ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2

Analysis

max time kernel
178s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Size

625KB
MD5

75758ea1bddf91e249edf6387adbd794
SHA1

06c1256c9d5f8305a8b34580a4963b4fdf86377c
SHA256

ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2
SHA512

f53a9f02a46c73fb3d775e8fb73ae135097849e95448100cd87fbfeda91a4f8409231f8ee096512eedf3a6e49ed212b1a29eb493cd487b508fc20ff6d7acce1e
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pK9Rw5RkZXcU7vKHmVjoCw.cmded80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\ml-IN\\kY4PmLhb59CL9wkz4H3NeNFrRofP9d3RApIL.exe\" O"	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\Ci1TpohuC7GQXQgnRkRzXOXppq81VC1gbl1iHKkrn6DG4Xob9pAH6Sj7LA21ei8UO3Dp.exe\" O"	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\sr-Cyrl-ME\\VdbqSW9gIU7fSAuqbVStkRNjEv8ZsQaPsFRxYK0i49SwhjNdsOWdBbgVrFGFtax6NE2wlvA.exe\" O"	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\smKm8Xe5uMr56KIK6YLdkPsvzLStHTpa00.exe\" O"	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pK9Rw5RkZXcU7vKHmVjoCw.cmd

Executes dropped EXE 1 IoCs

Processes:

pK9Rw5RkZXcU7vKHmVjoCw.cmd

pid process

3428 pK9Rw5RkZXcU7vKHmVjoCw.cmd

pid	process
3428	pK9Rw5RkZXcU7vKHmVjoCw.cmd

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pK9Rw5RkZXcU7vKHmVjoCw.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	pK9Rw5RkZXcU7vKHmVjoCw.cmd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

pK9Rw5RkZXcU7vKHmVjoCw.cmded80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exeLogonUI.exegpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\th\\nuuD3hCpU1dLPQWjm0l.exe\" O"	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "169"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\15Eo8SC0QJ7CiocKweYvTLjp3XE5wCCFBZxaVL7sUWbuXHd0BrQaTOb7p.exe\" O 2>NUL"	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\\Settings\\CaH0DD3Pz3sxH3AcHevFdyoTjbi4g0cGfzhXOei6y.exe\" O"	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\LM7cuZMCs2SqNWwi2CpeneZ1hdaEe.exe\" O 2>NUL"	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Subresource Filter\\Unindexed Rules\\37y1jPGn12Z82X4ent1MokSZCqICNtFawm.exe\" O 2>NUL"	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\de-DE\\TQeSuRKDSLY3olJ0Ef5scKcxK5FyA.exe\" O"	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Key created	\REGISTRY\USER\.DEFAULT	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\lfQ8ciOgeJ4E6qnMkznhUEWV0Kd8viGOgdrclSnMTblAyRxgM.exe\" O"	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\tn-ZA\\qU2aTfZOexDywY077DwuF4d7JLFqLs078JBAe4lv70rianT3Ocsx.exe\" O"	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\46\\wNTwT3QqJ4Y6E9IqLmGkkXcWMsKCX0u7ijqGfdE.exe\" O 2>NUL"	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.AsyncTextService_10.0.19041.1023_neutral__8wekyb3d8bbwe\\7Gbc1VzI0301hExRdW6Ro933bdP2wLTFjdYp.exe\" O"	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\TempState\\S1u39ohjD8mlVm4lkISxT4g1GBuGYP3q0IJYQFbbN2QYQCf1om0BHgHxqVv45V41AGHMs.exe\" O 2>NUL"	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\53\\MXFv8dHZW3T9dcJwWPjQZof.exe\" O 2>NUL"	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-20	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState\\EDu35c7E6oSEwQjIJS5wVY1TKp675e2AmU7FwdF6jZqvOErXoPYgH1Kxy1OeisKX2N3SB.exe\" O"	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\a6QR3Tfkck1ySnnhTilCX4X2AhD4VCyRYBdbk8enURkZ6JthfJuzXzisv7KGELZ563mMkeb.exe\" O"	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TempState\\pIJeKRQYSw8SpPZCF2WGVVmwWHuKL4WuawjLJ0qRAj1UHYjHprvN12Q2kou6SY.exe\" O 2>NUL"	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pK9Rw5RkZXcU7vKHmVjoCw.cmd

Modifies registry class 10 IoCs

Processes:

ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\zf5g3gCp3r47Y9.exe\" O 2>NUL"	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Command Processor	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\sTZZZk1BCLPWN3SGIilbUeFT0IXgxXVwpA43OuyyJP3VFKdeL4k5Q9KQViv0LmhDnUxHg.exe\" O"	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exepK9Rw5RkZXcU7vKHmVjoCw.cmd

description	pid	process
Token: SeBackupPrivilege	4852	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Token: SeRestorePrivilege	4852	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Token: SeShutdownPrivilege	4852	ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
Token: SeDebugPrivilege	3428	pK9Rw5RkZXcU7vKHmVjoCw.cmd
Token: SeRestorePrivilege	3428	pK9Rw5RkZXcU7vKHmVjoCw.cmd

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2632 LogonUI.exe

pid	process
2632	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 3932 wrote to memory of 3428	3932	gpscript.exe	pK9Rw5RkZXcU7vKHmVjoCw.cmd
PID 3932 wrote to memory of 3428	3932	gpscript.exe	pK9Rw5RkZXcU7vKHmVjoCw.cmd

C:\Users\Admin\AppData\Local\Temp\ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
"C:\Users\Admin\AppData\Local\Temp\ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ed855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Microsoft\input\fr-FR\pK9Rw5RkZXcU7vKHmVjoCw.cmd
"C:\Users\Admin\AppData\Local\Microsoft\input\fr-FR\pK9Rw5RkZXcU7vKHmVjoCw.cmd" 1
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\15Eo8SC0QJ7CiocKweYvTLjp3XE5wCCFBZxaVL7sUWbuXHd0BrQaTOb7p.exe
Filesize
1.1MB

MD5
96405a28c9c30c72de48f11ff6dc1537

SHA1
55e8a80ae5e67da75aee8782d7c20cd467db6ab2

SHA256
b85eb6c28047375003dd34c06496f57ffb184396cd987d168a306204dea8ba05

SHA512
ae555e28c51d4a9f7780a85b22592372a35e5e0b038fb436cbda6f9e2c7b68a38d00d1b072d92f358eeba433e2ac5b0407b04f33b2896701b31c9f61e2752ee7

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\wNTwT3QqJ4Y6E9IqLmGkkXcWMsKCX0u7ijqGfdE.exe
Filesize
1.1MB

MD5
eaf93017908968d92ddf4d3c1b63fa5c

SHA1
5045a0dec63c77b601262d80fa73ef263a3944ee

SHA256
fd96644f89140a0ebf3d0060e6ef01476fd5d0f2274af17c9258a8cfdf3f3c86

SHA512
2fcb1b78b2f3db5158c97a1e0701f007119691d0524e996fdb7e1232562fa0e82ccc8597daf8db2fc9c63f6347db3bb425b0da41f381afb85f785cc41f8752d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\kk\Izz3owLtlLGZSY61ZhxLlUoV1YbEQ4WBY3KkzolG771iNDvZviEtSPKpgVcJ4LnJ5KBV.exe
Filesize
736KB

MD5
1f5e46906d7ba300b6dc318392879cd1

SHA1
f8ff04d59198233cc0f70125ed66a95da48f04c7

SHA256
1f7eef7ecc18a9847bcfe555fa569b016d11f1c8df775dcdd8a07a9c519d3884

SHA512
5a14a5c0b4dd7c69fe3bf42b5900dd531ba973499bea2a87bb03829da9d9017564cb2597028e4efe1a7635d6cebffe08d655a21aa6422a6b6c609afaa3f3d9b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tn-ZA\qU2aTfZOexDywY077DwuF4d7JLFqLs078JBAe4lv70rianT3Ocsx.exe
Filesize
778KB

MD5
8307e6e04db2b1c19f5cdb68d4a26f93

SHA1
5a8d9e901ead392a3858ec9b84af330128d5b3d4

SHA256
d7f0aab599ee5b6caf3d3e7e5cdab2247c2ebdd9fcbfe1ae37c795eb0da5a776

SHA512
42b9afe41fde346f1218c24ccd2e9757e7f04f30e9edf2332c1adc0f2f2c811b0bbe4e5001eb4336fe53cf39a4cd75106243781ad49f6510b9b2b8a03d5c9b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\es-419\8t2JJzMBwgbbZZ352lYZECqKrxhiThZHmFjP8Uqe6tWAgqTajqBZcXpAaOLYotN51.exe
Filesize
732KB

MD5
67a468bc5a274067bf99af5b481dcce7

SHA1
088fd7569406baea50324eff37373d58430b081a

SHA256
9893397326567fe5a8ae94a57b90bff80215713a0d773c085db6f3713aec8d90

SHA512
b0d1eaf8a417391b2b1ec4e328a0635dea6e849f8701b017990fa027376b3d5673d80a92382be7e154a229f0b027c48fa37c159c48e10c2ee55c57661f9fada4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\fr-FR\pK9Rw5RkZXcU7vKHmVjoCw.cmd
Filesize
635KB

MD5
299d337f1255db838026e908f881032e

SHA1
9fa3df3ff1bab6b132157a2035f4a073f61f373f

SHA256
e36252404e82ed2c8931c8d9cee92a25663c4a2294c0d4fbe78006b742312e33

SHA512
5c28b282c5107ea4556635cecb5ae5ccb00adabe6a3a9ad69afc16371ece41700577475b2287aed366110534231b7c8ffb139126b5c676315cb08023a5c642c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\fr-FR\pK9Rw5RkZXcU7vKHmVjoCw.cmd
Filesize
635KB

MD5
299d337f1255db838026e908f881032e

SHA1
9fa3df3ff1bab6b132157a2035f4a073f61f373f

SHA256
e36252404e82ed2c8931c8d9cee92a25663c4a2294c0d4fbe78006b742312e33

SHA512
5c28b282c5107ea4556635cecb5ae5ccb00adabe6a3a9ad69afc16371ece41700577475b2287aed366110534231b7c8ffb139126b5c676315cb08023a5c642c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\sr-Cyrl-ME\VdbqSW9gIU7fSAuqbVStkRNjEv8ZsQaPsFRxYK0i49SwhjNdsOWdBbgVrFGFtax6NE2wlvA.exe
Filesize
837KB

MD5
d863091c27556d1e5eb7db68239dbc56

SHA1
f6392d99ff72ff8a06fa5f5735425a16758175eb

SHA256
5831f834506bd0f5e87c5680f5152ed7b60654d20ff204d6d9f0ac17f4e4e5b6

SHA512
9917e7a3dda2f4f9698501f340f38550591897d4e1d1b1920b2a0b2c8bda3403c046515eba5063ecac00eb93588116d6c629b67d9cbfb341ca6afe1008aa4a55

Download Submit
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\CaH0DD3Pz3sxH3AcHevFdyoTjbi4g0cGfzhXOei6y.exe
Filesize
800KB

MD5
cb43300f9ea4cb208f87caa2e49795b8

SHA1
2ab781fe5d3e56b96378ac69b88ccaf0bc3ff05d

SHA256
ab007a4dff91061261afb42ce9a77d1348b421115bf663ea52b1a68511e6c6ed

SHA512
26d85035e9c5c990442ba30d7672eb63f48e233d84f72e6243bd5a10d1efc6241aeae575dc6fabf5b3aab8a16bfbe69df2f558eb6c883aca13a4f47fa87175e5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\lfQ8ciOgeJ4E6qnMkznhUEWV0Kd8viGOgdrclSnMTblAyRxgM.exe
Filesize
1.2MB

MD5
68af0baff8d86be6c4ea0a5affb7fa0a

SHA1
942e3dfd806d6bc5afe9fa0d7486ce464eeea9f2

SHA256
c71ab2f5443224c45e9dae6704e4490ef0d1ab040dcf81491d3f2272f9e096ac

SHA512
e739ee30076172974e21660413a72cb5fe226f23ceaa5eb1a26fec6f866163a477ef28560700e10fe409e5671195588d8d49af96f559885b49a4d0c148e40c77

Download Submit
memory/3428-134-0x0000000000000000-mapping.dmp

Download
memory/3428-141-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3428-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4852-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4852-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download