7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc

Analysis

max time kernel
153s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Size

297KB
MD5

6e6d2ead45ce3083eea2676b6e596daf
SHA1

c49561f2005982d8ed15230ac74c6188006d0f8b
SHA256

7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc
SHA512

bdcba2196bfd907f8add9ac99a000e613bfc8a9d0ca6f21a894aedaebc60cd3c88c771322c5f39c0fc434d8c606ad01d76c18cdfe0b6db6218d43b949a8a932a
SSDEEP

3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exeHP0Tuh995UB5JBD6e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\v60FlkpXY7qhRsCvJMju428ZEf1j0ZfHkNpu3d2KliWPU08lmP.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\jweefqrln6Jf9ffbo2PKXc4.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TempState\\hOUEzAhBFo2jnx4e.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	HP0Tuh995UB5JBD6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\B11EF506-7DE1-455F-8E20-67264DD4AF60\\x-none.16\\6o58BQ116NMWxnY8E1o3Gmcc13nX5Mxv3ZNSCK4FJPZU0BHv9gpWB73FGuPE6d4ALkt.exe\" O"	HP0Tuh995UB5JBD6e.exe

Executes dropped EXE 1 IoCs

Processes:

HP0Tuh995UB5JBD6e.exe

pid process

3464 HP0Tuh995UB5JBD6e.exe

pid	process
3464	HP0Tuh995UB5JBD6e.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HP0Tuh995UB5JBD6e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	HP0Tuh995UB5JBD6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	HP0Tuh995UB5JBD6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	HP0Tuh995UB5JBD6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	HP0Tuh995UB5JBD6e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Drops file in Windows directory 1 IoCs

Processes:

LogonUI.exe

description ioc process

File created C:\Windows\rescache\_merged\2229298842\4066884077.pri LogonUI.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\rescache\_merged\2229298842\4066884077.pri	LogonUI.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exeLogonUI.exegpscript.exeHP0Tuh995UB5JBD6e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Public\\4sg9SAGPf1bkCuL7wT.exe\" O 2>NUL"	HP0Tuh995UB5JBD6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\RoamingState\\s8Qho17wTE8Bc32H7pMgTQCjsTQwKjbwoJx4RvbT7W8qWdHI1Va6vKVEcyGt.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-20	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000c2ce590eeb00d901	HP0Tuh995UB5JBD6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\\LocalCache\\v2bf1iV7YRxsWXPGB1Hg8TLSuG.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	HP0Tuh995UB5JBD6e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	HP0Tuh995UB5JBD6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\wF5tCEAZ6fVT6VkO1eOGSpgbppIjAc.exe\" O"	HP0Tuh995UB5JBD6e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\GMQ6XNBF\\qf5okqMIFmOo7cOAlAskygYu2BK61rSSyHo21fzKBJirFBvp0sQzwyClADTS9.exe\" O"	HP0Tuh995UB5JBD6e.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\yLhybRAYKVQV1LOCrkcThQerILYaXe5yFncR6uNBsTp.exe\" O 2>NUL"	HP0Tuh995UB5JBD6e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\GatherLogs\\xvwEEn8WGeUxhvYyJfsBgrcEz4KL8hcxdvpoXriX5dWCfyZfF3wYReKZXEd.exe\" O 2>NUL"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	HP0Tuh995UB5JBD6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\Vmx6H9nPP3DCZiqizgH1XMjc3keiCK0XnG2UUmnP9VYiKlAOYKtzUb.exe\" O 2>NUL"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	HP0Tuh995UB5JBD6e.exe
Key created	\REGISTRY\USER\S-1-5-19	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{61087a79-ac85-455c-934d-1fa22cc64f36}\\dr6ZAoJ1Y18Euq5tQwG19CKwWcP3G7bqRGENaVQBVFEzcoFakmYH0zP9815rq5iQm.exe\" O"	HP0Tuh995UB5JBD6e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\regid.1991-06.com.microsoft\\b6k1QZbR3LoXcdIS2B5eTWPhaHuLT0rE71yHpqCt6aJ1uovAg711YqKxWTYn98SnH.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\WinX\\Group3\\13U4zKmrzC1.exe\" O"	HP0Tuh995UB5JBD6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\B11EF506-7DE1-455F-8E20-67264DD4AF60\\LfwlD1NEZhCqhYVcdSHvJ1NUsEAhTfsENxqER.exe\" O"	HP0Tuh995UB5JBD6e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	HP0Tuh995UB5JBD6e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\e4N8LxZRp2EsfD9.exe\" O 2>NUL"	HP0Tuh995UB5JBD6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\NcsiUwpApp_8wekyb3d8bbwe\\AppData\\U8uP4n11ck5GoyfnvENKKcbLwLhmDeA1cx8LXWm1g1ltjvS.exe\" O 2>NUL"	HP0Tuh995UB5JBD6e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	HP0Tuh995UB5JBD6e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\P-ARIA\\akOe8C0voNE93Mz4bl8sGKpgnJx9.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx = ffffffff	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\.DEFAULT	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\ms-BN\\13wh1CZ9dR59FowtRJ0r993bzoSjBtuCmix.exe\" O 2>NUL"	HP0Tuh995UB5JBD6e.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	HP0Tuh995UB5JBD6e.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe

Modifies registry class 10 IoCs

Processes:

7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Burn\\Burn2\\PDNKbLelXgnytWaIaLwAduLiANoPO0r6q8VBzxXlve5X.exe\" O 2>NUL"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Command Processor	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\uz-Latn-UZ\\W7hi7t4TXh4yB.exe\" O"	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exeHP0Tuh995UB5JBD6e.exe

description	pid	process
Token: SeBackupPrivilege	4212	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Token: SeRestorePrivilege	4212	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Token: SeShutdownPrivilege	4212	7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
Token: SeDebugPrivilege	3464	HP0Tuh995UB5JBD6e.exe
Token: SeRestorePrivilege	3464	HP0Tuh995UB5JBD6e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LogonUI.exe

pid process

3336 LogonUI.exe
3336 LogonUI.exe

pid	process
3336	LogonUI.exe
3336	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 768 wrote to memory of 3464	768	gpscript.exe	HP0Tuh995UB5JBD6e.exe
PID 768 wrote to memory of 3464	768	gpscript.exe	HP0Tuh995UB5JBD6e.exe

C:\Users\Admin\AppData\Local\Temp\7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe
"C:\Users\Admin\AppData\Local\Temp\7ade6d0ffeab3041178da5aca39bdd0f64b3d621fe154e8ebae0e780ed3a72fc.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ca055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3336

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HP0Tuh995UB5JBD6e.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HP0Tuh995UB5JBD6e.exe" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\xvwEEn8WGeUxhvYyJfsBgrcEz4KL8hcxdvpoXriX5dWCfyZfF3wYReKZXEd.exe
Filesize
475KB

MD5
c9e1ec1d6f7509f78feb0ae5d51f4d66

SHA1
f41f22768c28b549c35f4afa904c40fef901b614

SHA256
f5b397c971bf6269f7c5b9cee194a3d160d1bd11d63b75de75f3c7bb1e20fb40

SHA512
456a7b7768d8bed57cdd48ba06d5b023accf2c626b446b0dc53b597624057bebd962cd613bc7fbd34beddc76149fb1fbe2d540cba574051e26f5d01f8ea30522

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\b6k1QZbR3LoXcdIS2B5eTWPhaHuLT0rE71yHpqCt6aJ1uovAg711YqKxWTYn98SnH.exe
Filesize
523KB

MD5
5b92bacb8328bd544ecf29914a6b9339

SHA1
15eef7722405071243826b5946149bc61352fbf4

SHA256
09ef876645a38ca3b3873c90f8ea6bb387d42668e85d289f2725963aeac03e65

SHA512
1ab61730f50449ede5ce6d568674841bff0ec9fce3fafbdecb9b4a22fb48106a4ba03d5ecd55d8cf4df2322fbcc84b0539769e95111b31dbe251f923d4dfc993

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\jweefqrln6Jf9ffbo2PKXc4.exe
Filesize
351KB

MD5
14603b7799478ec4ac2a30d5aa342a09

SHA1
de7d0a5df5c10af2881f9b8092a4f5f675882238

SHA256
51ceef517b62fa7777ba7112e630b749a09ced078aaf8f6e72e8c9c86c6088f1

SHA512
dea1b9697c336d1f5d17fe4e1c5ceb4d25eb8dc6718226fbe46f1de5cf9a3bd0dcf70827300ceec73eb6c5fef58ec663536259b076267a02c5c616ef8b1e6dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\es-CL\GPTpBuHFNJa6CGRCThFMw8SENO8AwW5Eti3aZiEoPPdFh9wwur0jzO9.exe
Filesize
459KB

MD5
5f9b5f6c0ff745ea2ac88efb62550fc3

SHA1
1f30a74f66b1088ffaa4a14174f799d761585509

SHA256
2b84ecdf022a3673dff9429a365c17f732098c84c80ce69bba589f76f50230b4

SHA512
a47b19eeabc6b61bf94d7f0e235a66328d43e701095a839686875d73e186073d1cd3febe4fd75ac5f9d63cb2b883b9fe6c0e3469e4107ea2dea2408f6d3ffe59

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RoamingState\s8Qho17wTE8Bc32H7pMgTQCjsTQwKjbwoJx4RvbT7W8qWdHI1Va6vKVEcyGt.exe
Filesize
462KB

MD5
9c875252b2c483412b15d45b28048986

SHA1
50be38f3d53aad66a93a34c5a958a10abe0de92c

SHA256
0ce1307977baee1cf3b1ada1095619c434028cffd53e0a1ebee97c3a71b03c09

SHA512
c2f25b81105a438137b2d71cf34f0d5b169029b0627df12806a9a3a35f1e127c01970afe71150186afc44d6c631e131232fab36c5a38ad64cec6fc328180fa09

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\LocalCache\v2bf1iV7YRxsWXPGB1Hg8TLSuG.exe
Filesize
570KB

MD5
29be6ef041de4add8d1d1e34d23202cd

SHA1
c372313ab1c0e12227eaf37656baa49017e49b9a

SHA256
e6c9cca8ab3d543fc1cf5186b6c959c1eaccf8831d08fb0bad301bdad468c6d0

SHA512
d01921f7fee45d4f0ee25d1c2edf23492fe5be82d63e7eae546da4bfe4272956c7ce9be2482f401b88b48c316f5f8e38899cf0b68006b71fba12d8ef292be2ac

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCookies\I4GzVRowZ2msh.exe
Filesize
383KB

MD5
1ecefb8106e40f73f42598bb40e15d71

SHA1
8780e027bae5ad1225a5dbde52107b63c9c9f0a4

SHA256
fe6aa43b9de19d43f52ae9f310e559b39e595264ebdc01a2d2a825ddf9f29ac4

SHA512
c7370e8d09b3bdfe07c0dd5f83b4fbb4c1b44e67c12a9c0c940fdfea3f650006e35b982d549c0244e7e3a9a5017311e210f9bfcb844c923b0221efe9072f4ccf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HP0Tuh995UB5JBD6e.exe
Filesize
327KB

MD5
5ce64e2958f57e773860d44667a7618c

SHA1
daad50d1ca7a913dd461890f61791018953ec05b

SHA256
69be7b94431fac7dd4b30d924013d6284eadd1f694d389d382907911b9a386e2

SHA512
0fbf7c4f508b43d0711c3313297dba6f157a7abe3fedaf2d8bed1edc15dbef4a288676bf8fc463b53ad62fa8a8d0c6d85297f6269ecc337cbcd5538021fb06e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HP0Tuh995UB5JBD6e.exe
Filesize
327KB

MD5
5ce64e2958f57e773860d44667a7618c

SHA1
daad50d1ca7a913dd461890f61791018953ec05b

SHA256
69be7b94431fac7dd4b30d924013d6284eadd1f694d389d382907911b9a386e2

SHA512
0fbf7c4f508b43d0711c3313297dba6f157a7abe3fedaf2d8bed1edc15dbef4a288676bf8fc463b53ad62fa8a8d0c6d85297f6269ecc337cbcd5538021fb06e6

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\6juEEVJsUqYsWBzX7uFqcTEjSA4vyKyxh.exe
Filesize
502KB

MD5
ebeb4b04c6fa03f28d7c87b1d841f75e

SHA1
27dd59b20a3679362b982ef86ebdbdc8536eec8b

SHA256
25c8389c8976737b6ba865c72545f19d36a08b9858998e107ffd69fa2063741f

SHA512
ec8275d4a23203792f76330641ec0f6bf4baba34f6933b5ed603c3ff62c2c1f1ec22973fa0331f08908b90462e34e78aa782235187e4c0239f74d971118c6c17

Download Submit
memory/3464-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3464-135-0x0000000000000000-mapping.dmp

Download
memory/3464-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4212-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4212-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download