7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca

Analysis

max time kernel
37s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:23

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Size

1.4MB
MD5

2566b387db10c44815241f0952889dc9
SHA1

39a3a96a2e533769fd7dc97135201874b4baa896
SHA256

7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca
SHA512

b46d61dcf0339b03c7f6d9bde580189af0e65e8cadcb23214650d36c9f944b209421e3ba04ea8215cc7ef8e863362eab1baa70bb66dc925288498cdedff60e6a
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd

description pid process target process

PID 4596 created 664 4596 EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd lsass.exe

description	pid	process	target process
PID 4596 created 664	4596	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\en-CA\\n1YmLoKLJy6uSrK6EZKaY1DDiv7FZLPMWtSSWvk1wi9JIGgXaLsmfGyIhore4bL.exe\" O"	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\jZvscKmWME1hUNCs1u8Hc335dkeSWmDJjVZWM7C9LHgU5QwnuJYat2qnBaTFB.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\ThISFt1U9EkxE2MFVqZyHj8dMe8WEFpu5bsWZusKZRscKtA.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\es-PA\\ZdBCA77LT.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe

Executes dropped EXE 2 IoCs

Processes:

EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmdEuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd

pid	process
4596	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
4488	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmdEuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exeEuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmdLogonUI.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-20	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Subresource Filter\\Unindexed Rules\\bBwI3bB1pm2uPBkPf23pcCqP2GRa5GClqte95vVy5lOQJnxb3tM.exe\" O 2>NUL"	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft OneDrive\\UjmK41kmXqkokJgifJpkjRgt4YmfvRzQjBCKHqao.exe\" O 2>NUL"	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\TargetedContentCache\\v3\\338388\\gVHyp1f8tFhIzs2B6Tlj86J0bGzAceOIXch6aZvoxuy4jq1eNL6vIEdz.exe\" O"	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\\AC\\SDWAE9M905Xx92dBAn7puw09P1wWQFuAeIBsJ1KD76ewgzg4DBIKR0mmPt0SLoYhu.exe\" O 2>NUL"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\5IPyJfcWuuw76TnIMtwOTdKvoxkK6SsV.exe\" O 2>NUL"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\9fAEgXzDnHPNIIRXZ5tDXeoEki5id5gNEbsfbIvcgNrEtv88ymmDW2Drxb.exe\" O 2>NUL"	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Windows.CBSPreview_cw5n1h2txyewy\\AC\\Temp\\LRmGGzgNPpwaeZZTCHlrY9tq6MTVZA8uR3DolF3bHwrRITX.exe\" O"	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Acrobat\\BljbAmT2uyl8p5Hf5XRfVfVNzoS8mHTDPHo3UE9q3V18boIeE8PvJp1xu26j.exe\" O"	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\\AppData\\oEnW9jynKOKushiREESGLYIcEl5AAu5JzeuHsn4N.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000005cdb67eee100d901	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\.DEFAULT	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\\q3p1in0cZcMKOMYMU.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCookies\\ESE\\EcZymvXbXqsFbdPqdR3XtCxalqEripxA34t7Jqn6VuduCS5ajn6onAglKSj866Lc3K.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\fr-ML\\lsdPNdh4pjstVmxyStq4r.exe\" O 2>NUL"	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\hMCqndRwPD9r5lc6MVl0AdFZYYEBaWC9QtZSBMBCTob.exe\" O 2>NUL"	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\iQH7d7fGvH1GKOKmNcGDgkMCssqacDv2GFMU.exe\" O"	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Diagnosis\\Temp\\DiagTrackTraceSlot_aot\\pAH4TOUw4pATPq2nWHr3LCM.exe\" O"	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\FyKuZWmojt0DpCTols9rZxjYY1yy1dXIqcLabx.exe\" O 2>NUL"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\2xqe9xabHMo3.exe\" O 2>NUL"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe

Modifies registry class 10 IoCs

Processes:

7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\\LocalState\\iy2cpivNINhbhj2mTcDbixKH.exe\" O 2>NUL"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\NcsiUwpApp_8wekyb3d8bbwe\\RoamingState\\PH7pPp9IQvPGqlhkqQtr5p.exe\" O"	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd

pid	process
4488	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
4488	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exeEuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmdEuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd

description	pid	process
Token: SeBackupPrivilege	4872	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Token: SeRestorePrivilege	4872	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Token: SeShutdownPrivilege	4872	7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
Token: SeDebugPrivilege	4596	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Token: SeRestorePrivilege	4596	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Token: SeDebugPrivilege	4488	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Token: SeRestorePrivilege	4488	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2796 LogonUI.exe

pid	process
2796	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exeEuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd

description	pid	process	target process
PID 4688 wrote to memory of 4596	4688	gpscript.exe	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
PID 4688 wrote to memory of 4596	4688	gpscript.exe	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
PID 4596 wrote to memory of 4488	4596	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
PID 4596 wrote to memory of 4488	4596	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd	EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
"C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Users\Admin\AppData\Local\Temp\7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe
"C:\Users\Admin\AppData\Local\Temp\7766b84fd690a8a0d97dfaa821f6d7f00e06227d0e5bc3311ba99338e3eda9ca.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3985855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2796

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
"C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Provisioning\9u07pWQ1Q0Vt0sU0.cmd
Filesize
3.9MB

MD5
b22e518045167c27d15a86d9b28baa90

SHA1
804ef369bceba7c5c57a9538c55076a383fd8bf5

SHA256
b732a41b7df9df6b1b96ad4d49467d48fb76d4bf05be6d8e5ce98099c7e6b0ee

SHA512
a1b5e7f07302d25e81627d5e624ee38b953e3f5499b75e662bbb05f3ab9b0e8be6a1c05c9d36dddc730d9137af488bcb8002cd7819c569c6e78178636e02954f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Rqk1iFfM2o0AIr5rYiXvk5jMnyZAZOqyhzndml5t.exe
Filesize
3.6MB

MD5
bd3e091a9f43bd2f5100c5c637ce8e00

SHA1
5df586b891b034be51d9554722456a0a861b620e

SHA256
54bd984229e5cd7e2e36b7668c648fa0b479823fa95599c974e4c73a42f440e8

SHA512
6f56c807e220bbebf2e7885ff163fbb12f7ee95f52a641a4b639af49e885f9fabf786fbc8e58eaf0f8d0b0233794b751ef380b241b6f9fbe1b58ea488694d3b3

Download Submit
C:\ProgramData\WindowsHolographicDevices\SpatialStore\ThISFt1U9EkxE2MFVqZyHj8dMe8WEFpu5bsWZusKZRscKtA.exe
Filesize
1.5MB

MD5
41e8427c7b22a80338a166d3d8476575

SHA1
7fbbe4134512a3d3149b93ab4340f99c1b039119

SHA256
f44db81b821b2650690a49aacfbd3ce7f4c35f767f940e78087e77ddac7daa05

SHA512
3bfebc4bafc4b1d925d6cd14947f5be86d453fcc225fc318eb695a94d29cd3a4a07d581df8656d1a8cac34ace64831062b2c6bcb7b4aceeb11ced85643e2d779

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\2xqe9xabHMo3.exe
Filesize
2.6MB

MD5
5fc404dc3182a647b1402ea0c39c5d6f

SHA1
7d2dd44850452b54562cbeb87b87ed77389bee6e

SHA256
991ca9427f79c90b8ab76f0499aaf8f19fa1d7907449cfecf9bf3fa0797fc4c1

SHA512
d58e3c32fee56d68cec5828e7db5b7160b8b76486233572db143ca32e99d782f7286be43080c1ff0f27d07b9bdf511140c4d665179ca7fc1c9c8a56a27873632

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Filesize
2.1MB

MD5
3d02396a309751d85bdfcd31c8e3dcee

SHA1
75656516472c7f1defdc3fca9438f3df50cb0e06

SHA256
dc014ac6f994fe461ea0cfdaea095f09d1a51eaaaee7b4a414902ba76ef0b61b

SHA512
53e5697fc5572aeacaec454da6a77cc40836f12515a9e968540a8773a09e3c48d7751f22ea04445950b782da2e96359ea1c071892bfa529d1ba077841c062aae

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Filesize
2.1MB

MD5
3d02396a309751d85bdfcd31c8e3dcee

SHA1
75656516472c7f1defdc3fca9438f3df50cb0e06

SHA256
dc014ac6f994fe461ea0cfdaea095f09d1a51eaaaee7b4a414902ba76ef0b61b

SHA512
53e5697fc5572aeacaec454da6a77cc40836f12515a9e968540a8773a09e3c48d7751f22ea04445950b782da2e96359ea1c071892bfa529d1ba077841c062aae

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\EuP5ebpXX0y8CVNqS7qqOzD6R2SAFw8Y2M8dkyLIToqsvKcRxcggJn82d78dUV.cmd
Filesize
2.1MB

MD5
3d02396a309751d85bdfcd31c8e3dcee

SHA1
75656516472c7f1defdc3fca9438f3df50cb0e06

SHA256
dc014ac6f994fe461ea0cfdaea095f09d1a51eaaaee7b4a414902ba76ef0b61b

SHA512
53e5697fc5572aeacaec454da6a77cc40836f12515a9e968540a8773a09e3c48d7751f22ea04445950b782da2e96359ea1c071892bfa529d1ba077841c062aae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\YUs6asRjLuvORggj35K9eYxaMqlyLTHLLeRC1jRN7QZLq.exe
Filesize
2.0MB

MD5
1cf7623e6ff4fbe3f3ea8ffd91d65009

SHA1
0b4391f8c273847a8d3ee6a39823e529deb2ccc1

SHA256
95cf5cc7ec67348f65a402451f6e8a26af5964ee618208a5b8cabcc9d8bc0902

SHA512
659dd3227e43d0fe2165f6e876dbf21b6330356c3bf786c395e944ecd371da54bb346aa51042acd4350d4bfb3bab43d6e5d63c1181b1294ca6751e86146f7cab

Download Submit
C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\AC\SDWAE9M905Xx92dBAn7puw09P1wWQFuAeIBsJ1KD76ewgzg4DBIKR0mmPt0SLoYhu.exe
Filesize
2.2MB

MD5
271a2a56f7c3f7a11e09013c76b63814

SHA1
b0a8c410aca5fea0f806ad9c1eb0802b61c7fb10

SHA256
7dafdfbde981418c95edc9866d0c104db31cbe9f84f5fbe833f14bfaee3a31c7

SHA512
5effdc71bcf3e93803c9009afb8aa5f81b07c30454c84062e1733f843756c197e54a21834226c4f6a1fdefb91795b1f89abde9268bf315ddae246c243a25b384

Download Submit
C:\Users\Admin\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\Co1423bQtldXvWnsm9kz2KCYYLjT6t2S7QbYhS6wJ9P5RmYlZ.exe
Filesize
1.6MB

MD5
581a75cef96315885b69c45c4fd7d99f

SHA1
c6c57ab24c4471125a4cdea211b703d5bb9a1b59

SHA256
5f6f6e121cda7fe566c2bad8562fcf8ddf54012952a17082eca3365982766621

SHA512
f8a732e687699da0e9ad45132039e9877c2079f8a4cb4a22b982cc328c03b504f9e5f5d47a918c4e91629b187136daad6a8bcafa6be2e5c26f01d97076dc9ee8

Download Submit
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AppData\oEnW9jynKOKushiREESGLYIcEl5AAu5JzeuHsn4N.exe
Filesize
2.7MB

MD5
3bd74f027bde50a1d75a715600dd7955

SHA1
d1db07676055751b2a7825e9593e85c143ea8c4d

SHA256
ae4b198de772bafeee600e54f813be41c92ca35a0e60550763a99c17b761077a

SHA512
be5ec027a6e898c11489c071759008acc765fa358ecef05dc1f233e36a4cd9dcaff2cbff7efe25188677a2d27f8394403193c15cc3f64ff732f7545ba2c8d391

Download Submit
C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\q3p1in0cZcMKOMYMU.exe
Filesize
1.9MB

MD5
635856fee7edebae0937cd273de68454

SHA1
7a10f18f02171315dbd311929f8497fe74b4c642

SHA256
ef295ada306a547ec86c08aa8827bfeab3cea1a36d9ae666c88b08a8bef17d6d

SHA512
e3911e68d7365c6fd1375472c12de34dcabd2a64bd1b8cfe8ae8b795bcafcb5a6a11802d0c2c184c49510e3f868a5bfb1c63d9430abd4c22d2545dcefda90521

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\5IPyJfcWuuw76TnIMtwOTdKvoxkK6SsV.exe
Filesize
1.4MB

MD5
313b7a508a58aa27b88b17334754b95d

SHA1
48eb9a704143afc339f9e7c9be95ab8af3a35569

SHA256
53d25304821b5b8cffc58ca16447eb5c660e3ca31dfef482366ee4930f6d3e82

SHA512
813ab216111e7b0a224572b2ed32ce0283273cd440ec4311758a1ceb7f08ae0e13ca0ab24b00007a8c7118f3f56e496aa973076f15f9705fcc74beb81924afef

Download Submit
memory/4488-147-0x0000000000000000-mapping.dmp

Download
memory/4488-152-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4596-143-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4596-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4596-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4596-134-0x0000000000000000-mapping.dmp

Download
memory/4872-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4872-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads