6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0

Analysis

max time kernel
23s
max time network
27s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:28

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Size

744KB
MD5

12449cb6eb1885a425461bf6a3ab5189
SHA1

6feb175c444823f44804f32f8718052f23dac9ba
SHA256

6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0
SHA512

e69948aa5bd5b172aea9fbbd8569f34f600899061781062138ab8c6d2bd8dbe85208090d4059c689a7e5d96da248c1fb22e3c829aecd26288bbddaf620be7841
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe

description pid process target process

PID 3848 created 656 3848 S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe lsass.exe

description	pid	process	target process
PID 3848 created 656	3848	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exeS6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Crypto\\Keys\\LFcXME4HF3RVC.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\12\\xDilFdx4rsJ.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Public\\Videos\\uVHVvAnbqpw.exe\" O"	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\it\\TWbH2R2KTMEmX6pPfZAjSaKLYHXnYcVBIo.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe

Executes dropped EXE 2 IoCs

Processes:

S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exeS6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe

pid	process
3848	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
3852	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exeS6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exeLogonUI.exeS6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.CredDialogHost_cw5n1h2txyewy\\LocalCache\\xUiyUTNjERIGWiKiHNdZi.exe\" O 2>NUL"	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\USER\S-1-5-19	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\af-ZA\\zL9DgFk5aofIe874lAgahg8JTmx0XcrrAL.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\eu\\KMEQI3rfO45ZrWW9RSJimUqIp28J1SlBrl1IMbbSqOCe.exe\" O 2>NUL"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState\\lSkl17WL02Gj1eia70uKMtlQ9tMhAcnAhBmVWbMgkGmRdWusiWcj.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\sAZ7spx2FCop4506LryVk0uzF8sSImKbiCQ7kTXnRLDmVM6jqdUxTjI2wK.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe\\AC\\VybPsT52ZOOri73ZQkwFa15QLC8PQRUYmbFztRxWcv4sKmso0m.exe\" O 2>NUL"	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\\LocalState\\0sbi8GQ3Ovy2vudHJFlk6v9WyGZAVf8AaGam07O8D4OY4p4tKGZfEbmtTo6qlOIS9.exe\" O 2>NUL"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\fr-CH\\NpKgPhKxkARGWDaLGo3agV3kXXGKhaaDhfBH8UMFJro8NETk52hcphRqFQUXKQgxNtGphC.exe\" O"	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\57\\WHgiuFcIjo8ahmbgE15hvNJjavV0vHYjOZnI48td9yeFbWEgz2rGE19qq.exe\" O 2>NUL"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\iYkrcnHIkhUD9ijQjV5qvjBjRV9v8gmEhH8FZZoC8lx8b4DBbpLdsZmxs7hbyS.exe\" O"	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\NcsiUwpApp_8wekyb3d8bbwe\\AC\\INetCookies\\Bn0HdlplkuspOTZDs5CGzI6GO2pZ5mWg64F0zfHR19kd4ZWL4AGVE7PtNvP.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000008f7ca0c4e200d901	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\ar-YE\\NQKVm2B4oPjZtXdnhJvzDDPkuXhW6kJi9zHhdY1NR1f0ply2WCg0hLW9920OaklXAM1yxPs.exe\" O 2>NUL"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\MVB545ytwA1QdNDY6ZW0biniQRN2T.exe\" O"	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\naw0ZTL8map18Lcq5WFTwtR29WqOfFoTYIcnrMyJWNvrnRqvmTUby4lL7TV.exe\" O"	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-20	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe

Modifies registry class 10 IoCs

Processes:

6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\el\\wjdIWTCFyPn5hJiSVvjP9IUulSDg8ftczDtAll4DGkwvNpy7pYt2g4g51XWIeGwuAd.exe\" O"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\qml\\QtQuick\\Controls\\Styles\\wjXWCOzjksDlTmoXBO5HnV4fADiZbkOCsI4w.exe\" O 2>NUL"	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe

pid	process
3852	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
3852	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exeS6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exeS6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe

description	pid	process
Token: SeBackupPrivilege	4872	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Token: SeRestorePrivilege	4872	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Token: SeShutdownPrivilege	4872	6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
Token: SeDebugPrivilege	3848	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Token: SeRestorePrivilege	3848	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Token: SeDebugPrivilege	3852	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Token: SeRestorePrivilege	3852	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4860 LogonUI.exe

pid	process
4860	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exeS6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe

description	pid	process	target process
PID 4328 wrote to memory of 3848	4328	gpscript.exe	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
PID 4328 wrote to memory of 3848	4328	gpscript.exe	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
PID 3848 wrote to memory of 3852	3848	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
PID 3848 wrote to memory of 3852	3848	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe	S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:656

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AppData\S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AppData\S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Users\Admin\AppData\Local\Temp\6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe
"C:\Users\Admin\AppData\Local\Temp\6cc171efd272eb7823bf08f22f88a7b5b57619eb5fcf41e4d98f286ccc3c44d0.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e9055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AppData\S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AppData\S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\Keys\LFcXME4HF3RVC.exe
Filesize
1.1MB

MD5
4cd82c0a2a9af0222e0c95beb36f1a7a

SHA1
57f05c2a7b80aa2b121036b769fb0320f596a655

SHA256
6ead383dffc12c3c0a02d6e0514f84e82d4e9327395ad379265767217534a1b1

SHA512
137e97070ada0856c72b0e6e5ea06f14a417351c3d3c11f21d5c5bb6facd39214ee5c66e85be13f7f659235046be2343edf29e119691c6f8861b6f48d48e52e3

Download Submit
C:\ProgramData\Microsoft\Windows\AppRepository\Families\8MVc5IVlbc40bTxM2SWjJURv.cmd
Filesize
1.8MB

MD5
9751aadd2698c043db0268123d9242b0

SHA1
f93e7149822e3ab34b4cdbc73b24723cc3c0cd98

SHA256
c0a33166633dbe9cb82815e0f540f3f48e9c46e3e50c5e7ab8ff9a2ba18f742b

SHA512
83ec63c0e5a3b48a5a22aeb67238a28be4cf2a84f2b9e87649d8325321b78d5e681f535da30663ee00e971d326ab719e4b6299ffaebff4c38c7a01ccf30d3fee

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\sAZ7spx2FCop4506LryVk0uzF8sSImKbiCQ7kTXnRLDmVM6jqdUxTjI2wK.exe
Filesize
1.4MB

MD5
5d365e3869fc3049d1a28caeedb0d26c

SHA1
313f0ea05d70796bf870e2301962e932a077bc2d

SHA256
1c25c206e95164b40191809286bc7159453e80b16511224f4dbdb91b111f81e7

SHA512
b72b33e404f4a5f0af0fd245af8e6c3e29bf9904353ed54f4e7c203ab221e36944744c0eec7011659a22ad2c2cc1ee9552fc6efb03748ea3eef2ebca5ab6b902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\eu\KMEQI3rfO45ZrWW9RSJimUqIp28J1SlBrl1IMbbSqOCe.exe
Filesize
1.2MB

MD5
add65c16c593796661df466a16df2f54

SHA1
66a4acada771193e90d487212ee849d176cbb761

SHA256
5ba7e98601b6f00d01149ab468e2820cfa6de9d8477c3a4a8b58426925a71dc7

SHA512
dd7f892f831f7c80faa993af966124efd65957ae5f04e4a00859088f96a5be54898d2da1bd8cc5e61c97b977230a2fb131be30b0d25bf62c1960e572ba309570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\af-ZA\zL9DgFk5aofIe874lAgahg8JTmx0XcrrAL.exe
Filesize
1.3MB

MD5
43d846f08a1fa6cc1346437f79fe3692

SHA1
6730019f56e8a12a468487b9713059c0d7c642aa

SHA256
334db0d762d9cb86440bae877b07de9e2bfbb144ca4dd7b4c05789b743ac1843

SHA512
08a8cbd8d928fd9005b7bba6d67229b5c82c140e876d7bcaaf992121871de3cfcb2fabfce107b159e3313643924215ec256a415aae871afb976fb7936e05d16d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-YE\NQKVm2B4oPjZtXdnhJvzDDPkuXhW6kJi9zHhdY1NR1f0ply2WCg0hLW9920OaklXAM1yxPs.exe
Filesize
1.4MB

MD5
8d29f5054a4185099648360d33f18a4e

SHA1
04c499cbb031e57d4222c3a89388a3440f88416d

SHA256
2d8cd8ac027fb47be30681f63091335223f614371dd5164ea7f0ba23bb5bbedd

SHA512
9bb1df9cce5c12708a07bb13134724ce09ee8c1ee309247d53126cfdd405b8118743872c90eb6808a9183f12d8df3f3849d1a985da0dc73738e89ec1e2476fc9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\RoamingState\lSkl17WL02Gj1eia70uKMtlQ9tMhAcnAhBmVWbMgkGmRdWusiWcj.exe
Filesize
804KB

MD5
4182247f1f021d411216f59c175a38fe

SHA1
26276fc0c8fceda4f760d956d22476713d87b7b5

SHA256
ae568b40f8787530fde5704620c6ecda625cc2a1476fceb74d54fdb0ad5bb29f

SHA512
bf56b26fbd170ee7b696fced909585bd44a321b6683d564caecf5f3b256d5eed1eb4e7db418a3585ff0b3d22007d4e480a2f380933bd58b3e4a051e9978bb64c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AppData\S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Filesize
1.2MB

MD5
2d8f99a5e885d579b2a6bc90e8aa4689

SHA1
92c7f5054013c50144f508e27a638b8d507bd171

SHA256
f859c62a093f5f492958953e30ba2d9550f761b104e55c89b1539c3da02a5ca9

SHA512
aafc07f495960f5cb0f940147283dce4c9106af8bdf3e7cb3f6ab7646f79f8ffe6b985561eddd8b2fc23739c9a4dfcf4ed84e2203c1222aaa7b8d1990c36aac3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AppData\S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Filesize
1.2MB

MD5
2d8f99a5e885d579b2a6bc90e8aa4689

SHA1
92c7f5054013c50144f508e27a638b8d507bd171

SHA256
f859c62a093f5f492958953e30ba2d9550f761b104e55c89b1539c3da02a5ca9

SHA512
aafc07f495960f5cb0f940147283dce4c9106af8bdf3e7cb3f6ab7646f79f8ffe6b985561eddd8b2fc23739c9a4dfcf4ed84e2203c1222aaa7b8d1990c36aac3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AppData\S6mdogeMrlco3DN3p6Lu5yQBclzRKX0SQkOnz4DNUFiaiNXl5ivxYHNBiKzwbar.exe
Filesize
1.2MB

MD5
2d8f99a5e885d579b2a6bc90e8aa4689

SHA1
92c7f5054013c50144f508e27a638b8d507bd171

SHA256
f859c62a093f5f492958953e30ba2d9550f761b104e55c89b1539c3da02a5ca9

SHA512
aafc07f495960f5cb0f940147283dce4c9106af8bdf3e7cb3f6ab7646f79f8ffe6b985561eddd8b2fc23739c9a4dfcf4ed84e2203c1222aaa7b8d1990c36aac3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\INetHistory\BackgroundTransferApiGroup\dNtXGgv5YCYPw4JlniSn2jDOROVooXQ7sOWyCZRm3jGO9EkUMUrV65NyvJrxRM8zQZTDb9.exe
Filesize
1.2MB

MD5
3981b024bc1d4ed6ba408d81424a1e99

SHA1
f0861c4ab67eee68c7bcb8f71c88db5364388943

SHA256
db8fa03fbdfa0904eb6a92c5220dea5757d699ef9a247c97ba25c9f2b91ff1af

SHA512
fa6688ea8dc80b771a937fbe9841743ae9ce14c9aaea92e05694d705c42fff4ea470a56a66da8e08b5bfde2b4dc4727bbe33db706b5d7d89d77aaf919cfb480a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\LocalState\0sbi8GQ3Ovy2vudHJFlk6v9WyGZAVf8AaGam07O8D4OY4p4tKGZfEbmtTo6qlOIS9.exe
Filesize
1.0MB

MD5
6344dedfc14342b9d6948c4b3d1f8a9f

SHA1
cb49bffac896ab7fc5cc86567d2867472fc72dbc

SHA256
ff9af2ed10c76cc6b173b88987b9369288c68523ed6d65e72704b6f09c9b2677

SHA512
4b0f397671c61b569a4e5f76f8cfe5d5b254609918e336e4aee408554b57b3e8af4233dee530a77201b44c947093a7d64cf85122e3d941476cb8654b6d3b024b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\hJ13Rxlz0hIPBVtPiLBAHbUvWeoCut.exe
Filesize
1.1MB

MD5
f164a046317f030ed805e06e583e4bb2

SHA1
02818a0990a8e57233cf0e595dcdd0b5b965ce76

SHA256
456eb8471ffd281253d4d8b4cd0ff8d95844936c31d18707e35060de81e842e4

SHA512
2575cef9c3ef703db97d8bc8ce948610625ac5c42bb947ae95574f89096a63ca2459c716024563f6f0362f094ce1a561ab2eddb99a9f69c2fd9620ab5cfbbd31

Download Submit
memory/3848-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3848-148-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3848-135-0x0000000000000000-mapping.dmp

Download
memory/3852-146-0x0000000000000000-mapping.dmp

Download
memory/3852-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4872-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4872-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads