194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818

Analysis

max time kernel
92s
max time network
55s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Size

1.7MB
MD5

4a50ebb7357ed7ad2bdd2aa0b7adb247
SHA1

e95ead1ef996937878dafbc63ec1e2840dbc7b78
SHA256

194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818
SHA512

b0d3edfe5903bc5a02b2ca264c03e0100b82f69260ee6cc68588e8f88346ed38b1ac17b9505c11255dd44d89c45bc0b4ae90e6ba846c9fb48c278692101b098e
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

description pid process target process

PID 1932 created 580 1932 aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat svchost.exe

description	pid	process	target process
PID 1932 created 580	1932	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exeaa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\hIxEQozgOTHuNkB5exnYbZC63.exe\" O"	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\9s98XUWGB5IlSYWiyQQWXFn5PXNWcY.exe\" O"	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\DVOqiLppVuvy5sCds5oEWBMtNOr2rbShmu0Du64nX6dMwwH.exe\" O"	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\dEKeiGIVjEKCSWpy8E91u2.exe\" O"	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

Executes dropped EXE 2 IoCs

Processes:

aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bataa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

pid	process
1932	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
1040	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bataa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

Loads dropped DLL 3 IoCs

Processes:

gpscript.exeaa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

pid process

1132 gpscript.exe
1132 gpscript.exe
1932 aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1132	gpscript.exe
1132	gpscript.exe
1932	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

Modifies data under HKEY_USERS 59 IoCs

Processes:

194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exeaa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.batgpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\50\\7xsoCx1Uk4.exe\" O 2>NUL"	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sessions\\FmMVEd9t6qdrivuul6xT2cprYnp.exe\" O 2>NUL"	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\NuRijiS5fPLi8CCa7DcFTn1U.exe\" O 2>NUL"	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\Bk0F1H8Xu8LLbfzcBEyrKOV.exe\" O"	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC\\qyaxrbMdWCRX6lgyB1SZLo0xqRsHPFyWBjECxdZw2gCiEnrq9ALCMbnhDsxcIT44ZUts.exe\" O"	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e061d982ea00d901	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\HNd6zpNTkr2BOmRPeTbkDdc2OiUfD17UI1MoNXisZI9SS1yLr4jU.exe\" O"	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\W3SlwAhZzzpiFg2EgbFRCkU8SLkrJrXZ4NL34ZwVzVDkk5omfc4Znw.exe\" O 2>NUL"	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\.DEFAULT	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Downloads\\dLNqMxS5wdjlzZtbP4nt5IrAfl6KThxPCw47HZKqf7eHMf48YFzgIunn.exe\" O"	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Ringtones\\JTOFZZBK6uo8M0Wc1557.exe\" O"	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\15\\yZq6giioQqnYyhuYwthvPW2HthgGtN2lnWSB86P7whYnPsvthlmzX.exe\" O 2>NUL"	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-19	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Subresource Filter\\Unindexed Rules\\z7HYSN2ucFaTmbNxHuQ08a05Jkxbi2qilwo7OTU4VqKFRkP9RZ5EGB8PXxFrC.exe\" O 2>NUL"	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\VGDXKXeOu1wPB6N29RaUqxYBAZaLeTNTsVh.exe\" O 2>NUL"	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\BX0EkjfvhorJuJsbG8gBFXL1M5l8LDEkdpuCbi1LHjP1vv3nVuGh21FZC.exe\" O"	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-20	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Libraries\\AjkLNfc0D3h4iSdUt6RHp.exe\" O"	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\8by27av1.default-release\\thumbnails\\EHPpZ7Qp6muEzjwod7TG7dOnQvEgv5qrh.exe\" O 2>NUL"	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\E8H4X2cp.exe\" O"	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000200a4985ea00d901	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\13\\NCUrBrTXB.exe\" O"	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\23\\rlqElWAsJqSoYpSM7LCtaLOrSPTvlj6v0rGVafH2dn6sEv0ol2oMUeA6rGhc4ue.exe\" O 2>NUL"	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

Modifies registry class 12 IoCs

Processes:

194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\Collab\\oa66RR5UBv5UkQ3JfT4cvgQ0jfv1mt4oEgwv36queCuYZ.exe\" O"	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Command Processor	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\UspksEjedWhrz01n8KgWhCdn1SLmGavmcBYxFp7Jxlu.exe\" O 2>NUL"	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

pid	process
1040	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
1040	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exeAUDIODG.EXEaa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bataa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

description	pid	process
Token: SeBackupPrivilege	752	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Token: SeRestorePrivilege	752	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Token: SeShutdownPrivilege	752	194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
Token: 33	1984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1984	AUDIODG.EXE
Token: 33	1984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1984	AUDIODG.EXE
Token: SeDebugPrivilege	1932	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Token: SeRestorePrivilege	1932	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Token: SeDebugPrivilege	1040	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Token: SeRestorePrivilege	1040	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exeaa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

description	pid	process	target process
PID 1132 wrote to memory of 1932	1132	gpscript.exe	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
PID 1132 wrote to memory of 1932	1132	gpscript.exe	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
PID 1132 wrote to memory of 1932	1132	gpscript.exe	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
PID 1932 wrote to memory of 1040	1932	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
PID 1932 wrote to memory of 1040	1932	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
PID 1932 wrote to memory of 1040	1932	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat	aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat

C:\Users\Admin\AppData\Local\Temp\194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
"C:\Users\Admin\AppData\Local\Temp\194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:580

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
"C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1100

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1516

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
"C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\4UhYzSBR8DvV9wrdcVqtttKiS21twVntGMOQQiwL.bat
Filesize
4.6MB

MD5
03a25551827a39f9e97f927b77688e98

SHA1
6ebf8a799a78da3237106454b48f4c5293a52079

SHA256
b488994367a52fd2c55ed8bdac0cd50d82f1fe446d63139726d4985869a329ef

SHA512
df0a950bb29cf16b11deed99b5a679fff36325e20dc4a04a86a4d0b76532b370a102b8137e1059968241e23d251870b30e4ff8c39a496dd52fe1f45e4a7e94e7

Download Submit
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\g0g8peSmeJ4Zb9RTtChkj3NBXFB5XIRLF78f2w9smTB6q5V1o8veKVvZDcwQS3bwfDj1.exe
Filesize
5.5MB

MD5
c9e0db8e6b18d91cebb628d3a02215f3

SHA1
76c19bafa25af41c45617b90e5f1f16b3ed98f13

SHA256
52b12a32c73af35b6ea0c3ca36a22838d4fda914f5a5c295665250e403a9486a

SHA512
0230f748d5b842d6f52078460f2d199ebc4848d43f91c078619b51457e3abe968c324788834ac9abbd184ae6b29c0c0d720186840be2f4df3c669f9f5af7c8a6

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\9s98XUWGB5IlSYWiyQQWXFn5PXNWcY.exe
Filesize
2.7MB

MD5
cd31924621033fb392812589b5501be3

SHA1
dae196bc30cd33153379bfffb68e7f293f4a19d4

SHA256
77a4d47ac781296733d332b250a1e487f173e53018a30a3b83434d8d41f10860

SHA512
46465be53cca147b032b422b05a8c3d0bdb42500e0b7ba15f9d16151d5c77e5f829edc8fe1d5f3d9f3a413790c65d2fa392951341a4c4ac40096bf5b09defb05

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\7xsoCx1Uk4.exe
Filesize
1.9MB

MD5
1bcb08ccc99d8a3246e1f27e782ebef5

SHA1
cfac74d4921d274d5ecebc6c2d64201010d4c095

SHA256
5511bcae6b2d3e0180d27f4cb420cc24800a4520384617d1f002b60625a0ac34

SHA512
384c80a800834024528326cd57436c184baf4cd89c1a32906675c7611176bbbafd9be27421d88da8f8fac67469f7a655b0db5fc8034883eee17ffcfd6798d85b

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Filesize
3.1MB

MD5
06e31a0a058648a24052fddde79dd969

SHA1
30280e03829b2112434de76d85e98a3eea01932d

SHA256
ff05ef0e432b59730038998954859ac05bb21447fbd41067a893b9fd8642f43b

SHA512
747c7deb7b54c3daf45251861a577dabdcf58ce6a4607a168c82ceea4f8ada410c710834a7c87a9e0265ce5b98b7372fab8af050ab3c39d76420420d8ab74c4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Filesize
3.1MB

MD5
06e31a0a058648a24052fddde79dd969

SHA1
30280e03829b2112434de76d85e98a3eea01932d

SHA256
ff05ef0e432b59730038998954859ac05bb21447fbd41067a893b9fd8642f43b

SHA512
747c7deb7b54c3daf45251861a577dabdcf58ce6a4607a168c82ceea4f8ada410c710834a7c87a9e0265ce5b98b7372fab8af050ab3c39d76420420d8ab74c4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Filesize
3.1MB

MD5
06e31a0a058648a24052fddde79dd969

SHA1
30280e03829b2112434de76d85e98a3eea01932d

SHA256
ff05ef0e432b59730038998954859ac05bb21447fbd41067a893b9fd8642f43b

SHA512
747c7deb7b54c3daf45251861a577dabdcf58ce6a4607a168c82ceea4f8ada410c710834a7c87a9e0265ce5b98b7372fab8af050ab3c39d76420420d8ab74c4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\FmMVEd9t6qdrivuul6xT2cprYnp.exe
Filesize
2.6MB

MD5
3a142b97ae873db9f7a9bdd7be30025f

SHA1
a2dfc2dd38598d2c05c14037a227e7cd202a26fb

SHA256
c9bd7c2e30f5156fa54526ebc6c7ae0a6c1bf28f1ea163ab6591d6b549a90e16

SHA512
7973a72965d372f497761d12f0c1762a5d69941b06e3ff99f6e108e605da789a556611ebb3b595e44023d8d8f41d757428b9cc4aa9cc91e1ee582be96401de20

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\3yTJRPBVTGhfHj94u5Ee1lkVugRz81WZY6wv5Y8ZYDI6agUzFxOKHrN2yUkZz22pG.exe
Filesize
2.1MB

MD5
5e8a82c00403f50406805e047a9e2653

SHA1
61101384c941e9be2fa4f2e285669d2431e3ea74

SHA256
7f0e17b26572e56ecbc0cfc35c55da4b1fc5b690ec30da62969fac630beae4d3

SHA512
03dd9edd7e880f906b0c245a561fcf72c68346e2a2171ac625611b844b77c73b239b195a9cd88818abbdc2530e9dc1fa666b6fc0b6ec221f9a815eb09463531b

Download Submit
C:\Users\Admin\VGDXKXeOu1wPB6N29RaUqxYBAZaLeTNTsVh.exe
Filesize
3.0MB

MD5
fe3ee1d6e6e19bf9e5cef3c594b1bb7c

SHA1
600dc3839ad18bbefddcb8c6bb6620f328f5a163

SHA256
b6b9329e6ed897745e005d8b48f660e3979088ccbe727e7c1f9da4eba7122678

SHA512
320673f535da67c9c1b3a2d4b4d544f90a37c678761ac443f6f8c41c740f6bfdab954f69df2e324ed5bce661786ebb7b355d16783dff54d8fc0df01371032b4f

Download Submit
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\HNd6zpNTkr2BOmRPeTbkDdc2OiUfD17UI1MoNXisZI9SS1yLr4jU.exe
Filesize
3.3MB

MD5
d2fd6ce593ff7c232928db0fddeca510

SHA1
9874c93db4bb07482b42ade97f6db86f8b76ef8f

SHA256
c8df5bbf8cfe7ac5748de69c2fb68f2443a7e93943095d30e68ee137555cc6fd

SHA512
0441c3119a5dfa0864ab0de18b7afa29176bad63f1e1a469fd1e4704ee27ee18cc7c78bee1154a4ed394a5996e458f9527ed601c75dacc2c458d8cbbdf6d2217

Download Submit
C:\Users\Public\Downloads\dLNqMxS5wdjlzZtbP4nt5IrAfl6KThxPCw47HZKqf7eHMf48YFzgIunn.exe
Filesize
2.4MB

MD5
3a12d09344d8248cf01bc018c14d9a0a

SHA1
1fb2743c98dcc2373a432bc22f8f263d9235214a

SHA256
8fa6cfca0f9dfd2ac276f96bceba5da9a6894f9e0cd351c836f130668ee116c1

SHA512
4f2c4337d5b7a3ad8c69c82ccf7710fd181c71eefc950b2d9f65f6ea7a3a481a2877a9472fcc3ec27352b2d9a9a1fa9a52d28de271a7ffbee6d622b17f83e310

Download Submit
C:\Users\Public\Libraries\AjkLNfc0D3h4iSdUt6RHp.exe
Filesize
2.1MB

MD5
01b38ce675fd02ab67d2eaae0c1d98ca

SHA1
8263df443a62ef3a9ab3979b73c9a74b6f4c9843

SHA256
56d4a38da0c310215467771fb19ed4132fce0a062df26f62367bd2ed1f5a8b97

SHA512
a5bdb550cf8a897274bf56434819b430cd83dfcd4af0264304d7f508b0ba1b4b5cd0c88c7a26f2e459b8c1bfd7bd1c56effcb41f0509db72b3eabddbf7d4c598

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Filesize
3.1MB

MD5
06e31a0a058648a24052fddde79dd969

SHA1
30280e03829b2112434de76d85e98a3eea01932d

SHA256
ff05ef0e432b59730038998954859ac05bb21447fbd41067a893b9fd8642f43b

SHA512
747c7deb7b54c3daf45251861a577dabdcf58ce6a4607a168c82ceea4f8ada410c710834a7c87a9e0265ce5b98b7372fab8af050ab3c39d76420420d8ab74c4d

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Filesize
3.1MB

MD5
06e31a0a058648a24052fddde79dd969

SHA1
30280e03829b2112434de76d85e98a3eea01932d

SHA256
ff05ef0e432b59730038998954859ac05bb21447fbd41067a893b9fd8642f43b

SHA512
747c7deb7b54c3daf45251861a577dabdcf58ce6a4607a168c82ceea4f8ada410c710834a7c87a9e0265ce5b98b7372fab8af050ab3c39d76420420d8ab74c4d

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\aa3e5ssnfL6KLZQuH3zVxRt1eR1i8xWWkVUJdSAhMJooTNYgyqHeEEC03PMskoeX7Dx.bat
Filesize
3.1MB

MD5
06e31a0a058648a24052fddde79dd969

SHA1
30280e03829b2112434de76d85e98a3eea01932d

SHA256
ff05ef0e432b59730038998954859ac05bb21447fbd41067a893b9fd8642f43b

SHA512
747c7deb7b54c3daf45251861a577dabdcf58ce6a4607a168c82ceea4f8ada410c710834a7c87a9e0265ce5b98b7372fab8af050ab3c39d76420420d8ab74c4d

Download Submit
memory/752-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/752-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1040-76-0x0000000000000000-mapping.dmp

Download
memory/1040-81-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1100-55-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download
memory/1132-64-0x0000000000F60000-0x0000000000F8D000-memory.dmp

Filesize
180KB

Download
memory/1932-65-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1932-62-0x0000000000000000-mapping.dmp

Download
memory/1932-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads