fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd

Analysis

max time kernel
138s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:19

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Size

2.0MB
MD5

70aa7b630a72ead99360bf588efbd99c
SHA1

40349aa11b3e2f7c61e01f6457d88e205de2a673
SHA256

fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd
SHA512

274373875fe437754ef4481b034a9ef05533f6f7ce8c237bec3a629077d0f0def1cf8ff71304855390a3dbff0262529f7d243c3efc9c7502f265d0dc26bf5f10
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

description pid process target process

PID 1212 created 648 1212 H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd lsass.exe

description	pid	process	target process
PID 1212 created 648	1212	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exeH5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\LocalState\\rUTyp2b6TVCGfZGIGo1bbBTsFu4VKwwN8lnJenq.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\ClipSVC\\Archive\\Apps\\hwvh7mpVHXmpHRtqT3Eg64FkLpTqv3k.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\LTnyrUUJzKu3mlJGq1dhpaePnceZEoDxoyuGlUGNwpJOSyqUC0kCyNL.exe\" O"	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Diagnosis\\ScenariosSqlStore\\85A1frJiGkLWAslblQsjK0Yzg0ZBNSUNoh4WsHGPh8lSxS.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe

Executes dropped EXE 2 IoCs

Processes:

H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmdH5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

pid process

1212 H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
1028 H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

pid	process
1212	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
1028	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmdH5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

Drops startup file 26 IoCs

Processes:

H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\62uUiBgaa6Un65LdfgWueAA3rqxS3FUF7MNrnIje4TrntsyVAjDo1FoCey1IyfTgxhLch.cmd	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LywhbSbncJ2ImtNp3pG2HxwhOWS3ze6IYSASJElpvW02filmgcJrT8uPedRg28PVdOL.bat	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\C9QiNIyVW.exe	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeBlkKzMC6K0UGUrrejPUuxRYn5t840g2MRBpWxqHuVJ1I1v3L1DgFY8oB3.bat	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\PEaMK61C6vCymsxxT.exe	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NXPz3L2LnwVq6jQ66gCQZlp6N8CKKWsGOjIyq4DzlaXrh.cmd	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h0RzgitAgp9s.exe	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vE52hWybtLrXvfXHdb67ZN3SdiLqF.cmd	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FDiXiU1KvG4U588wLiHcK0jiuKj8ia5aVzWuJfWnrYllppOjdr7XNyvc6IXdhKD9BBm.cmd	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\tigueYXqCryPjgQImatyRjj2NQAAjdxTpNTMZBqlFMfrQ.cmd	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\1Z5Cql7RcDIWPr2GSDSRPImX.exe	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Y5nvCe07BoPNPT6r.bat	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\3jwx7TyCuMIRq3bdLY70Oig9YFFkcx1AFmJr1XT1e.cmd	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FHQbOctKrR5wwx.bat	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KcrQGafiHFBk8p9Zvw7xJSFuKPjg5.bat	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbqBTZ4yB88NjdfbB4rISpCud7xQeH5hOjMngqpZXFdHaldZl4TjChrI.bat	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Oa9joehlTakUUq1JcTXUzK2lQ9Z5tVfyrF7B6ALh7ys0BtUm2WL488d9iGsIs2qu4v5pp.bat	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\um8g1ZGDFang1dxrPsHcgqZnBfLofPeB3qGvzrLb0Cmwm5.cmd	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JtfgNHvW.exe	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZCkjDoXZcexmi9Y.cmd	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\53g6mD58HhSxBM9UowJJqVsOeDWC6NhRLSj8O5d9TmabZhK2zAABgXGmiJrifnL9p4iqJ.bat	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8SxAnkytyxVRCTnjj6sZl8KagIV7IqIj6gIh2SPfAYOOFTyiYWpKJy.bat	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\LT22UXlA44K.bat	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\lwywmJh3tN8JufoGwdPTQ4m0LHZzSO2WMdTxzOCoCqyBytG0kbBCuEj5H44fRKXy.exe	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\8qRviPnsLfjsNLuWOTchBPetope0xMcsMocoRRoc7vSNa2p.cmd	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tPm3KUFkZs2AnYpFvFQXpQIGjRETCjfaRsY92wnlPmfsk.bat	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exeLogonUI.exeH5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmdgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "169"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\5aRdxhdP.exe\" O"	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\49\\kaWIBXi370LONMmAhzupiZQmTlAMiX1j6y91daBSS.exe\" O 2>NUL"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TokenBroker\\Cache\\JQZ10f7qfoJ7ES35HSTpoqYj3qsPK5bDfTBjkNLRQEkM9YdRjiBiqOoU7xSk6Eq.exe\" O 2>NUL"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\5WKrwrlllRCm4XZ3zxfNfLHHT3TBYu3381I8B86QNOXr1jcACwTOJe844s.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalCache\\nNdVSGwn2scbvRgIGJCFbkqpPf1nvU9AzN7Mjqax8e29ph12X6feFNNR1K2DkRzsv57cylV.exe\" O"	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\USER\S-1-5-19	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\Ijr7Rh4Qw7orwIj0tgxH8qPBduYuX5yCuZcKYP3SzNKNZ87FYhO4Z.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\10\\uYYfmO0XliQKG0CSf9djbiAiJQL0N9I1PB494tZswdayqHiaN0MI6P488.exe\" O 2>NUL"	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\dS0dCsE1lRYp7UHlmTtzd2MMcnmTApNPqAh06yol8J4shJOvFShUEJd8ietwzDyv.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\BmTYfUOwA6Ihf84RKlv7aDytWFWRvU46Ed2opc29lyCm6vzIU4NPrxiwf9vBa8.exe\" O"	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\\SystemAppData\\UhmC7iVbBGWliG6.exe\" O"	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\es-US\\PrXcBINdPn3Y.exe\" O 2>NUL"	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\Licenses\\5\\VQmTht6Lr1vO.exe\" O 2>NUL"	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\InPrivate\\Desktop\\ZsakDa1UBVDx5bMP7mIfbo37O92.exe\" O 2>NUL"	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\3L9Ftitqq3Dlm6uNRJCwm6MbC2V4IzGJGvN2s.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\pt-BR\\K8EAI6XHoyZiILSBQ5X1217y8P4juad6WQehNXThZRN3Ic01yUEv.exe\" O 2>NUL"	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\\AC\\INetHistory\\zjmk21YyowTURVo05bAqh9IbYer9eoMTYbqPzJCJRNGh7VcP25r.exe\" O"	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe

Modifies registry class 10 IoCs

Processes:

fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\\TempState\\73QJrVA9RxJ8U7XsZ1K4FidEpxbbv5BP4No2B9ybqEOufLnaUucyfOiZP.exe\" O 2>NUL"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\kUOgVEJt7ABBeI2I17gWNXQxdSQ0bK2Svv3iZyQSeLI4e2pZ0bX6VhL.exe\" O"	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Command Processor	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

pid process

1028 H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
1028 H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

pid	process
1028	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
1028	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exeH5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmdH5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

description	pid	process
Token: SeBackupPrivilege	1260	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Token: SeRestorePrivilege	1260	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Token: SeShutdownPrivilege	1260	fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
Token: SeDebugPrivilege	1212	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Token: SeRestorePrivilege	1212	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Token: SeDebugPrivilege	1028	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Token: SeRestorePrivilege	1028	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

3188 LogonUI.exe

pid	process
3188	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exeH5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

description	pid	process	target process
PID 4304 wrote to memory of 1212	4304	gpscript.exe	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
PID 4304 wrote to memory of 1212	4304	gpscript.exe	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
PID 1212 wrote to memory of 1028	1212	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
PID 1212 wrote to memory of 1028	1212	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd	H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:648

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Users\Admin\AppData\Local\Temp\fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe
"C:\Users\Admin\AppData\Local\Temp\fcf9dc0f5c06bbe1c0487601059d8d6b645c161fc3f60b884fc03d5618b2c6cd.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39eb855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3188

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4304

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\3L9Ftitqq3Dlm6uNRJCwm6MbC2V4IzGJGvN2s.exe
Filesize
2.3MB

MD5
da9c9e9d0fd2c40e278773f19d157dd6

SHA1
c57480878386b7d959ae1f74cc5ab5dcf9acbcd6

SHA256
5da7e187c9e816cac6f1d6ac39cf3989b53538df792acf587709ac85de748247

SHA512
0a26c81e83ec1dc74de305f8da998178ce2bb1bc9da208d965e4565b1e40f9800a63ac33b712ec6e3eea1370289c1087e0e4a596cc12127a35eda28d05e201ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\42ul7EEai13qlZQQuqFKmMA4rb9E8.exe
Filesize
2.1MB

MD5
bf97a13c3f8d03dd4030177e0aa59b3e

SHA1
164e7cfcb99227837298f3f71ebeb7f499787654

SHA256
8eab760d97381a88dfda70782d31ae76566eec1648859af2296b09800518e8a1

SHA512
a41ff02eab8ead915903470eb69c206dbeab941d484e641f38ea0ec5592ab0973a17888f1c3e694c3311bcfebd1b99607fc2feaaaa0146f1d69045d30eb4bcbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\kaWIBXi370LONMmAhzupiZQmTlAMiX1j6y91daBSS.exe
Filesize
3.7MB

MD5
d46b3569984ad3eb17c9ed2a96e178bb

SHA1
d0368bd0d8bdcd7bd1445e42a576bde406c74e1e

SHA256
59e0de4727a22c6eadb78b71e78e4d296daee4966a5f12fd12c455b5c28b4813

SHA512
3661b0a7d555fcb87d17bc005647446ba694ddb992fc4c1d8e4e899057130c3148506d21feeea34f6cff00ddece3fc92f238af88bcd1bc3cfa7ad0213fb2bc43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\pJrH9S2UqTmXbfz680.exe
Filesize
5.6MB

MD5
ef93f9e1fe70c1ed7f0be0f5415f711d

SHA1
4ac04150da0f9fd342ecb05158f65e969eb6f86e

SHA256
790b60eea0a983b4607959001819f5baea77b88eb3d054366a2290e592ea5f80

SHA512
081170f13b83d1c107ad15d7875ac8478564fc515cf1f159a0d9ddcd9db49a385e7e006a1eaa45bd99d9e7dc01a7d9f2f945d2654a43680ed0a4843116b65f17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\JQZ10f7qfoJ7ES35HSTpoqYj3qsPK5bDfTBjkNLRQEkM9YdRjiBiqOoU7xSk6Eq.exe
Filesize
3.7MB

MD5
71dfe314afce844c9168525b1cf5ab2c

SHA1
67a7d3a6bd1dffa45d8070c43645cd1064a3fb90

SHA256
87b6009bb473794c307511eaf7b71a8e5049a2cb5928fa0aaefaab23ee8d346b

SHA512
f2f7a8234622f8e56ef06c87de1fbb81b480694377dcd071dc62d41db83902862e236db1c701ba60fea417441a4cc2cc37409d41bc57cb500e0045877282b802

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\LocalState\ptBoGF0Z4YGj7BO2XBCqQJifDbSnd.bat
Filesize
4.8MB

MD5
6a7eee8ab546dcb84278fcd7cd9e9c9f

SHA1
2b42a6784de51fc46c1b9444e922b6a3918df72a

SHA256
2545cf657d5123a88a1f6f7ba9ba97035e39ba18865dd5a1ab2fbef6735d2538

SHA512
bd04d7baa4533fd0a17e407513034eb4e402711df7ca6cd7d501ef01a5fb195ab92cfc956fa35907bc64df5296e22385a097aa3e7489e025d35baf471ecfbcc3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\88000165\HHBORJwAV5RZu3OXrgtFoFzF9LUzNxPt8K2Y73cmNi65dkRi2nQhIZrVJesICpn2fUkCDFH.exe
Filesize
3.0MB

MD5
1ac5ca59674a6adcc506df4e39261cfa

SHA1
984a6c1ca6a23b173c362d5a08728d34877e083a

SHA256
9755273471e5f8e4f567551d4e909425a164f8fbe84590f7751e9c5190c7bbe1

SHA512
ee16d7602f75d6894370a966aa0f7ab3329ef86634ac99e5eb10cbe24057cb74a341cb5cccde8aaabed8673140533267891f85ac7067e0b88d2206456eeeb4b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Filesize
3.9MB

MD5
34902d464cf280a4715201abe3f3885f

SHA1
a6c372519df09a2148b14b62f709079fe02c47ca

SHA256
ca2f70ee89549fc3878e172436e4300990b64502d735cc42a2986fb256749726

SHA512
dea1165bd23e69f06d67eb3367a63d68ecbabece7538b1cbed6b2a6886aacad759878337cafb349bbb6a09168ad4cd9da6714d9ae5a97af954c9fb7774b94670

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Filesize
3.9MB

MD5
34902d464cf280a4715201abe3f3885f

SHA1
a6c372519df09a2148b14b62f709079fe02c47ca

SHA256
ca2f70ee89549fc3878e172436e4300990b64502d735cc42a2986fb256749726

SHA512
dea1165bd23e69f06d67eb3367a63d68ecbabece7538b1cbed6b2a6886aacad759878337cafb349bbb6a09168ad4cd9da6714d9ae5a97af954c9fb7774b94670

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\H5ybWuXYZ0P6TgAM39ttStJH3OiaYS9WO8dn1QqEVvi7Wqu9d.cmd
Filesize
3.9MB

MD5
34902d464cf280a4715201abe3f3885f

SHA1
a6c372519df09a2148b14b62f709079fe02c47ca

SHA256
ca2f70ee89549fc3878e172436e4300990b64502d735cc42a2986fb256749726

SHA512
dea1165bd23e69f06d67eb3367a63d68ecbabece7538b1cbed6b2a6886aacad759878337cafb349bbb6a09168ad4cd9da6714d9ae5a97af954c9fb7774b94670

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\rUTyp2b6TVCGfZGIGo1bbBTsFu4VKwwN8lnJenq.exe
Filesize
3.0MB

MD5
af4f8ab049362a09872a75c51de6e9ee

SHA1
b1330298e3bdf1bf537eb166a88c2087d8a1b760

SHA256
ce05b9290cd566275f4b37b47816b46f2279171b927df4109aca08edd7d879cd

SHA512
f3269925bebc675291e47b813931894159a2e40c2b182f7526b6ee9de1ea4d1ca5435f6fe346e1d85cba910e54cd04e8f84bd53313eef17efa43e6198dda7e20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\5WKrwrlllRCm4XZ3zxfNfLHHT3TBYu3381I8B86QNOXr1jcACwTOJe844s.exe
Filesize
3.1MB

MD5
48d6aed2f29f6ad8ef0a7fb7728ff7de

SHA1
b29edb396124ccb9cd03360d11e61d8f58bf9057

SHA256
c9d3af3f6b4b311a52196ca2acea74c51590fc8c541c2b8854fba38348396570

SHA512
82af505ca62456265c71daf4e0542a46da4240aa6a580e16eaa0c5ce64ff7a187c5c4e0d1209657348d8d1d0e2cb6072e8ff6680fe3abd475cd1abf0320eca74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\dS0dCsE1lRYp7UHlmTtzd2MMcnmTApNPqAh06yol8J4shJOvFShUEJd8ietwzDyv.exe
Filesize
2.3MB

MD5
30657f1bc36e03f40df423a152a1dd81

SHA1
27effb9755a1780b6cbbd606bc202f45c141b1e9

SHA256
e711e880e0db7f5ec17764b80bc86ae5ecf19b840634c3416a41cdb6fdd0079e

SHA512
4e34728bfb37f96860f76a006348a405292eef0d495df55d35a7d0b5f8d02686549d37ce75cc230020e387d3fd3dd80787a3047726fb997c2308ea638ff8c88c

Download Submit
memory/1028-147-0x0000000000000000-mapping.dmp

Download
memory/1028-152-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1212-143-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1212-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1212-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1212-134-0x0000000000000000-mapping.dmp

Download
memory/1260-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1260-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads