7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc

Analysis

max time kernel
151s
max time network
164s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Size

297KB
MD5

6e6d2ead45ce3083eea2676b6e596daf
SHA1

c49561f2005982d8ed15230ac74c6188006d0f8b
SHA256

7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc
SHA512

bdcba2196bfd907f8add9ac99a000e613bfc8a9d0ca6f21a894aedaebc60cd3c88c771322c5f39c0fc434d8c606ad01d76c18cdfe0b6db6218d43b949a8a932a
SSDEEP

3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd

description pid process target process

PID 1968 created 592 1968 rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd svchost.exe

description	pid	process	target process
PID 1968 created 592	1968	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\extensions\\wvWjF2UMYCnGAq7E97oOZJNpmpIq3R601XIHWakC0Kd5RfAkfUOOtVUwEoJd0anphuK.exe\" O"	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\0dfoUhtikv.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\dHSW56UkHcqml5A2edjdwEWkjVILySJbibdxxJgKM.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\11\\ceNvxKRG5Bk09OuPVqvkYCezPBbhzwXFxbU2RVrprfKsIA.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe

Executes dropped EXE 2 IoCs

Processes:

rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmdrCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd

pid	process
1968	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
268	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmdrCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd

Loads dropped DLL 3 IoCs

Processes:

gpscript.exerCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd

pid process

1656 gpscript.exe
1656 gpscript.exe
1968 rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1656	gpscript.exe
1656	gpscript.exe
1968	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd

Modifies data under HKEY_USERS 63 IoCs

Processes:

rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exegpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Device\\SbcuAFNZFYyycv7hbXGZ.exe\" O"	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\USER\.DEFAULT	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-19	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-20	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\Favorites\\MSN Websites\\aQpMAJlZ9Pqws2eoQOyjeFWpufMuA1tsFtg1ohqATn4hpPP6J4c.exe\" O 2>NUL"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Color\\Profiles\\ILIw8sVPOb.exe\" O"	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000020fe0e0ceb00d901	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\lLto7sm60Bq345ajZB5eKJjTkzrlRxnB2KJ9MFq1buXhULu8YBpspN2Sp.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000020a56c25eb00d901	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000e0c0130ceb00d901	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\49\\Zu2gaQomoeNyCdw1jQqII8J4PGFSlbfYOn2Z5kApuzt.exe\" O 2>NUL"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\d1ojupmLZmoXu4ZKzbduMtg4d4Ub9Ku8yWbHa5f0TSuxECXkSDV8Wh041xCbmTuVAQkl.exe\" O 2>NUL"	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\IvPoJbVjt6XBn.exe\" O 2>NUL"	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000040e3ed09eb00d901	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\37\\e7Dh4C8Xk8XvhU5kAl8iL1f5P1RqMp8boIsitAqKPymG5nnKqV9n0oHuGsJlN1g4LRRgg.exe\" O 2>NUL"	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\CYhYoxeiZouzofQdwHiJl5OzfUbQ4PazoOlXbJrIvqY932.exe\" O 2>NUL"	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\\o8IixGGMgtbIxs6pRzEghl.exe\" O"	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\E4tDdr7SJEQ110mpMcNCYgjdMGUK1pkXxQsUIW58x8bCdfLsS9pRxebePf1.exe\" O 2>NUL"	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\BlkBNspf8VzmZCfue3o2.exe\" O"	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000004022160ceb00d901	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\YTFihyCAKN73JHyCpXOkpGQhj8hX8tYlbwFgBo1JALdgInQOrb6ilX3vl7Le.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\storage\\permanent\\chrome\\idb\\1657114595AmcateirvtiSty.files\\001KUnMvwPzpzQuUAunTAckG7Mk2zpjPYLZBhzFL9a782kTv3X2Zf3lEQMlDXGEU8wdGPQ.exe\" O"	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\WER\\zVi25twBttsL44NDE6BGD8Tvc0c6nBOIQRpPb2GJXzO2wtq.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\storage\\default\\moz-extension+++8e30aaae-1cd1-4ccd-b4dd-119fc9692196^userContextId=4294967295\\gHaGn80yH21cPy.exe\" O 2>NUL"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Burn\\iv4kQzMZMpF5msRYFlva6lV8J2yCBW.exe\" O 2>NUL"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\leveldb\\nkVPwMBSImS1QxQzcow8oZr5UO6wjR8U.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe

Modifies registry class 12 IoCs

Processes:

7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Command Processor	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\1Pc1Izbbi4vBAk8ermnXLfIP8y5yWIvFAiozhvg8JheVIYryIbshpup4.exe\" O 2>NUL"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\10\\Wpy21T0CVyPi.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd

pid process

268 rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
268 rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd

pid	process
268	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
268	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exeAUDIODG.EXErCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmdrCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd

description	pid	process
Token: SeBackupPrivilege	1628	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Token: SeRestorePrivilege	1628	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Token: SeShutdownPrivilege	1628	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Token: 33	1304	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1304	AUDIODG.EXE
Token: 33	1304	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1304	AUDIODG.EXE
Token: SeDebugPrivilege	1968	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Token: SeRestorePrivilege	1968	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Token: SeDebugPrivilege	268	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Token: SeRestorePrivilege	268	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exerCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd

description	pid	process	target process
PID 1656 wrote to memory of 1968	1656	gpscript.exe	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
PID 1656 wrote to memory of 1968	1656	gpscript.exe	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
PID 1656 wrote to memory of 1968	1656	gpscript.exe	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
PID 1968 wrote to memory of 268	1968	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
PID 1968 wrote to memory of 268	1968	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
PID 1968 wrote to memory of 268	1968	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd	rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
"C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Users\Admin\AppData\Local\Temp\7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
"C:\Users\Admin\AppData\Local\Temp\7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1256

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
"C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\53F2NtKBYWc4rfO2AeGZYhwS5EhkQgMvdcRZtcdKt3u0zjSPvVXHYyjH.cmd
Filesize
807KB

MD5
5a510afbdf27600803ed4fef3b48b7dd

SHA1
afac23c83fdc077096b5620b3f0abbf5453b1b75

SHA256
e83548e84b15192c534adccdfffb376ded028abaaa4a86484048012d0f1dcaab

SHA512
dc29ae1a46e912f82241d4198c4ea297d7ab6fe9ba18cd7e5cd76324414e82c8db7f613c02f5fa10ca62320ad52e2b44e013f8783d2f9b547d49a2797fe14b30

Download Submit
C:\ProgramData\Microsoft\Windows\WER\zVi25twBttsL44NDE6BGD8Tvc0c6nBOIQRpPb2GJXzO2wtq.exe
Filesize
519KB

MD5
640859de2fbc605ffce18a316f92e4c0

SHA1
026497b9177ed2a8a7eb1749feb10cf94dc699a1

SHA256
0f74194f8c104e081a8cb9e2af8eb192553f714a5bf1c5638495e7847b26a37d

SHA512
50b681ac5ea6c9fa62f01af3923cd7e44ef82a499c204cb20099633483b142f32d21a9928ebe128d45e0c5d13c6f0a076f554cb12d57b69d77f6e56a5180923e

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\Zu2gaQomoeNyCdw1jQqII8J4PGFSlbfYOn2Z5kApuzt.exe
Filesize
469KB

MD5
df534b68398a82ad8f7300fbe9967b4c

SHA1
a395b11f6ca07c40c0eb01a9bab6ee6f64e84174

SHA256
6113ea0f69508eb71c189a36828f4381dfbed3d6d9ae57d71db2c57006f5c94a

SHA512
f065186db3734dd4c501e01f4e74de6f5c77e6ac210fabe0bd1867d19d0a550ea59844d57a424e6b4ca7889459a84660939d47f954dbb02a25081893d721c4a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\dHSW56UkHcqml5A2edjdwEWkjVILySJbibdxxJgKM.exe
Filesize
477KB

MD5
c9a9d3ffb1b34fafe83ca78d5f399e0b

SHA1
b4a727cadd14990130518f69ae317326c9dea251

SHA256
5aeba0a7dc883fc6aea5e7b32bdfb74d0adaa2b9c15a245c010b857599083d5b

SHA512
94b51f5de01f00518488ed568ae9a20408b831acbf253729719c76df46287a2c1b05a161289cfb66b653fa4ff865b18b4c1adccb05504a188a179aff3bc52514

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\d997s9wCX4ZAXsEc5v.bat
Filesize
555KB

MD5
775af9a8a980523e1cb888059eaf5377

SHA1
d9089885afa911ca4769f1eb423349c8eccea8d2

SHA256
7e615a6c91150ba57082f694214b12255b16bd532849116728e93e45eaf4c6c5

SHA512
eb879d19cac743eaad157883f8f4eaea9db30a74f85251a71344590963dded742d833c7b170809731db59125eb101e835e36ca934693b78ca35c16d5e333f743

Download Submit
C:\Users\Admin\AppData\Local\Google\lLto7sm60Bq345ajZB5eKJjTkzrlRxnB2KJ9MFq1buXhULu8YBpspN2Sp.exe
Filesize
574KB

MD5
e150a57f82135722b0f3e02ae8098e9d

SHA1
ad00d613a7e794979669f7f2c747c21cbafbc14d

SHA256
2d8ba490fed431af094ae8bb60a04a34a1ccb4055fa584cc165f673085d2c217

SHA512
de37b2c3a54a5c656fb9d9bdd4f13cb5e2480b1185fbd9b8a1fb79921ced8b474d5784f758c4ebff98cb6d37181c6eb0a2a51d72fc7b56dead51d60026f126d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\iv4kQzMZMpF5msRYFlva6lV8J2yCBW.exe
Filesize
388KB

MD5
8ec3d683caee4703ed4fdab9898ec958

SHA1
7e7e4eacc117edcea29ec53306f24f89865de1fe

SHA256
e4298f66a51c4fc0980dbb7f03761f923dc2f064651cbc43abb8c0568c6f08fb

SHA512
1bd37f4457ebcb03a670bbb6cd4512098cd931958c702f193d9316babcdd0c59ade4f50afdeb3f2bc97f0a06aec45deb8981c86a3f672c5273ed5889711ab543

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTFihyCAKN73JHyCpXOkpGQhj8hX8tYlbwFgBo1JALdgInQOrb6ilX3vl7Le.exe
Filesize
370KB

MD5
b3f1bf4339c64f997f7d0e3e4df70752

SHA1
94da8157ed3117929699de92244816168a571ea3

SHA256
3e79b9d9451d11f7801eb0e93df116af7372e37aa192ce29de6d0c767caa9eb7

SHA512
bf68c07a0aec75d507f4293a46247e1eb489e4af3432e7050368bacb78d1e04a00973a989dfa055592351986b00f23d1799bdd68c66b1925865851d32eb6a570

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Filesize
413KB

MD5
f904006a502aa318d78279e0e960d128

SHA1
843e0160dba2ce047a96ea651313569b3fc2aa62

SHA256
d6e8843a806d66d48448f51e2f2b70d1c344e72add4daf4e2ccd7e79582e5d07

SHA512
f3504057bddc80e58bd659c6c7dfbea3d63b05bcb0ef381984b5e23decd47fd882384c3acf2b405f8505e35b04bc8d58555481a369883a56ee659b42b9a84bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Filesize
413KB

MD5
f904006a502aa318d78279e0e960d128

SHA1
843e0160dba2ce047a96ea651313569b3fc2aa62

SHA256
d6e8843a806d66d48448f51e2f2b70d1c344e72add4daf4e2ccd7e79582e5d07

SHA512
f3504057bddc80e58bd659c6c7dfbea3d63b05bcb0ef381984b5e23decd47fd882384c3acf2b405f8505e35b04bc8d58555481a369883a56ee659b42b9a84bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Filesize
413KB

MD5
f904006a502aa318d78279e0e960d128

SHA1
843e0160dba2ce047a96ea651313569b3fc2aa62

SHA256
d6e8843a806d66d48448f51e2f2b70d1c344e72add4daf4e2ccd7e79582e5d07

SHA512
f3504057bddc80e58bd659c6c7dfbea3d63b05bcb0ef381984b5e23decd47fd882384c3acf2b405f8505e35b04bc8d58555481a369883a56ee659b42b9a84bea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\storage\default\moz-extension+++8e30aaae-1cd1-4ccd-b4dd-119fc9692196^userContextId=4294967295\gHaGn80yH21cPy.exe
Filesize
301KB

MD5
2c014f3d8c333289eb99ab19c028ae3f

SHA1
fd78cba0fb982a966d785a88d021337d1ffd7131

SHA256
26ff822e26b9050cf1f56614d51edd1c23f16ea14bffa90b28b30058b0fe92bc

SHA512
87871f2305cd98eaf2a7ec787ca91784bf6b1a04470b7f3bdd8df80bb0cab7813c435d9efd459b2398fd2a425ac5aef9b6e98bed211e3327656dcc225b955e43

Download Submit
C:\Users\Default\AppData\Local\Microsoft\Windows\History\9ljfiLv7gOSFdNaeOafW8sK70RUHiH.exe
Filesize
388KB

MD5
a39757acbf1665ffa311739203db506f

SHA1
d6f33d10e2b0f880640700d5e66851602f873acd

SHA256
3ccf8d6135e76df0353b5b064148ee1b76164c01f65f5623bb962a1b21b910a5

SHA512
060c6e5ae82d60f33a0ead34b8bb4a8a7a5fb0b29308d4fc9e0dba8270c5b3c18a9f64a56fd5bb733907df85903e0be72b47bff3dd46d2e25ec750dd864defd5

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Filesize
413KB

MD5
f904006a502aa318d78279e0e960d128

SHA1
843e0160dba2ce047a96ea651313569b3fc2aa62

SHA256
d6e8843a806d66d48448f51e2f2b70d1c344e72add4daf4e2ccd7e79582e5d07

SHA512
f3504057bddc80e58bd659c6c7dfbea3d63b05bcb0ef381984b5e23decd47fd882384c3acf2b405f8505e35b04bc8d58555481a369883a56ee659b42b9a84bea

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Filesize
413KB

MD5
f904006a502aa318d78279e0e960d128

SHA1
843e0160dba2ce047a96ea651313569b3fc2aa62

SHA256
d6e8843a806d66d48448f51e2f2b70d1c344e72add4daf4e2ccd7e79582e5d07

SHA512
f3504057bddc80e58bd659c6c7dfbea3d63b05bcb0ef381984b5e23decd47fd882384c3acf2b405f8505e35b04bc8d58555481a369883a56ee659b42b9a84bea

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\rCaWnrBK2isrWJPvUW80s6I0SHoxiz8Qe466W43eumM9knzI3nc4KjQpzSlCwu.cmd
Filesize
413KB

MD5
f904006a502aa318d78279e0e960d128

SHA1
843e0160dba2ce047a96ea651313569b3fc2aa62

SHA256
d6e8843a806d66d48448f51e2f2b70d1c344e72add4daf4e2ccd7e79582e5d07

SHA512
f3504057bddc80e58bd659c6c7dfbea3d63b05bcb0ef381984b5e23decd47fd882384c3acf2b405f8505e35b04bc8d58555481a369883a56ee659b42b9a84bea

Download Submit
memory/268-85-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/268-80-0x0000000000000000-mapping.dmp

Download
memory/960-55-0x000007FEFC291000-0x000007FEFC293000-memory.dmp

Filesize
8KB

Download
memory/1628-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1628-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1656-77-0x0000000000FA0000-0x0000000000FCD000-memory.dmp

Filesize
180KB

Download
memory/1656-76-0x0000000000FA0000-0x0000000000FCD000-memory.dmp

Filesize
180KB

Download
memory/1656-64-0x0000000000FA0000-0x0000000000FCD000-memory.dmp

Filesize
180KB

Download
memory/1656-65-0x0000000000FA0000-0x0000000000FCD000-memory.dmp

Filesize
180KB

Download
memory/1968-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1968-62-0x0000000000000000-mapping.dmp

Download
memory/1968-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1968-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads