b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05

Analysis

max time kernel
48s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:25

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Size

553KB
MD5

46ed318d666e106e5a3ace604abf830d
SHA1

e79ed4864252f63866a1158b47ea2d4917963a37
SHA256

b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05
SHA512

97378a3367e6e415672d68872c59b92dcf9a3007e1a3e2793a039bcd38f022b895b06bc026dc76b4191c426f0afccb9a5a256e563446850f5c16de3e5803f6f3
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

description pid process target process

PID 4932 created 676 4932 j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe lsass.exe

description	pid	process	target process
PID 4932 created 676	4932	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exej4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\DNTException\\Low\\LhODXeiwC2733ulegudIuChDyLvJnzNg8mZ9LPTRYI3YV0zQZ5Q.exe\" O"	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory\\hRcbqmLgzIpOkuNXR86i8DFtB4ZwSDcbP8wWCgA.exe\" O"	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\nprIyUWADLdbyDu58HZ5siQYzgJ.exe\" O"	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming\\RCFNxPfWtWhUXdSRIpBdc.exe\" O"	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

Executes dropped EXE 2 IoCs

Processes:

j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exej4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

pid process

4932 j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
5016 j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

pid	process
4932	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
5016	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exej4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

Drops startup file 2 IoCs

Processes:

j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yPPH78soSjK3vMaCyzYDNdORV97W.exe	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\GWZtE0p2tjVNrEZoIge5pJdA2Jmf8tiUMO9f4C.bat	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exej4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exeLogonUI.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-20	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Win32WebViewHost_cw5n1h2txyewy\\AC\\INetCache\\DQKG9ypHF4T68vHTR9Nn1LEiSEOn21pXvoZ0Bq6Z2QKclOoj9j2m8gdc4utZ5BzoLmO.exe\" O 2>NUL"	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\TXSY5holG3uLX80zEirjWs2uGKgY.exe\" O 2>NUL"	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\\SystemAppData\\JKX4vItynZT20tHyqZSQv2sNegAyUXFa1KskXoQPharsCcyWPMYqj.exe\" O 2>NUL"	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Mozilla\\LfpDJLpw3flFfrpGDz7rrD2NOjnQqbv5mmxTfFANBkGFnJk3yuNLxmUz29vQQaZHLL0z60.exe\" O"	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-19	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\MetaData\\sOBLGIvjX5Y.exe\" O 2>NUL"	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState\\LGWXTSoh2IKTBKe2oqlIz2LxdXRjFZ9uelPXiOVJtXW.exe\" O 2>NUL"	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\U40Mv1Hqt2S9RvUJ.exe\" O 2>NUL"	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\fr-SN\\Q5kSgCzxtJr.exe\" O"	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\qml\\JLgegQCqTXbqyg8juvDJwOA2mZcXB.exe\" O"	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState\\NGV7P6p2nxSVQSA6yJVfpaIM3cJaju20cGdDY7LCYHpPV5YHK3WS34cdDllBikYMbI.exe\" O"	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000dae458b3ea00d901	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "169"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.BioEnrollment_10.0.19041.1023_neutral__cw5n1h2txyewy\\HOehcZSeOXfcWWt9bhLgiiK.exe\" O"	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\gWSDg4qoOlwtCQEQ8yAdpg5Hd5A78cSuQAhFprJKKWNmWeC0xtHVqa.exe\" O"	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\\AppData\\6vEOtLFzAKI.exe\" O"	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\Settings\\mAvulhNg6JceAhCobyvAE8B.exe\" O 2>NUL"	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\DLP\\aCOkvjyynw131wFY29GkPNEXML.exe\" O 2>NUL"	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\D3IwZBJlED24DSM290dramI1GASq3v10Ns3gtAQGE4.exe\" O"	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\lt-LT\\wL3YeFwLhMl2qGSi9Wyu61FdEQr7cAH1lG4NclcsCV721Xlq.exe\" O"	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000e36e62b3ea00d901	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe

Modifies registry class 10 IoCs

Processes:

b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\5aG62NUZSTVXpGGM4y8AJNGKJcuMZ2DKpihhz8tJ9F.exe\" O 2>NUL"	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\ClipSVC\\Archive\\gz76Je2TXSWGbyuBYU8b25GXnPOp8Js8KKPnDm8hfPw1xGZosAlBkDof74V5.exe\" O"	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Command Processor	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

pid process

5016 j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
5016 j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

pid	process
5016	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
5016	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exej4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exej4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

description	pid	process
Token: SeBackupPrivilege	4244	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Token: SeRestorePrivilege	4244	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Token: SeShutdownPrivilege	4244	b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
Token: SeDebugPrivilege	4932	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Token: SeRestorePrivilege	4932	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Token: SeDebugPrivilege	5016	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Token: SeRestorePrivilege	5016	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4044 LogonUI.exe

pid	process
4044	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exej4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

description	pid	process	target process
PID 4664 wrote to memory of 4932	4664	gpscript.exe	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
PID 4664 wrote to memory of 4932	4664	gpscript.exe	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
PID 4932 wrote to memory of 5016	4932	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
PID 4932 wrote to memory of 5016	4932	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe	j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\AppData\j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\AppData\j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Users\Admin\AppData\Local\Temp\b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe
"C:\Users\Admin\AppData\Local\Temp\b1c587c109c75a5e0bc4470c3556227d165f53a60b0154c82312cdf86a4d1d05.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39fd855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\AppData\j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\AppData\j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\U40Mv1Hqt2S9RvUJ.exe
Filesize
863KB

MD5
83830f0f993f101c9f7325848cdeac6f

SHA1
a9654513a1a87a415e771eb907076964e8464f0d

SHA256
ec8e1174db543d205a847b2abbedf3b878d974ce5bce63bbb7c7d8936c3ca626

SHA512
8aa277c49498baf18494a2152f8beae4a748698e93e953a72dbeb51b2cf7d8e3f181bf500ebb6aaff7ba6aff59b970a102dc49a0d73385822834a2b6f8daaa05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\fr-SN\Q5kSgCzxtJr.exe
Filesize
689KB

MD5
2b7ce1c09a57a226129f36440869624a

SHA1
6759477d31fa5a6de99f727604c496522b3cd3d5

SHA256
c89287cf59cccd82b9e18c5bd83e835e66a76c34f9efe186a7124a682b58a804

SHA512
fb9f0a853a51aa456bc3a79c8055b818385aa16c6594a3efc20ef61212da09e58828f9b9bff9efed9d2525847e245cac08eb23704151fcbe6482c8d7efb8de03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\lt-LT\wL3YeFwLhMl2qGSi9Wyu61FdEQr7cAH1lG4NclcsCV721Xlq.exe
Filesize
807KB

MD5
f2a3500a507f28d525e4fce4517a5bff

SHA1
f7e0417a27dd3c0759e6fc15970ea12ded8ddc52

SHA256
3e47075aa57ae108db526a78d1c0213187102c717a2a6005a7e10d49b649518a

SHA512
018f31386fb4d06d5ffd24700aa88710776b10094d61b878e7b8bbda7d6ed3a6f724ba3d0b2e4203a72ed8d1b8fb20138569e8803e0eae2ebed7ce47acf8d2a2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\RoamingState\LGWXTSoh2IKTBKe2oqlIz2LxdXRjFZ9uelPXiOVJtXW.exe
Filesize
714KB

MD5
a51789a1fcf40cffa9894a1659976ab9

SHA1
24edbbbdd860fea1807325611cc7140c051d116d

SHA256
c17c393ec99a107237f40e48ae0a0a6a0b3e5190da50e4214eec778703b5c08d

SHA512
aafa44e1caa0bca3700f9c13b901d449f9bd26a0d8d23e481e2a6fe52fc2114f79bc462cdc6d91f0e1ccef035b493608112f3d660f2f4cbe4dd76a612048f079

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\AC\INetHistory\hRcbqmLgzIpOkuNXR86i8DFtB4ZwSDcbP8wWCgA.exe
Filesize
588KB

MD5
2183bb4535cc0f251f67937ced7cc5ee

SHA1
78c9a50a3bbef4a37498f464c9243e2fed264e41

SHA256
5a9cc41c17e690983a75980fe79357077ea5b6e5f4900923b5bff6451b0261ee

SHA512
d073fab334009c1be692b83681d42777993579875e04f46c52f2ac8766a2b0d327fb9fb389c18799df6185b6a9af35593787879794f7e7ff27cc07ac72bda6ab

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\TUDyBdiUA0yhTphs849hfwyof6yvPusaBu57AiFrGoEJkvAwcSORuwuc2gyOz4e.cmd
Filesize
1.3MB

MD5
f241af1ea7534167b185504a95efdb7e

SHA1
3b03d5e7aec00ec4d7a767a5e4b029b1587d25e8

SHA256
b1fdb3693876fa8001fee7f6a94b872957342946a6fb929b6c3222a63de97912

SHA512
e74239184660bce1e45b97e4c3f81cdccd0870eb2df1871250c4f7336cd23e02f3b64eb96ebff322a62f43bfadc159f4b75b70ce825a5e4794fa94c283acfcaa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AC\INetCache\DQKG9ypHF4T68vHTR9Nn1LEiSEOn21pXvoZ0Bq6Z2QKclOoj9j2m8gdc4utZ5BzoLmO.exe
Filesize
1.0MB

MD5
41c2238d84ae12b899fcac0a7ff70d8e

SHA1
e8f85cc8f1fd2f339abb11fcfa910864065e8c02

SHA256
1923a78d1febc236ec50b6db33ee3ae81f5e80ff491f8a858e313297fd8ce43f

SHA512
423bb68fd573c5206d59fb217ecf51db23ca731ae327fc9390da5aa16e10192bf414063642212de2ad93a7a8d58bbb4c8222ec6826c196382c448564e2b191a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\AppData\j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Filesize
856KB

MD5
1197cd1b79e244a5382b373d29efea40

SHA1
6c95f3498ec01e1c1ce2a2ae1403f1cd1abed909

SHA256
f3e466291939be22f7b9af379b8a3c9f47c0d0f9f612caf2153ebc8e5e5af5d6

SHA512
4cb974cc239ed93c9a2809b0b914002dbddba2218ba2bb76ce814674469744abbe67d13a82e7cfad402d9420af588535aefdf8074f0098841d23c703c9041382

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\AppData\j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Filesize
856KB

MD5
1197cd1b79e244a5382b373d29efea40

SHA1
6c95f3498ec01e1c1ce2a2ae1403f1cd1abed909

SHA256
f3e466291939be22f7b9af379b8a3c9f47c0d0f9f612caf2153ebc8e5e5af5d6

SHA512
4cb974cc239ed93c9a2809b0b914002dbddba2218ba2bb76ce814674469744abbe67d13a82e7cfad402d9420af588535aefdf8074f0098841d23c703c9041382

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\AppData\j4rmWNgszqKMmzn9DGKsuWTAJyKJ4mNuj4gB1VN0q9Qs5pbkZA.exe
Filesize
856KB

MD5
1197cd1b79e244a5382b373d29efea40

SHA1
6c95f3498ec01e1c1ce2a2ae1403f1cd1abed909

SHA256
f3e466291939be22f7b9af379b8a3c9f47c0d0f9f612caf2153ebc8e5e5af5d6

SHA512
4cb974cc239ed93c9a2809b0b914002dbddba2218ba2bb76ce814674469744abbe67d13a82e7cfad402d9420af588535aefdf8074f0098841d23c703c9041382

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AppData\6vEOtLFzAKI.exe
Filesize
854KB

MD5
b73481e92d8de65957dc05ed89d21be2

SHA1
7a997ce2c80820479e380e7b664838d5e1770264

SHA256
6c5d2d9f2df26eb860c2701ecdd542e84d37e79ee47d637867c31f7fa7828838

SHA512
964742c988706a24b2fa87fcdd007c72434f896098be0a5898d9395e31dbd0e9fab680a56f3636606347c85683df6849735bc6fcc860685a8d54e21e34b265f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.default-release\extensions\5HSkIKtArym8Tf1W.bat
Filesize
1.3MB

MD5
0b5c5156ed9238361f8b48b9f6544367

SHA1
c887b320a9239f9dddfc917923643b2eceb88729

SHA256
65a144ddd00e584b74162789827e9feedf141339bc1c6f9b5a3a79646223dca0

SHA512
7649f21d9a98dbd9c5a24e4bf4989f748f8f16924439b20df19909cca8e592d737223f1ec823f8e04e060101c12dbac39ad1dab7cb78ed7deb4b0703ac24f3cc

Download Submit
C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\hCLiF2KfYANtL6WlN9iLMoS61M4OMllYh72X5.exe
Filesize
600KB

MD5
48d62c642c64de1a55945bb79701496a

SHA1
1e16ad17c5f2c9effa8c429302a3c4b39437a618

SHA256
2bc91d4d78682ade4eac5011877b8e47119eb17c8be0af5792d88662edbddeb2

SHA512
6c0627b4a17cedca418d601d359e8d87aba2dfd028ddef039c9ca529730eaa2f0bc7cb196a852c323cd2c1d36cc26e0d6933e9633651d8b8ff694c57ca1b2130

Download Submit
memory/4244-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4244-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4932-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4932-135-0x0000000000000000-mapping.dmp

Download
memory/4932-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4932-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5016-147-0x0000000000000000-mapping.dmp

Download
memory/5016-152-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads