c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Size

672KB
MD5

fa2c4c22089e8d276090e32e6343b32b
SHA1

aaeb98404f858b52f615243cc1f9f63df0510566
SHA256

c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5
SHA512

7f617e01deedf66ccda9a8f424f41b39b8f62ae5ce016fce85768ba9536c87f35211b6622d8d87a619fbebbbedf2a73790795ba831473da65fe9ec163629bc4b
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

description pid process target process

PID 1932 created 580 1932 2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd svchost.exe

description	pid	process	target process
PID 1932 created 580	1932	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\ja-JP\\e4bOPNP87AkBwvhA0P3myPctdZ26xcM6SwPNDzVG2Ito3si4FkYqyJXjIZN1EFFkGz8gd.exe\" O"	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\21\\IFQpdM1VxZswbOWwqAqsZgcfnrzcp25c06UvEFc4r9MLpiI7gwr6Z.exe\" O"	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\iVU9Ej3WsDknwSIqyzCPdss6jzw.exe\" O"	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Color\\s1NT9VZ6g6vJjQ.exe\" O"	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe

Executes dropped EXE 2 IoCs

Processes:

2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

pid	process
1932	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
1056	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

Loads dropped DLL 3 IoCs

Processes:

gpscript.exe2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

pid process

1164 gpscript.exe
1164 gpscript.exe
1932 2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1164	gpscript.exe
1164	gpscript.exe
1932	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

Modifies data under HKEY_USERS 59 IoCs

Processes:

c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmdgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\2gLWACQUBfBrorQ7SV0M0HJjFnX423HM0Mif6wAh9mtW74cf7.exe\" O"	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\NetFramework\\fRnIvIdbGQGZlR7513dwWAalnoYS3rp3ykeyYJmgZ93ITanVkLNimAiDLy.exe\" O 2>NUL"	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\25\\nj6WJ6KV2lgAucomia9IQMD0dZFYGpMgi7vWzZBBxE5kmD0ymu3aF.exe\" O"	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\Feeds for United States~\\JMmR8HpTBnBPzcFaGQ20ufJxyi1.exe\" O"	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\host\\6TP5fCHPvvK0ttcBXa5.exe\" O"	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Low\\JaqXtlu1F0Wlbe1tBcVcqPfB5UQDgWuF7dyHw1EIwNFU.exe\" O 2>NUL"	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateRevocation\\SoBnPNbMeq1uFgEcI4G9Ri0EtpbLF0H1GRrUAfrGGBZZkPKhTghkU4Fyo5GEkGvc2K.exe\" O"	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\PlayReady\\NNUdyw461afoNwTUlHm4tuWewPEv7DH8.exe\" O 2>NUL"	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000005cb3d8eb00d901	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\USER\S-1-5-19	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Caches\\Hk67nXI2umSbZ95N5wO.exe\" O 2>NUL"	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-20	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Nl5EfUJ7vR7DNZ3WcuqkmcUSpSwEPO2diK.exe\" O"	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\prrBZL6PHU8K93JEXedDRJ2ToNgud31Y.exe\" O 2>NUL"	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\packages\\CY9z6SbEyK9VdanLdSEDFsyn7IOK.exe\" O 2>NUL"	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\CVBy2HjR4TPTMvE4sA08D7b5UyznzLnVavzJS.exe\" O"	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\FontLookupTableCache\\Kbsst0wyu.exe\" O 2>NUL"	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\9g2u8VjJqLRptpj07OHlyVWq1CWWTqFCTJtzPctS7povPqSDBDFBFsA699EWi3Wg.exe\" O"	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\E1pGURnp.exe\" O"	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Low\\OTxtIB1wTQCyiqKS.exe\" O 2>NUL"	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Platform Notifications\\ix42dMs4fr7To2lp.exe\" O 2>NUL"	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a0cf84e4eb00d901	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

Modifies registry class 12 IoCs

Processes:

c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows Sidebar\\KOS5BaJA0BPk9dnxOshGzKD4bu7uPh53OAoCX8qXMWMMPoz00sPqVNNWbpSXXNxq.exe\" O"	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\xAyo1qjpEElvFYgVHWkEAT4AVuT9bnYiYw.exe\" O 2>NUL"	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Command Processor	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

pid	process
1056	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
1056	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exeAUDIODG.EXE2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

description	pid	process
Token: SeBackupPrivilege	1880	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Token: SeRestorePrivilege	1880	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Token: SeShutdownPrivilege	1880	c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
Token: 33	2024	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2024	AUDIODG.EXE
Token: 33	2024	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2024	AUDIODG.EXE
Token: SeDebugPrivilege	1932	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Token: SeRestorePrivilege	1932	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Token: SeDebugPrivilege	1056	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Token: SeRestorePrivilege	1056	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exe2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

description	pid	process	target process
PID 1164 wrote to memory of 1932	1164	gpscript.exe	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
PID 1164 wrote to memory of 1932	1164	gpscript.exe	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
PID 1164 wrote to memory of 1932	1164	gpscript.exe	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
PID 1932 wrote to memory of 1056	1932	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
PID 1932 wrote to memory of 1056	1932	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
PID 1932 wrote to memory of 1056	1932	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd	2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd

C:\Users\Admin\AppData\Local\Temp\c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
"C:\Users\Admin\AppData\Local\Temp\c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:580

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8by27av1.Admin\2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
"C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8by27av1.Admin\2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1068

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8by27av1.Admin\2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
"C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8by27av1.Admin\2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\e4bOPNP87AkBwvhA0P3myPctdZ26xcM6SwPNDzVG2Ito3si4FkYqyJXjIZN1EFFkGz8gd.exe
Filesize
802KB

MD5
b75d6526df9a38c88fe4360d5dff2183

SHA1
ebf17bf143b1c94bf6c5f52d3c92e8bbf7670651

SHA256
80eb88eb5845b53c2939d087a6044558716947f210bf2909da3d5440170ecac7

SHA512
f8736ee342bd3b34eaa3d52f64ae130fa23649cef6aa4ce0bbdecc1593db209ca468028f7ebac569d9078280de18605cc25050303e0b1fbf20d11f8b0fb60db6

Download Submit
C:\ProgramData\Package Cache\CVBy2HjR4TPTMvE4sA08D7b5UyznzLnVavzJS.exe
Filesize
1.1MB

MD5
a9372446838b63f5a9f6fdea814468f8

SHA1
0b0ebadc8d1fe53ebe70ff2258e3ddf9397eb69f

SHA256
7726107292399d6b05874745485d89d70ba6b4c2ad67920d531e4557f55a0f44

SHA512
16542a87e7afe782993db5d446753dab087717c40b04b2f432cf7576ace2896465389c8a6cef19a5689770ecbc31c67137912da0347294122df9f7d29dfc5787

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\CY9z6SbEyK9VdanLdSEDFsyn7IOK.exe
Filesize
1.3MB

MD5
3c70f0dcef2cb62262159430f95ca3b5

SHA1
a21b571e3616bb705c3b1e5463d6c89292b35f06

SHA256
119068dbaefe216a0bfeccd16e8fd427bf4bb4e970d6a518467c539c402dcac8

SHA512
2570ba40041069c8aeaecc4a921f4bceeec0c2615970d597657481860e6c1403139ec1ecf1a2dd8e5971b636d942f1f769b3291a20973ec90e57462e4b2440ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\jkpPpT3PrYPsUkTqlXwn32RkovpwkbYPdgMMdVFtCkD0kCjsG5LoYUoRxpkAvjzMEPYEu.exe
Filesize
1.7MB

MD5
0d67da1b0792ed2a0a863e6d27216969

SHA1
f571638d3dc83a0e34eeb0bdd4d755b99cd57a42

SHA256
485f924d062fc894e4305692cddc4379e8c1558e8d4e4478ef1e1d1a22adebf7

SHA512
32b44597c54dc383b6d74ee785ddac708d15f85ec3341f6c7b3644a5dfa2f3106873d27f35cdb88e314220d8a94bc9e7a013bb825510a58b2984ba061104f9c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\ix42dMs4fr7To2lp.exe
Filesize
827KB

MD5
66b741b06cdf13401e53749ee3bc093e

SHA1
d4225425cb46f7b6a40cc2b44d86a085a0407270

SHA256
b92d0d5bb9b97b3bb5d479f93dcd881e3a8bf99a13762c6b1375ffe5abbfab9a

SHA512
1e779a5a5ef6527df63032868fbb0936e3de3c5940f904eedcae5c73a37a90467aaafb30f1154b61c4622f8aaf13423a11236df91dd18e8f073de6815590e9dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\xUoHycIeYHkFbSDHlwFJD5hV1dE52EwIXzxXnn.exe
Filesize
835KB

MD5
e0d27eed6304deff193c61c1ba3bf2e7

SHA1
e03300dd2dab999e2e87e53d3f7d76aa7f974f00

SHA256
6a9a92b7064f2c2593b2ba8018e58723e7b9b44a6a55cdadbe09b346deb6cbe1

SHA512
479e7243cf3e5e69ca7989af11c78778266bad2ddf1a064d8ab00d91f72ae0d5343294aafc234be43a35ded227bbeacae712274b6ea95cd1b82bbbd42195bc8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\JMmR8HpTBnBPzcFaGQ20ufJxyi1.exe
Filesize
799KB

MD5
e8264a077526022e2907411fbe8b6eb9

SHA1
1c5887ac7932f2f79b701a4f3ecd9c259459caaa

SHA256
ee86adf1fa1ff71c3a126a3080e8802bfcd38a4a59af4224d8b6ca21b46e3993

SHA512
1928cad3205feab13b8bf9c56c631371dae8203d32df41ca2ee688adf249d3a0e389fd895451c6886bfbc3790df1c96716029544dd2cb50b6e17566cddb2eed0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8by27av1.Admin\2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Filesize
1.3MB

MD5
2f7dd8f81c5e1339cd125b7831f2a2be

SHA1
7eb7c841aadc2acb13e97276bdb5af1c17217455

SHA256
5ccd9b1928c0db62f2a723de4774e9b99d8ab2f2e6a5ce00cff183adede4107e

SHA512
e2df4459848c67e96bdb0614adbd32284f1d0089820b4d0a64da8cf9ffc66a97d93d5aac8868035dcc883ab70bf41cfe55415da82c72559dea9de7bb173492da

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8by27av1.Admin\2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Filesize
1.3MB

MD5
2f7dd8f81c5e1339cd125b7831f2a2be

SHA1
7eb7c841aadc2acb13e97276bdb5af1c17217455

SHA256
5ccd9b1928c0db62f2a723de4774e9b99d8ab2f2e6a5ce00cff183adede4107e

SHA512
e2df4459848c67e96bdb0614adbd32284f1d0089820b4d0a64da8cf9ffc66a97d93d5aac8868035dcc883ab70bf41cfe55415da82c72559dea9de7bb173492da

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8by27av1.Admin\2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Filesize
1.3MB

MD5
2f7dd8f81c5e1339cd125b7831f2a2be

SHA1
7eb7c841aadc2acb13e97276bdb5af1c17217455

SHA256
5ccd9b1928c0db62f2a723de4774e9b99d8ab2f2e6a5ce00cff183adede4107e

SHA512
e2df4459848c67e96bdb0614adbd32284f1d0089820b4d0a64da8cf9ffc66a97d93d5aac8868035dcc883ab70bf41cfe55415da82c72559dea9de7bb173492da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\OTxtIB1wTQCyiqKS.exe
Filesize
1.1MB

MD5
11a0d77cff5ac1a5dae68d08a2621d07

SHA1
a9de425b83aa2e0db54e7d1cc0f11b483d9b0559

SHA256
5defdc736fa3c8246c91f49e7e5cee1c68f567e1c0222aa36cbb47930d960ccb

SHA512
8234530bc6be18ab1c2873a293629582cb5fc4653f4a7aa6cbd9d385dd2fb6a60be6db3ddb63f28fccc4f6a57a5d7eac8fb09466bad0f5b272b0b949f286c056

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Nl5EfUJ7vR7DNZ3WcuqkmcUSpSwEPO2diK.exe
Filesize
849KB

MD5
fa6ee18519b598ae66565e50fb4bf53a

SHA1
1764b8bc6d159432088d4200772d7189fdc603d7

SHA256
71b65bfc5d02a511be3340445b5eb23a26d287c01ed80f9c79c86a2169ea6592

SHA512
f59226b8580952c2fb44e355e91c4c6fc497da816bcf4a49ed18f36fd052b8dab4929021e2e72279c28c44fbe175785980a5ccf8e74fb9af1afc5f169fbc9e65

Download Submit
C:\Users\Public\Libraries\6BJfCpm7oaTV70cmqsYaP.bat
Filesize
2.4MB

MD5
50b434c4aa3a7015d099309fc2d814ef

SHA1
a5b3cb357f76a4fc6827366069d6c9ffd76ac6ed

SHA256
a86f409057c374437e800956ccc4e5ded3333111082dc58ca3c3cf5727fdbe02

SHA512
ec868c5a30ab691320a0855ec684a96bcc1bc3b8ae88af2c61d5a0a971bef9ecd4b02c8821e87c8753e177e6065979b2d2bdfc770a190361d78d54c065e4525a

Download Submit
\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8by27av1.Admin\2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Filesize
1.3MB

MD5
2f7dd8f81c5e1339cd125b7831f2a2be

SHA1
7eb7c841aadc2acb13e97276bdb5af1c17217455

SHA256
5ccd9b1928c0db62f2a723de4774e9b99d8ab2f2e6a5ce00cff183adede4107e

SHA512
e2df4459848c67e96bdb0614adbd32284f1d0089820b4d0a64da8cf9ffc66a97d93d5aac8868035dcc883ab70bf41cfe55415da82c72559dea9de7bb173492da

Download Submit
\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8by27av1.Admin\2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Filesize
1.3MB

MD5
2f7dd8f81c5e1339cd125b7831f2a2be

SHA1
7eb7c841aadc2acb13e97276bdb5af1c17217455

SHA256
5ccd9b1928c0db62f2a723de4774e9b99d8ab2f2e6a5ce00cff183adede4107e

SHA512
e2df4459848c67e96bdb0614adbd32284f1d0089820b4d0a64da8cf9ffc66a97d93d5aac8868035dcc883ab70bf41cfe55415da82c72559dea9de7bb173492da

Download Submit
\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8by27av1.Admin\2r5WBiEidSDLxorSkHUVpzh2yOgESKYmGbbyHVg6iCWlxUjH3UYDVgX9JbALNSRRu.cmd
Filesize
1.3MB

MD5
2f7dd8f81c5e1339cd125b7831f2a2be

SHA1
7eb7c841aadc2acb13e97276bdb5af1c17217455

SHA256
5ccd9b1928c0db62f2a723de4774e9b99d8ab2f2e6a5ce00cff183adede4107e

SHA512
e2df4459848c67e96bdb0614adbd32284f1d0089820b4d0a64da8cf9ffc66a97d93d5aac8868035dcc883ab70bf41cfe55415da82c72559dea9de7bb173492da

Download Submit
memory/1056-84-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1056-81-0x0000000000000000-mapping.dmp

Download
memory/1056-87-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1116-56-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/1164-77-0x0000000000D30000-0x0000000000D5D000-memory.dmp

Filesize
180KB

Download
memory/1164-78-0x0000000000D30000-0x0000000000D5D000-memory.dmp

Filesize
180KB

Download
memory/1164-66-0x0000000000D30000-0x0000000000D5D000-memory.dmp

Filesize
180KB

Download
memory/1164-65-0x0000000000D30000-0x0000000000D5D000-memory.dmp

Filesize
180KB

Download
memory/1880-57-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1880-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1880-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1932-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1932-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1932-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1932-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads