpcFdP2cgqZFaBui18Nr1vbxxp.exe
Filesize
2.2MB

MD5
3fd0864b9746c300bf1c2387232248f2

SHA1
04dc212a07df851494e4bcf858bd3d9a4263e08d

SHA256
f7e601091587d1b1a040e781efbdc05fcb00337ced5d2e6702892faa17acad4a

SHA512
40ee5ce363ff0b58273653b6c2f3533f73c63b682e99b21fec079df9b06dbead69df9ab6bbb9cff9fda0c06ae5ee1d968756a19515ee49e9c860b6cba34dbe51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\storage\default\klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Filesize
3.0MB

MD5
872c8d6b8ae7852bc6899aa0e2e70155

SHA1
5cc74b60f79595003fa6172c1be9c4b8d55c4ab3

SHA256
a686ce107e72ef6f07f5f2bbd3369403dd0f186840ade4926897653b371aee2d

SHA512
18159d9ebcd0baee73c19de2b15e6bae4bf3359f05d066012e0f20021e98b5d533077de4513acd8783b62f466a0d247c0fd667d63133e8a2d164b2d614d7655b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\storage\default\klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Filesize
3.0MB

MD5
872c8d6b8ae7852bc6899aa0e2e70155

SHA1
5cc74b60f79595003fa6172c1be9c4b8d55c4ab3

SHA256
a686ce107e72ef6f07f5f2bbd3369403dd0f186840ade4926897653b371aee2d

SHA512
18159d9ebcd0baee73c19de2b15e6bae4bf3359f05d066012e0f20021e98b5d533077de4513acd8783b62f466a0d247c0fd667d63133e8a2d164b2d614d7655b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\storage\default\klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Filesize
3.0MB

MD5
872c8d6b8ae7852bc6899aa0e2e70155

SHA1
5cc74b60f79595003fa6172c1be9c4b8d55c4ab3

SHA256
a686ce107e72ef6f07f5f2bbd3369403dd0f186840ade4926897653b371aee2d

SHA512
18159d9ebcd0baee73c19de2b15e6bae4bf3359f05d066012e0f20021e98b5d533077de4513acd8783b62f466a0d247c0fd667d63133e8a2d164b2d614d7655b

Download Submit
C:\Users\Admin\Documents\KMJbHHllCmd2RaiWFHH4uCkjeacxhQh8CIRVHFA09VFhjYchZbjVv8z6yKP6.exe
Filesize
2.1MB

MD5
3f420bfd4795c2e3a2f85622b5c7da3e

SHA1
e5d002bae474989ed16c31bc7b649d35cb3f1c0a

SHA256
050e3ab0ad9037372af0587c6049385faa78e8a078536a32e08072c0de42cc3f

SHA512
00a7751c9c4f90fb31efb7c9b855bd68acb3e9c594cf1dc72eb8cfcd6afeef3fc2f0906c5cc9bacc5f1e98dff74bad355afea1d88558fba9533de1e1b505ac08

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\guNIo7FKNbNT8kQVY4gAS6l3EAc5kSWuUAw8MJpXDI3oS5atcVX3Qvwd.cmd
Filesize
4.7MB

MD5
0e05623db13f89f4e3aa30db10a1617c

SHA1
814dde04e51fdb0859127ca263a5e2f64c2318a9

SHA256
e7b43d46da1f72b8c7c214d7051417f8fd7cca1fa38181f86ba53ab0c15026bc

SHA512
efd8510a9d20300cc4fa3dcd307270ae1c1e25b17076b37f76d8fec5b5b79519ac62c0a867d5f507948ff1e59cff032e7acb8453a990b9f627058fa1e686f100

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\KzX2EkiMoF50u5RsU0njCoIkc7gWs9FacVrdysUIEqyKQ4AcmRLN.exe
Filesize
3.6MB

MD5
64ed03218ce4e35b799b8e2f32a15ccd

SHA1
7ffaa969f6326c01a884a2b0b515c8fb7bf03804

SHA256
ea5359bfd861ea5cb84b4f3c28e6a6da43d4a117db148c6ade2e7ac422be6508

SHA512
56c0394b9d79d2492d3f6182ab3649c4ddbc06d35301868913b86fb50a8ece836504beeeee9f0375cd027fa5a3bc496481016cd12ba451ff1f9412241c1d63f9

Download Submit
C:\Users\Public\Pictures\1R2aHHew8QyICxFSze38hKyTMAk7ClZyUlGlzlOuWs4gt3HSJuySMWgp4MKqVt.exe
Filesize
3.3MB

MD5
b162d58f096831b9ddeeb19448729a5a

SHA1
7f7388c9f214dbff386e48bdf8d0250af42e8c2d

SHA256
813b1c3caf13d85febe0b02f718f543b13ae0a832fd5c898710264aeb55ae7a9

SHA512
376e6631e9760e08ff10529c256753716d18894cb0f455aa901cc2edde201d6ab0136f9cfaaf2cdcf43ac9cafead50b020fb77e1918d896195779d5c917ca7bd

Download Submit
C:\Users\Public\Recorded TV\Sample Media\VV5dIiwvWH3HMLCmcz1mFIXQ2mnBzIn8wHpYhnxF6Q2C3atz71CrfDKFoRIZDDS.exe
Filesize
3.8MB

MD5
dab0539012d147a61f7284309b6367a8

SHA1
e0377e709726b840a9e2a3d482da555a39aaaa81

SHA256
29c3b8ac0980f62c6ae3934d9618155c3462b98a5b7144c382f28ad78cc33c75

SHA512
c481fcbc5483b8231df694a342fcf27ddfc4a3fa0e176e7925c5cd3bfad90f3312288ba3fec98daf68a2c3f542ba071f2edfe098d36889c7938e09ac13c71dd2

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\storage\default\klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Filesize
3.0MB

MD5
872c8d6b8ae7852bc6899aa0e2e70155

SHA1
5cc74b60f79595003fa6172c1be9c4b8d55c4ab3

SHA256
a686ce107e72ef6f07f5f2bbd3369403dd0f186840ade4926897653b371aee2d

SHA512
18159d9ebcd0baee73c19de2b15e6bae4bf3359f05d066012e0f20021e98b5d533077de4513acd8783b62f466a0d247c0fd667d63133e8a2d164b2d614d7655b

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\storage\default\klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Filesize
3.0MB

MD5
872c8d6b8ae7852bc6899aa0e2e70155

SHA1
5cc74b60f79595003fa6172c1be9c4b8d55c4ab3

SHA256
a686ce107e72ef6f07f5f2bbd3369403dd0f186840ade4926897653b371aee2d

SHA512
18159d9ebcd0baee73c19de2b15e6bae4bf3359f05d066012e0f20021e98b5d533077de4513acd8783b62f466a0d247c0fd667d63133e8a2d164b2d614d7655b

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\storage\default\klvvT0UPwLoYaVdsvG8SRylhtgMOYBtRsPTLI4dyoyXRxfYjFOntcYaijuCvBfD2aY2l8X.cmd
Filesize
3.0MB

MD5
872c8d6b8ae7852bc6899aa0e2e70155

SHA1
5cc74b60f79595003fa6172c1be9c4b8d55c4ab3

SHA256
a686ce107e72ef6f07f5f2bbd3369403dd0f186840ade4926897653b371aee2d

SHA512
18159d9ebcd0baee73c19de2b15e6bae4bf3359f05d066012e0f20021e98b5d533077de4513acd8783b62f466a0d247c0fd667d63133e8a2d164b2d614d7655b

Download Submit
memory/272-55-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/680-62-0x0000000000000000-mapping.dmp

Download
memory/680-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/680-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/680-76-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/884-78-0x0000000000000000-mapping.dmp

Download
memory/884-83-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1064-75-0x0000000000D30000-0x0000000000D5D000-memory.dmp

Filesize
180KB

Download
memory/1064-64-0x0000000000D30000-0x0000000000D5D000-memory.dmp

Filesize
180KB

Download
memory/1280-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1280-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads