8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6

Analysis

max time kernel
185s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Size

720KB
MD5

76d4d6064bf443f45b37bc2a3d7fe680
SHA1

809eb5b3913cb071848033d7d7dc4408bf36189e
SHA256

8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6
SHA512

554e737ae5935c1a4077def48e29f6dc2f98da08f0802c134c6ca34cbe3ec4e2e3e17b50bcd83cd206577615cbc139b580e2ebf7d80d741182863b546528b69a
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

description pid process target process

PID 1036 created 600 1036 BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd svchost.exe

description	pid	process	target process
PID 1036 created 600	1036	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exeBizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\R44JSJ2X\\w9aH26hHU24BVqVT7PBzlDXXLhF6yyy7CQPIo9K9tUv9UOGCLao50JRwzEno3iDcVf.exe\" O"	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\20\\cTaF4qkTW9EH9tR0Z0BiHy7Y6OxVF1jNHcOhquTFOOiuhWGdKcjCeaolYMLbr9T.exe\" O"	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\RPrS21xpHbAXksR4LgesovosGKiZBl0XXZV.exe\" O"	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\oT7WRLq4nQVlVmoDodfZ7DInFomWG0fYgwLnGDQpOihosZRNKskX4fPVAF2KMVsA.exe\" O"	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe

Executes dropped EXE 2 IoCs

Processes:

BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmdBizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

pid	process
1036	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
788	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmdBizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

Loads dropped DLL 3 IoCs

Processes:

gpscript.exeBizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

pid process

1560 gpscript.exe
1560 gpscript.exe
1036 BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1560	gpscript.exe
1560	gpscript.exe
1036	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

Modifies data under HKEY_USERS 59 IoCs

Processes:

BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exegpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\MSDN\\8.0\\TFO1fDk1UbbwHCEBBIXDnqbzV00SJMAGSDMu1JOkcH3chGenhFJmQ.exe\" O 2>NUL"	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000504ac93eeb00d901	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Crowd Deny\\3GSYzbgOexIHiPfdkPVQsUfuFiJzc5KtzUYC4cleyIFhVCZVnLNE78.exe\" O 2>NUL"	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\ro4wZ3q0M0UcE71p9g4diDkMF32UijBq5fnl9qyNyU.exe\" O"	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\.DEFAULT	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\AIT\\lBTnYQwzUm.exe\" O"	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\WwanSvc\\sThQDwKSDX69CNeb1pRGfk6GTBFgmxDX8ZqjuFFeKObjd.exe\" O 2>NUL"	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\AIT\\iTem48DAI65cweeFMkDWgYbC7oYUx3kkSzvh2hsu9V8jIfjPxgJdh1GqQVxC5.exe\" O"	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\dEiyit67qvKXsD0MGzDMonS02Emte5JrF0dxXcwOSc44NtagMoiaPQ8oOpY2AaukhM.exe\" O"	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\fxMNTcxh0dAipMn7MUMXhUeIPxxQ.exe\" O 2>NUL"	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8by27av1.default-release\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\4dFVpFh63ZxdlmxBYRKx3NHUPm9y9uQk0vKTDARvWfcVgRLX1o9QiDMrVDip7UMvpAVXOV.exe\" O 2>NUL"	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-20	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8by27av1.default-release\\storage\\default\\moz-extension+++df0a4dae-fe60-489c-b8d2-ad17f3db00b4^userContextId=4294967295\\AcLW0tmG.exe\" O 2>NUL"	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-19	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\ARYBULCxcRMp1ypalj9RBh8SgzPRz0iuOyoJ7Si0iognexsT1R8JZFK08k.exe\" O 2>NUL"	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\IXEQDDjIRFYO4MeaW4t8RZ8Q8d1deAoYRPRsTxAqS5pj07K1ASh8CWnc.exe\" O"	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8by27av1.default-release\\crashes\\OE2ze3e6wN64SEeyrn65eEyRoT.exe\" O"	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000304fc440eb00d901	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\snl73r42ABENCVasuVUQ5p5wgfxItrm7slLZ2AHDPvynx0yw0f2xGPZZfLJsEP2Ryy5nFjE.exe\" O 2>NUL"	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\47\\tYAojRlm.exe\" O 2>NUL"	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Local\\Temp\\b2DQwHwl89S3I6TTckTzgozTAGu0Y6.exe\" O"	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\49xUxtsbz7oDZlT8P9yuBDKkZnP0hSx.exe\" O"	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\K8VuDbcM1fUJXKoifQLk8zrN.exe\" O"	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

Modifies registry class 12 IoCs

Processes:

8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Command Processor	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\SafetyTips\\bQyTVEay9sjknGdV2WUk3nnN8MKlTy20UiGRl976rynwpJgFSysWS6dM349gpHfVS.exe\" O 2>NUL"	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3hmHRg2TmSdGiRHOAqCk2LR6v3LhiY6lYD.exe\" O"	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

pid	process
788	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
788	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exeAUDIODG.EXEBizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmdBizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

description	pid	process
Token: SeBackupPrivilege	1788	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Token: SeRestorePrivilege	1788	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Token: SeShutdownPrivilege	1788	8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
Token: 33	988	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	988	AUDIODG.EXE
Token: 33	988	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	988	AUDIODG.EXE
Token: SeDebugPrivilege	1036	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Token: SeRestorePrivilege	1036	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Token: SeDebugPrivilege	788	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Token: SeRestorePrivilege	788	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exeBizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

description	pid	process	target process
PID 1560 wrote to memory of 1036	1560	gpscript.exe	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
PID 1560 wrote to memory of 1036	1560	gpscript.exe	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
PID 1560 wrote to memory of 1036	1560	gpscript.exe	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
PID 1036 wrote to memory of 788	1036	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
PID 1036 wrote to memory of 788	1036	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
PID 1036 wrote to memory of 788	1036	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd	BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd

C:\Users\Admin\AppData\Local\Temp\8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe
"C:\Users\Admin\AppData\Local\Temp\8988ee4cebf1f1ccef196d2c5ffc1ab2dd2cd81efee45567dadd54f3fb3acfd6.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:600

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
"C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x560
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1200

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
"C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\ARYBULCxcRMp1ypalj9RBh8SgzPRz0iuOyoJ7Si0iognexsT1R8JZFK08k.exe
Filesize
1.4MB

MD5
97378c0a7697c21ad0d0751648f2388a

SHA1
e14874e1b4a8a11849f5e43669885e0dca77d74e

SHA256
4bf3ac214d1dc8ffeef499b84add3cf420bcd40b836504aba290bf168a5f60af

SHA512
66f0a8123c127d602fc1d6aa24b3e2487770fbbce0693daaa243a00dd363e6b760cbd598ffbce70a71551ac49f87982173310b1e13d5c032b696ac58d800afa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BNnr0qaqBUGhouQ7mGNkQQuCyOYUbFLJqNZ4BPDg22ZKA.exe
Filesize
1.4MB

MD5
00a90cb023de9380eebfea368c2b156f

SHA1
2b913a18cbb26afc41dd46dd4ee287de093c2b45

SHA256
ee9f5f0a7e6c7c6edab4f65d27a02074a0e76b1deb00fb1f8c2826a9442495e8

SHA512
fd639ca6bf25a400dd19f5ecec8404b90dbf61c12dbe7d48f44e70ad957a8bda61585a70a69128f6e70d59d9ed64464ccade069d0feb8b34e58ccb39f083fd11

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Filesize
757KB

MD5
ca938b44972ec833d4276b69b87cc4ac

SHA1
20d4d0cdba3f67ae0a04ae03a0949f06a6e76517

SHA256
2368a17fc9339f26c570c2629f74867abc3d97bd188b0e4750fc44a59abac167

SHA512
c5fcd9952b6a1ef41832db7ece7d5f128eff13999760ec1795b31e866fa1d4db50051ef32da912fb79b24268a643cfb6b11f138268df8086038ed0459ed54b34

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Filesize
757KB

MD5
ca938b44972ec833d4276b69b87cc4ac

SHA1
20d4d0cdba3f67ae0a04ae03a0949f06a6e76517

SHA256
2368a17fc9339f26c570c2629f74867abc3d97bd188b0e4750fc44a59abac167

SHA512
c5fcd9952b6a1ef41832db7ece7d5f128eff13999760ec1795b31e866fa1d4db50051ef32da912fb79b24268a643cfb6b11f138268df8086038ed0459ed54b34

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Filesize
757KB

MD5
ca938b44972ec833d4276b69b87cc4ac

SHA1
20d4d0cdba3f67ae0a04ae03a0949f06a6e76517

SHA256
2368a17fc9339f26c570c2629f74867abc3d97bd188b0e4750fc44a59abac167

SHA512
c5fcd9952b6a1ef41832db7ece7d5f128eff13999760ec1795b31e866fa1d4db50051ef32da912fb79b24268a643cfb6b11f138268df8086038ed0459ed54b34

Download Submit
C:\Users\Admin\AppData\LocalLow\lFEgL7NUzBtbTWkgHrpKTermURCPyZF92WHFZu.exe
Filesize
799KB

MD5
15f56c2bde09828b70f18431ccf8be68

SHA1
0634f063932601b0fbb5e60fd39be1350073f549

SHA256
a6eb95c504b3ee94a2fc2c7946a0a4b4d07def81d98e9f77793443f63727e696

SHA512
0a2717c0c94c09690d914c37184505986d09a6cb9fdea4c678123897feeaafb3ba9ffc780f1d1b2fb59bf4ffa1e965c889ca26fb26102558a4e9cec89e166a6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\snl73r42ABENCVasuVUQ5p5wgfxItrm7slLZ2AHDPvynx0yw0f2xGPZZfLJsEP2Ryy5nFjE.exe
Filesize
1.2MB

MD5
b87a259e0267da789e80e81ecb78223b

SHA1
5d2566d74761f51080c0b52844bcd96a10c496d3

SHA256
353c7c9a0e701706a8a9c098ae1f8e3a77b7df161e9ed4270b39171687e9302c

SHA512
d4dd7a9ff668d582671ea9ece4bb74ae5d1e5558fe89266249f89ce11aed7d9cc1a36f4c773a751db256c2c16697cdf724a7087d652c253f3a35afeb6bab601e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OF1EYD7L\xUglHSqKx.cmd
Filesize
1.3MB

MD5
baa9c074182e68abf1dc4bc338f97c82

SHA1
60d864fec5f39fc2fdef3941267238c638d328eb

SHA256
14bde50fc5423be2988f80409f4888282d06905fe9f5c639bfb52aca37d79033

SHA512
e74268b05f5b820b0e0dbfe47a4806f33e7d27b00e0709384cdc0d687d31d1f0730202f04be930d970954739ea5fbbbbe508c3d1b77efbdff621beb5bf679530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\IXEQDDjIRFYO4MeaW4t8RZ8Q8d1deAoYRPRsTxAqS5pj07K1ASh8CWnc.exe
Filesize
806KB

MD5
b483a91e517dff4386f3af074a83e5ac

SHA1
1077f08414a14300c6fe3b0117a43e1424c43cef

SHA256
1852a3c8aa0134643b1c5a8c4edb9534d8c387030a92aa052727b671432ec94e

SHA512
3403741d9bae5646f9b39d0fd4c2c6f5788d0e7ad0ad3d4a16a5d6e8f4cb714c664a2a1568075598519d8f0b081b8b274f8789d1f0bb3f79ec8dba8c7fdf800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oT7WRLq4nQVlVmoDodfZ7DInFomWG0fYgwLnGDQpOihosZRNKskX4fPVAF2KMVsA.exe
Filesize
953KB

MD5
e24a162e4878d1b922940e7ac58af8d1

SHA1
b8b5eded98f5c7f19ffc871689eb6c4ea9a69575

SHA256
d8cf66e79ba01029fdef912c24dd484a73631800ca168f0d2120cb08e91bb650

SHA512
158c2890a7e246d8d72b189ad6eed3608e35eb798f1293ffda7e4813b9982e4ba8a66ca9cf77ceb700aedd68467837720d4a44e7beb783da0ad373aa0aac2b2c

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\49xUxtsbz7oDZlT8P9yuBDKkZnP0hSx.exe
Filesize
983KB

MD5
6ffa65344163fc206d286ac0ce306dac

SHA1
a29c9694f825734467f63fdce2ae51c4accebc6b

SHA256
6c80dfa8ac3b4073cdf00ce8d5719a7044229ff56575bab9090763f45acf1008

SHA512
0a1ccef0a307e0c02afb5ea6ff89d56ab3639cc88e2a96e9154887c1b99c25ce9d834c00d3919af38e3809e2013d8c1f7965e518203ce15ee166f3573db44731

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\4dFVpFh63ZxdlmxBYRKx3NHUPm9y9uQk0vKTDARvWfcVgRLX1o9QiDMrVDip7UMvpAVXOV.exe
Filesize
819KB

MD5
514d46616759848a494a763cb002546f

SHA1
716195666b4b8aab0ade48e06b0aa47769b2531d

SHA256
17666cfe214883877b4512a2fc9811eddc5d6305269d2a1ddf7e1b83166c65a5

SHA512
0964a8beb4ccbecf520aa4b11f60f7f126dbee5db4e1528008a2362afb1631b47b62c7fcaea352c8a569cb7e66d169c1cc3bae386496f65c8bc2f2c765adae4e

Download Submit
C:\Users\Default\AppData\Local\Temp\b2DQwHwl89S3I6TTckTzgozTAGu0Y6.exe
Filesize
1.1MB

MD5
2ac767375b35ac42c4894b26b460889b

SHA1
f5b439350a3e8f0f0ce15c1b34a576166fe6a805

SHA256
80ab9f45d3d3605df215f18b33aad8cf7eb33da713bd82d5aeddc14726fdd9e5

SHA512
185455525b743096c9fe58e1e2d8e04ebe50c360646cbe582b44791d3beaa9059e3bf524fb88af089fde41cefbc86037d91d5c9568a3f00cd4db4f4a7f144a06

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Filesize
757KB

MD5
ca938b44972ec833d4276b69b87cc4ac

SHA1
20d4d0cdba3f67ae0a04ae03a0949f06a6e76517

SHA256
2368a17fc9339f26c570c2629f74867abc3d97bd188b0e4750fc44a59abac167

SHA512
c5fcd9952b6a1ef41832db7ece7d5f128eff13999760ec1795b31e866fa1d4db50051ef32da912fb79b24268a643cfb6b11f138268df8086038ed0459ed54b34

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Filesize
757KB

MD5
ca938b44972ec833d4276b69b87cc4ac

SHA1
20d4d0cdba3f67ae0a04ae03a0949f06a6e76517

SHA256
2368a17fc9339f26c570c2629f74867abc3d97bd188b0e4750fc44a59abac167

SHA512
c5fcd9952b6a1ef41832db7ece7d5f128eff13999760ec1795b31e866fa1d4db50051ef32da912fb79b24268a643cfb6b11f138268df8086038ed0459ed54b34

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\BizcespwRbKKGDMxaMveqRQPeKgMJjVHvDHjAEOiOc8MF2UzUiiJW0p97L4bVsRlLjaem2t.cmd
Filesize
757KB

MD5
ca938b44972ec833d4276b69b87cc4ac

SHA1
20d4d0cdba3f67ae0a04ae03a0949f06a6e76517

SHA256
2368a17fc9339f26c570c2629f74867abc3d97bd188b0e4750fc44a59abac167

SHA512
c5fcd9952b6a1ef41832db7ece7d5f128eff13999760ec1795b31e866fa1d4db50051ef32da912fb79b24268a643cfb6b11f138268df8086038ed0459ed54b34

Download Submit
memory/788-80-0x0000000000000000-mapping.dmp

Download
memory/788-85-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1036-68-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1036-62-0x0000000000000000-mapping.dmp

Download
memory/1036-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1036-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1560-76-0x0000000000EA0000-0x0000000000ECD000-memory.dmp

Filesize
180KB

Download
memory/1560-66-0x0000000000EA0000-0x0000000000ECD000-memory.dmp

Filesize
180KB

Download
memory/1560-77-0x0000000000EA0000-0x0000000000ECD000-memory.dmp

Filesize
180KB

Download
memory/1560-67-0x0000000000EA0000-0x0000000000ECD000-memory.dmp

Filesize
180KB

Download
memory/1760-55-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download
memory/1788-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1788-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads