7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29

Analysis

max time kernel
81s
max time network
69s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Size

1.3MB
MD5

853888867984a10d241447ffb5b8c27d
SHA1

46638014aba3ae55304fcb29c098500dd8285d51
SHA256

7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29
SHA512

241dc49283514f3980a916a90d80c07d0a3412587164b34aef1c342f54c57627ef0b979c9b73b7e19bc8c97d57c3d9bce6450ab750f1f206d206cad86a4d990d
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

description pid process target process

PID 1364 created 580 1364 jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat svchost.exe

description	pid	process	target process
PID 1364 created 580	1364	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\cnZ5uyyLgVzvNtRcJ53KS3Vjz.exe\" O"	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\VZKvOCokiqlw25jAXXudY7GWluAR6KAaWDKrh3agc2XFOOsMfDTaYJw394VpD95sjFTTU.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\TKFzRzjbvbe5kJGt3AVWcKk4tmKImSn6anyiGqG07gXxNeZShHuByYn6QBks.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\45\\wtrffUXeBC5uo1xk6ycuYLtvm7okmNPUJLvihjwtSUbvwlBEiEC2ABQJcVjHdbWcmb4CW.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe

Executes dropped EXE 2 IoCs

Processes:

jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.batjRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

pid process

1364 jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
1096 jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

pid	process
1364	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
1096	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.batjRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

Drops startup file 1 IoCs

Processes:

jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mZATYvVXq7hYz.cmd	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

Loads dropped DLL 3 IoCs

Processes:

gpscript.exejRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

pid process

1528 gpscript.exe
1528 gpscript.exe
1364 jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1528	gpscript.exe
1528	gpscript.exe
1364	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

Modifies data under HKEY_USERS 63 IoCs

Processes:

jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exegpscript.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000000068d041eb00d901	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000e0640242eb00d901	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000c0826d42eb00d901	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\.DEFAULT	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\\packages\\ihw7zRX6E9BEPhHKzV7FfxH9aF6VVtEgyOzBgmRtNILu7fI0.exe\" O 2>NUL"	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\8OHlcGf9jp.exe\" O 2>NUL"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\ExmQqYU9eTDe08VC1u8X32eidplniJkrpSITdw7Y2uF8l912.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\xvokO0Pe5xzbfKGrBP2Ovp8egaz2zmwdnMvNNe5CnhG8IPDR1dDCgQu.exe\" O"	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\Code Cache\\wjtD9Ep2TZQF.exe\" O"	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\wiFgFy1juZQzAm7bhlkcunKsUAMTJbVkD5pxkBX8OaXHpKzi.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\61\\iBHK0pzho9TWpWsakylsQkmu6TM3RCF9i4Cx6Cp28ZDxKjRhQFUsYjcAfQrW.exe\" O 2>NUL"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000000095313beb00d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\DqxOwybtqAeLvrqXEUh1qMYxxWjS2E8RQW2x6Ldgkn8M9OPxK9NhgRtdoBGjZtBuKk3cJ.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Color\\Profiles\\a97GXbaHRU8HCY35FDvUE3FULtZfwj.exe\" O 2>NUL"	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\RAC\\StateData\\o1OWJDSJ3boRpLdDVMWj6e1twGqLzaj3wxTZu0qY5fgx7LG4wpJpvUsF8eW6WC5boWp7.exe\" O"	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Site Characteristics Database\\Nc7jMXongSf7nEO1fi32oKad9mceCgAJnHj8PFCYItuDv7xVmxJP8.exe\" O 2>NUL"	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\iGnO4Uk4WgeoaELf.exe\" O 2>NUL"	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\3IVERYrMXDJHHCGYAXE2Mz7nH2Ms45cInI0ij7HvDUjjXQlvI7oiq4V.exe\" O 2>NUL"	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000000bbe93eeb00d901	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\WRZXZATJ\\ePmj50QnC1C3snzkbOqPMoZlRbYDqq0fo4gNbGt9Y9D6bONeaIvNUwfCrOOe.exe\" O"	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\au9ni2dm.default-release\\thumbnails\\8K4dmTVnNvkzPJqCC8Pd9G5pG3.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\AD72ZhnH7LtqELYr0I25RiTrLqXtjBj4LcYdpgNK5R15fWwdHVWp7gPYKP6WNS.exe\" O 2>NUL"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\31\\FiHgxE0H4yn1x1hBdx.exe\" O"	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\yvha2ndHgvfTeWVQIFEYDeoK9RoEb13URZOBbJQZ5a43KBe.exe\" O 2>NUL"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe

Modifies registry class 12 IoCs

Processes:

7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\SOFTWARE\Microsoft\Command Processor	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\\lT9SEPTg3jFlCfgtB3BPva5zxBTTS3mKSYLE5b2B8ujARBcwnW.exe\" O 2>NUL"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\LviGLY8ojMgEPDJ74MJg3kBGiiQU.exe\" O"	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

pid process

1096 jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
1096 jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

pid	process
1096	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
1096	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exeAUDIODG.EXEjRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.batjRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

description	pid	process
Token: SeBackupPrivilege	1192	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Token: SeRestorePrivilege	1192	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Token: SeShutdownPrivilege	1192	7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
Token: 33	852	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	852	AUDIODG.EXE
Token: 33	852	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	852	AUDIODG.EXE
Token: SeDebugPrivilege	1364	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Token: SeRestorePrivilege	1364	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Token: SeDebugPrivilege	1096	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Token: SeRestorePrivilege	1096	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exejRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

description	pid	process	target process
PID 1528 wrote to memory of 1364	1528	gpscript.exe	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
PID 1528 wrote to memory of 1364	1528	gpscript.exe	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
PID 1528 wrote to memory of 1364	1528	gpscript.exe	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
PID 1364 wrote to memory of 1096	1364	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
PID 1364 wrote to memory of 1096	1364	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
PID 1364 wrote to memory of 1096	1364	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat	jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:580

C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
"C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Users\Admin\AppData\Local\Temp\7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe
"C:\Users\Admin\AppData\Local\Temp\7fb73d0b2a2e046bbfd758d61d21021e1224e00e67e20283ab9d1485f8772f29.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x144
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:816

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
"C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\AD72ZhnH7LtqELYr0I25RiTrLqXtjBj4LcYdpgNK5R15fWwdHVWp7gPYKP6WNS.exe
Filesize
1.3MB

MD5
0f1b4981c0c7e9ecb6dfa57e5a9f5d04

SHA1
a5260bf0255244247e638fed1b04b50c710fd83d

SHA256
a74340288b7dfbf112c60a0929d44418f20306a85cbce68a1266a0b2a5c320e4

SHA512
9c65969068f3b44984ffe71f7ae883648afd94d36c33c06c44b753a1331413e34d47c3126ed1ed25ce3da2f72b21ed11e9bb50ce967a5c27f66d1335ecd420ef

Download Submit
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\TKFzRzjbvbe5kJGt3AVWcKk4tmKImSn6anyiGqG07gXxNeZShHuByYn6QBks.exe
Filesize
2.5MB

MD5
6eb3f2750081b933429e3321e7574df0

SHA1
4f70785e7e910f31f20dde561c20da8ecbf8580e

SHA256
ba3b4cc2ae9aefcbd5818f2f2cad1e1652b9e2b10162dbfd7150ff6024db4c44

SHA512
f0c5e4fc3d3a9671a0c35b18cee9fe59e60f9dacdeda4041817048b3c8aa7124787ec024a27d1cc705eec7c9f3b327cb90095328022a81e02b42d5bdb33cdb9f

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\1VHeRMmx2mWg47RBzEb.bat
Filesize
3.7MB

MD5
5edf3e201185a925057a3b3c95f9a64c

SHA1
d82bd4f5598639209218b067cc048c35780b571d

SHA256
51e9700ce13540b7cd033f4810861516e3c672f313e0a6a350188bb8bcd09f12

SHA512
51f20f7a5050b1cbf40fabef0472ba370ea57ee3a5b83f203b2faa3cc012bb9ee467576c105b613024ea9c344fef760bb646ca9c5941b1b28840c6c8850c3c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\iBHK0pzho9TWpWsakylsQkmu6TM3RCF9i4Cx6Cp28ZDxKjRhQFUsYjcAfQrW.exe
Filesize
1.6MB

MD5
2565e2a717ee53b11dfa48f70e8023f4

SHA1
3f3b037ce98c5f13f5f7c2556d66c8551b2c9a18

SHA256
0bec09eef812ac45e3eb00558eb66962858d91e5dfd7fb9bb778db6938a90407

SHA512
91d84488ff21025d495d103c7ef78f790237b8d733c400ca6bf826be5b78a07077000e6066afced412e54b1760a69115beadd58da67fe4c0bb4ca5f5ba54b804

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\wiFgFy1juZQzAm7bhlkcunKsUAMTJbVkD5pxkBX8OaXHpKzi.exe
Filesize
2.5MB

MD5
d2314d9c9d6bfdb69b54df30a05fc483

SHA1
a9a33cbd663c3f5eff24665ef25004e10814163f

SHA256
f86f44130ef85c5b990abff8eaccac4c4f909bd0484bafa7a08b911e7ca7a46a

SHA512
127126577b4a2d26fe67c6adc32b2203f944e6b61115605f9903315811be0e922e2ab894003bfa109d8b40657803490d9873de5377947811dcb55a4103fd0966

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\au9ni2dm.default-release\startupCache\8kmodYQNx91WEhcBPmE9V4PZrLzJsczZ4wz8BYkIOQ0sVdeNq.exe
Filesize
3.4MB

MD5
99964340951e0ef775449d07d4bc09dc

SHA1
3adbc7c5f884efdb8c653c0e5fc2d2180948cf2d

SHA256
3328dda83344594768d93b04bef58071f25c0fc7a4dcfdf035ce750a3665142c

SHA512
9e470901c2d57c2077bed635e7f033ab4a66197ab7db26e463b4cab5aa67cec5bacef03a2649332783c7564e1cdbcf4dcc193be8bde034a94990bd80c1614d8b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\au9ni2dm.default-release\thumbnails\8K4dmTVnNvkzPJqCC8Pd9G5pG3.exe
Filesize
2.4MB

MD5
ffec083b3c2f3e6ac109b934ebd05286

SHA1
30ec1153b357900f38f1baa7c92e638597c8d9b0

SHA256
3fe8979d96f5699b2d29fc7b83806f98b9468ef94babf41980729ba7abf79c7e

SHA512
81fb73c275c5710136bdbdcab3a3cba9b66fb3c1f16be693d2d97aea48e9522d9df5a18a75cbe4b55c764e99a3f3322d2a7e3ea057fcfb9c0e85e83842ae77f0

Download Submit
C:\Users\Admin\AppData\Roaming\Identities\C1wBcBVKr0pZEatDT8C2Rn3MsEHCZmDHI0eBHUiSGC3bJZuE7HK4QnAgC3i4IHEBqNFz.exe
Filesize
1.7MB

MD5
98f67e2637d334aa77ec67da1d47f9b1

SHA1
838a6504b21c13db054efccf463f5375a538c7b5

SHA256
555fc204ccc83df757be2659771a042368076daedf25daf0b4c887f31a40e6ba

SHA512
886e0a6dc696af8d20c4b2c3847721564288be1679946dffea5099634b0f39a9904dbf3f68a7974421964fad134fd52fc7b0bc25024e7999b3856f80fce839de

Download Submit
C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Filesize
2.5MB

MD5
4628092c5cc428f23db20bf2b20ef16a

SHA1
2fccaea1020bbe000d19907716400f340c0bb77d

SHA256
e4482f90c60139fe3d435f09fb6ef29723b300c5c691b0145056bc464eac5fc7

SHA512
77b50c8b1671e1e6d33c1f710e9b4e697a71802887fac22fb541a961ea8595a3d1398c0ddb3ce6c79c6d771be4930f56d76c5ae7e31dbe20bd35dab5c2bb95ba

Download Submit
C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Filesize
2.5MB

MD5
4628092c5cc428f23db20bf2b20ef16a

SHA1
2fccaea1020bbe000d19907716400f340c0bb77d

SHA256
e4482f90c60139fe3d435f09fb6ef29723b300c5c691b0145056bc464eac5fc7

SHA512
77b50c8b1671e1e6d33c1f710e9b4e697a71802887fac22fb541a961ea8595a3d1398c0ddb3ce6c79c6d771be4930f56d76c5ae7e31dbe20bd35dab5c2bb95ba

Download Submit
C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Filesize
2.5MB

MD5
4628092c5cc428f23db20bf2b20ef16a

SHA1
2fccaea1020bbe000d19907716400f340c0bb77d

SHA256
e4482f90c60139fe3d435f09fb6ef29723b300c5c691b0145056bc464eac5fc7

SHA512
77b50c8b1671e1e6d33c1f710e9b4e697a71802887fac22fb541a961ea8595a3d1398c0ddb3ce6c79c6d771be4930f56d76c5ae7e31dbe20bd35dab5c2bb95ba

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\ExmQqYU9eTDe08VC1u8X32eidplniJkrpSITdw7Y2uF8l912.exe
Filesize
2.4MB

MD5
dbb6e2244c5a0edf497ed0e496950d43

SHA1
5b19e7adc247cb51a0056ce88d201c3cc875ecda

SHA256
b669c2c35c8527a5cb04dcc48014fb0ab2d5b9829ae487cb8635100ee3ba698a

SHA512
58fbedc5ba2016e4238dd7301a97cb0809113f0f4802e36ddb1dd66e4c4509c64c703b348310b3ae3f8c23f2fc43856da383a850185de2ecba1c0d77dabd36ec

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\yvha2ndHgvfTeWVQIFEYDeoK9RoEb13URZOBbJQZ5a43KBe.exe
Filesize
2.2MB

MD5
5c2686192487c34ed9d922d96a26c1cd

SHA1
3d2f3d0cc4e7bf711f5d7828ea0c06caac3c405f

SHA256
fc96f45a015c6831db7182bbf4cc9ff6f42002eb3662735992a6df118c1502bc

SHA512
4061200ad387880e18b3f5c8a66e7d661c673c427b8e1ff77e06c4963d3c0e225ba6913edc534491d8d901305dbee23f25612f049ae33b6463359d75cf129d2d

Download Submit
\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Filesize
2.5MB

MD5
4628092c5cc428f23db20bf2b20ef16a

SHA1
2fccaea1020bbe000d19907716400f340c0bb77d

SHA256
e4482f90c60139fe3d435f09fb6ef29723b300c5c691b0145056bc464eac5fc7

SHA512
77b50c8b1671e1e6d33c1f710e9b4e697a71802887fac22fb541a961ea8595a3d1398c0ddb3ce6c79c6d771be4930f56d76c5ae7e31dbe20bd35dab5c2bb95ba

Download Submit
\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Filesize
2.5MB

MD5
4628092c5cc428f23db20bf2b20ef16a

SHA1
2fccaea1020bbe000d19907716400f340c0bb77d

SHA256
e4482f90c60139fe3d435f09fb6ef29723b300c5c691b0145056bc464eac5fc7

SHA512
77b50c8b1671e1e6d33c1f710e9b4e697a71802887fac22fb541a961ea8595a3d1398c0ddb3ce6c79c6d771be4930f56d76c5ae7e31dbe20bd35dab5c2bb95ba

Download Submit
\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer\jRsSyM4jaKR8jKsPGRQpR4hz7ntnfSmOAFImOUffHjvJVBryNcxs.bat
Filesize
2.5MB

MD5
4628092c5cc428f23db20bf2b20ef16a

SHA1
2fccaea1020bbe000d19907716400f340c0bb77d

SHA256
e4482f90c60139fe3d435f09fb6ef29723b300c5c691b0145056bc464eac5fc7

SHA512
77b50c8b1671e1e6d33c1f710e9b4e697a71802887fac22fb541a961ea8595a3d1398c0ddb3ce6c79c6d771be4930f56d76c5ae7e31dbe20bd35dab5c2bb95ba

Download Submit
memory/964-55-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download
memory/1096-86-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1096-85-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1096-80-0x0000000000000000-mapping.dmp

Download
memory/1192-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1192-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1364-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1364-62-0x0000000000000000-mapping.dmp

Download
memory/1364-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1364-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1528-64-0x0000000000F40000-0x0000000000F6D000-memory.dmp

Filesize
180KB

Download
memory/1528-77-0x0000000000F40000-0x0000000000F6D000-memory.dmp

Filesize
180KB

Download
memory/1528-76-0x0000000000F40000-0x0000000000F6D000-memory.dmp

Filesize
180KB

Download
memory/1528-65-0x0000000000F40000-0x0000000000F6D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads