dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330

Analysis

max time kernel
69s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:28

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Size

747KB
MD5

cbf1f6898e4fb8cd8b0cbe3b68f86489
SHA1

239d25be201f0e27aaa0218b6bde5ab6a0960f67
SHA256

dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330
SHA512

0f7127cd81edce66886f16fefbb1a372d018d38398f60f9973174f30630e5fabe04c6dd508fe9308fa9b0a9629f7553ad60b70e396e206d53cb93c5b890e7835
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

description pid process target process

PID 2004 created 580 2004 Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat svchost.exe

description	pid	process	target process
PID 2004 created 580	2004	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exeZ5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\h8cVUbnV5Dnqi4LUOEMzUwuMDxyn7QPzlmjmMQLNAvwN5utLfsCAhqu4MTwFIXkCmo.exe\" O"	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Cez2XpzIHsSnq8DuLWztdDhhqbFsY.exe\" O"	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Adobe\\Updater6\\cNYeTsCWNoFaz2BucxEM1TxkUlarQ.exe\" O"	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\JeqnZEgZkbNoU4ZuxVYoicoUhL6rsPLvt88v3hfqhphh29L3hwHQ0XspkO7GNyVRs6qql.exe\" O"	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

Executes dropped EXE 2 IoCs

Processes:

Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.batZ5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

pid	process
2004	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
736	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.batZ5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

Loads dropped DLL 3 IoCs

Processes:

gpscript.exeZ5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

pid process

1804 gpscript.exe
1804 gpscript.exe
2004 Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1804	gpscript.exe
1804	gpscript.exe
2004	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

Modifies data under HKEY_USERS 63 IoCs

Processes:

dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exeZ5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.batgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Code Cache\\wasm\\xHR1i8AXgzhwl5HoWHbhI8cadati1O4gqSGiLE4mzQeGnF7xe.exe\" O"	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\39\\aoSuSaOgAnqAT0FdOFj.exe\" O"	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\au9ni2dm.default-release\\h8F7oQAm9Q.exe\" O 2>NUL"	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\MEIPreload\\At3x7Emgqn.exe\" O"	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\smSWS240CpmbZ4DbP08zS2JgjVBzdd0H2ZAhyZ2oen79INq.exe\" O 2>NUL"	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\d4P12LiHl6TqRasdbnYDHPFdT34C5it83.exe\" O 2>NUL"	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Local\\Temp\\AHq9nTs5mTjZv2l58pRvbgHXHIcoXUWrjCIbeOAoWkT8yKQk0A69CKrGDhRIXab.exe\" O 2>NUL"	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Low\\53cjC5jp3Mf.exe\" O"	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\x4o2HSXJMd.exe\" O 2>NUL"	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-20	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Burn\\xigE6g7hSrezk5zxZGZ7mG70sVVXXrFvB4YG2AQP43S5ge1FS5zWKr5oI5h.exe\" O"	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000060db5150ec00d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Network\\uEq3sESGm3n51Pn9H8BH.exe\" O"	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000040a35955ec00d901	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\MoOZqWWclDSstGbKsq1ePZC1GJ3a4Q.exe\" O 2>NUL"	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\N7za1LMxcBAEEr17iyMvox9o3gzr25SsrqhiQwK7CALehrwZeVO16R8.exe\" O"	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a0d04653ec00d901	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000020692c55ec00d901	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\USER\S-1-5-19	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Code Cache\\uGDSbxdx0W3Hg2JkBxbzbydygDi5XkH1nSWLzRzrM2hiHKFGfA.exe\" O 2>NUL"	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-999675638-2867687379-27515722-1000\\srbnSEkCwiQdm26cOg55YhyhRhVzxe0zVMVPU4tfUfC6kpZKI5FAGNov6duP1uPnzDgf.exe\" O"	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000408d3355ec00d901	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\56J0Gb4wA31T4.exe\" O 2>NUL"	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\u9EooIPx6XhGP0JvnaxlwisHhhW1VHsZwj61Wg7XVPfKZL6MvPolkv.exe\" O"	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\35\\40qaEdtTi5WFBY2ibq7PbLIojN2E6vgS82qBmtbhjNcUiHluXy.exe\" O 2>NUL"	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe

Modifies registry class 12 IoCs

Processes:

dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Downloads\\1fhkBeGGKXu2xttvK4.exe\" O"	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\MEIPreload\\BTihEC0j46G5gDgr0h06wFLwDoqKbtUFdqJae.exe\" O 2>NUL"	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\SOFTWARE\Microsoft\Command Processor	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

pid process

736 Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
736 Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

pid	process
736	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
736	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exeAUDIODG.EXEZ5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.batZ5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

description	pid	process
Token: SeBackupPrivilege	1384	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Token: SeRestorePrivilege	1384	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Token: SeShutdownPrivilege	1384	dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
Token: 33	1576	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1576	AUDIODG.EXE
Token: 33	1576	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1576	AUDIODG.EXE
Token: SeDebugPrivilege	2004	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Token: SeRestorePrivilege	2004	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Token: SeDebugPrivilege	736	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Token: SeRestorePrivilege	736	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exeZ5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

description	pid	process	target process
PID 1804 wrote to memory of 2004	1804	gpscript.exe	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
PID 1804 wrote to memory of 2004	1804	gpscript.exe	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
PID 1804 wrote to memory of 2004	1804	gpscript.exe	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
PID 2004 wrote to memory of 736	2004	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
PID 2004 wrote to memory of 736	2004	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
PID 2004 wrote to memory of 736	2004	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat	Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:580

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Users\Admin\AppData\Local\Temp\dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe
"C:\Users\Admin\AppData\Local\Temp\dfee7601db502cf783f5ccd683d37116db1927384e93919684d2324755aef330.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:780

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:996

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\u9EooIPx6XhGP0JvnaxlwisHhhW1VHsZwj61Wg7XVPfKZL6MvPolkv.exe
Filesize
1.0MB

MD5
b9568df22fdc988d5070d043a242c9ba

SHA1
f37014d847f1bb0f8151068601598f759eff7e69

SHA256
0020382a6704cb9cf5ecf39571f7321ed6ebf7446af417267bb823521e2efccf

SHA512
63369c2d8e836a7cacf5a70c8983f13645991b91508a36bf9af57f18104e71d345ef85e6a734819455463d91116d8f54476d90a11a4de553c13f5e095596ac5c

Download Submit
C:\ProgramData\Microsoft\Windows\56J0Gb4wA31T4.exe
Filesize
1.3MB

MD5
df537594fcfbbe44a0b926843c64192b

SHA1
ba515a189e23fb895af2ea2d7c1a7382996c5e30

SHA256
eef05b1f9c7ace88191856f138c4bb36b85576b01bbd9094e84ccfd4ec919a88

SHA512
9d04d8cc9b705d3242b6c794d6bdfdaed0bc8d7c62cb0d1ca5944440c3f279e0e9d74570a0566b19b67dc1c455d59ae60dcbe78e89de97d3f1001c93542ed809

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\N1IznPUs5ToHYmkRVXhnc2MCutfzKIKZDFVzHlElfRkQQ.exe
Filesize
1.2MB

MD5
e1c4b04083e9c5a3bc29bb0dc1ac6a65

SHA1
a487ed5cb5595ce7b1aa6927dd9f4090e95cab06

SHA256
e8bbd167e5f8616e317ec03c606d2392aed4f880428c1ecc9f8cef8a7e00634c

SHA512
4e36dafa7a0b293838ca8a58f606b1702303779ec0b1229672a2918c6f98aec2aa5de59d3730c522f761ecb191d3267af21858ae1fd45ed9b8ca245c0b7b0aa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\8vHDeFR1D1vbbzigEspYnEwvNtG1piguSYQ1OR9joM347tMrFpp7Pdaxxex.bat
Filesize
1.3MB

MD5
3fcdba4b52454a769ca1b65c5161ce09

SHA1
4375bbee3f5c317c822960d5d679d393acbc689c

SHA256
72daaa5ac565c4e377878edc310a775dbebc4b841c342ee65443334bc283d1bd

SHA512
b6b59a68d1c12d30aa164e28b2ac7a23768ccdb84cf9c3ee6bc7bd3105a331d535a0ea4687fc18e83184114b1c9917b038182fc6419bd728dff6a76a67911f9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Cez2XpzIHsSnq8DuLWztdDhhqbFsY.exe
Filesize
1.3MB

MD5
9ccf5c0297e88b319b94d14e3780acd9

SHA1
17cd81f8c53b58e052f47ce7f5bc41c3150c5856

SHA256
550d3604f5774b25c9c3a831523a8712ede57d55077afa5918189c4078ae649f

SHA512
1ba844533de9c5e949f9044dabf2ae3eacd2d8c6d5f565d6a660d7e2786d629325518c9bef44c1e224ca396b042d9115bcb37f9b15ff9fd25aec61d1e7057d59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\MEIPreload\At3x7Emgqn.exe
Filesize
788KB

MD5
7bd3c63d72d03fa9097075a9341f9d37

SHA1
167956b01be09cf4d97d8132faa7c2cbfac3cad6

SHA256
00d2b3ab2f747b2dfb2b06ddc23a8f480bac3cfd7dc208bbe381591ab126a330

SHA512
4bf951088793c093fefe61672394269b88a2cf3be98ad42432b1024295f4af3049f4a184a217cd7bddd3dc820580db803ef5ec3c198e34dd09a9dbfa4694a3a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\PzFInNVXI1YBbZnmA2XRJS94Odb1Ctm6HEQt7cqgDwfjTCNgmbGpsQiB2J.exe
Filesize
1.4MB

MD5
0eb0c00ddba35dad59bcdad101ef8c13

SHA1
5cdd814039b9928fbc0510bd2131a9da5f6edb07

SHA256
58fe50e38314f759c900191bc9cafcb1e8ec926efe2dd082899ccb26c38c108c

SHA512
d4f9909199820bd3a6fbb944a4f9e2e8b570fbf10b58fae81600ace52e505492edffa83ac56e12482352976533d88723d93f433590ba22f630a9c9e9a2513074

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\d4P12LiHl6TqRasdbnYDHPFdT34C5it83.exe
Filesize
1.2MB

MD5
0511719ea09beaab9722db5fcbaea919

SHA1
bb5893ed09ad76931048c6d006003adeb6bc5f3a

SHA256
5f986f65cafc1e36923928df6bcf4689e09d298b33953e29a5b3703939fa82e8

SHA512
30bed00fda0893f8e7d7b052f4d36f01e83f16c15ae1ac46e911161e24bdba88e982081344815fc829b123eeb2321e5ade976eac67b6d797dd0ef3107ec70678

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\53cjC5jp3Mf.exe
Filesize
986KB

MD5
5c87e2ca740acc2380645acde2dd3443

SHA1
43de1fea4403f6f99d5a1a26264b114a7eae2660

SHA256
8fc5d3dfcc155b4d8ba2e96ecc8f70f916f0d29f99630fbac2f22d379db401d7

SHA512
61a143d88d0688e44a2795f5a7f5103529e87532e67195454d9e733892b17cbcbb90448d27796adbf88dd9f72b96521e401256866779356eb3e7ee6f8a5d51d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Filesize
1.1MB

MD5
8e191f0131967eff21a7cf82ed884189

SHA1
ecd7578db66c2e24a27454979eb2d4092362b4bd

SHA256
8607f72492438b5cbe662d547610806a51961f8cb424e442f54bd7271336e279

SHA512
7b849f508bf399afffa25b41437ed2c18191ae2c363476f2f99a9d7f100cc34508e2e20fb7c6975c42599e3bfb7900cb5865b138f275c4680e7527e019fbad64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Filesize
1.1MB

MD5
8e191f0131967eff21a7cf82ed884189

SHA1
ecd7578db66c2e24a27454979eb2d4092362b4bd

SHA256
8607f72492438b5cbe662d547610806a51961f8cb424e442f54bd7271336e279

SHA512
7b849f508bf399afffa25b41437ed2c18191ae2c363476f2f99a9d7f100cc34508e2e20fb7c6975c42599e3bfb7900cb5865b138f275c4680e7527e019fbad64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Filesize
1.1MB

MD5
8e191f0131967eff21a7cf82ed884189

SHA1
ecd7578db66c2e24a27454979eb2d4092362b4bd

SHA256
8607f72492438b5cbe662d547610806a51961f8cb424e442f54bd7271336e279

SHA512
7b849f508bf399afffa25b41437ed2c18191ae2c363476f2f99a9d7f100cc34508e2e20fb7c6975c42599e3bfb7900cb5865b138f275c4680e7527e019fbad64

Download Submit
C:\Users\Default\AppData\Local\Temp\AHq9nTs5mTjZv2l58pRvbgHXHIcoXUWrjCIbeOAoWkT8yKQk0A69CKrGDhRIXab.exe
Filesize
1.0MB

MD5
516f402d9cfa8f22c35dfc9da92fef02

SHA1
1c73f43e9c00b13774d44fbcb40b21525c0ffef3

SHA256
62b1755c2410fdeafba68f5ceadd0f60ab1137aa405a61f20e0d7d5b7fb2d3e7

SHA512
537f4396dd4275b69f1b7ba19c8b385746ea25a9bbdb0521ed2d7971bd09b61b9747bfc2532baa5ed3ea57e7b06c018a6785018930575bbc48154461593fabcf

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Filesize
1.1MB

MD5
8e191f0131967eff21a7cf82ed884189

SHA1
ecd7578db66c2e24a27454979eb2d4092362b4bd

SHA256
8607f72492438b5cbe662d547610806a51961f8cb424e442f54bd7271336e279

SHA512
7b849f508bf399afffa25b41437ed2c18191ae2c363476f2f99a9d7f100cc34508e2e20fb7c6975c42599e3bfb7900cb5865b138f275c4680e7527e019fbad64

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Filesize
1.1MB

MD5
8e191f0131967eff21a7cf82ed884189

SHA1
ecd7578db66c2e24a27454979eb2d4092362b4bd

SHA256
8607f72492438b5cbe662d547610806a51961f8cb424e442f54bd7271336e279

SHA512
7b849f508bf399afffa25b41437ed2c18191ae2c363476f2f99a9d7f100cc34508e2e20fb7c6975c42599e3bfb7900cb5865b138f275c4680e7527e019fbad64

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Z5TrVguyzjRI5JzJH49DUXIIbGxEQY7bWmHRXYKGZcKJ8UIIRrz8QdI1jy1h7S.bat
Filesize
1.1MB

MD5
8e191f0131967eff21a7cf82ed884189

SHA1
ecd7578db66c2e24a27454979eb2d4092362b4bd

SHA256
8607f72492438b5cbe662d547610806a51961f8cb424e442f54bd7271336e279

SHA512
7b849f508bf399afffa25b41437ed2c18191ae2c363476f2f99a9d7f100cc34508e2e20fb7c6975c42599e3bfb7900cb5865b138f275c4680e7527e019fbad64

Download Submit
memory/736-83-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/736-86-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/736-80-0x0000000000000000-mapping.dmp

Download
memory/780-55-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download
memory/1384-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1384-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1804-69-0x0000000000CB0000-0x0000000000CDD000-memory.dmp

Filesize
180KB

Download
memory/1804-68-0x0000000000CB0000-0x0000000000CDD000-memory.dmp

Filesize
180KB

Download
memory/1804-76-0x0000000000CB0000-0x0000000000CDD000-memory.dmp

Filesize
180KB

Download
memory/1804-77-0x0000000000CB0000-0x0000000000CDD000-memory.dmp

Filesize
180KB

Download
memory/2004-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads