83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Size

876KB
MD5

cdd93f4862198433b63a0d20133b982b
SHA1

b9d6231821ab5d1a53386646c11081ae99f886ac
SHA256

83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc
SHA512

1769b0100d3b2a196819bf57ada35e618954dc7d0eea4c4d4ad2584ae31f2eb8ccacd759a710da4c3ba74508dc0a209ac079cd89e8fd14717c47e6978affed3e
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

description pid process target process

PID 3864 created 672 3864 xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd lsass.exe

description	pid	process	target process
PID 3864 created 672	3864	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd	lsass.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AC\\Temp\\miaYKm4xRW.exe\" O"	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\ko\\vV9il9Wy6epoMjoWKZGOzOS3l0GsmId6kJOjqV7p.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\en-HK\\Fa1kXk6TxzpeUgFf8lB4TnRjRFQRnsTHy5nc6cyZ3.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{1f93d62c-2b1c-4a5a-b6a8-fea0dd42a5c7}\\mfNk8WPsfrmgcBVk6E4rZs9mlQxBrSjtfvLUViJBe0gLZqu.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

Executes dropped EXE 2 IoCs

Processes:

xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmdxECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

pid process

3864 xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
3632 xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

pid	process
3864	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
3632	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmdxECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

Drops startup file 42 IoCs

Processes:

xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\wwS5ILGb2l72TVf6Apgw0U5atCkFf6XcX14LL1.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cAMRCkezmFAEkYkGQwGvjL1Cjx6n2bgWqfLr6sIYHnrvM.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LVDy1Tx4hTshOQPs0QN4etOiOjU6B4QQl8D9S1dNCVfIBlLkfP.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gg106TGwD5tjAM1QE8yySa4Y.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\xwkwd6WewiFg9I8utAHXon7l72.bat	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Ufk7FSmSEEFcV5l0EPeYcx6R3uVg78.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5oNYhcI65jjteDtnbN9WIJfZFkQYvqW7nIsdjgI4lgvIhrAmrSBFCsHdVUHI0AMG8vOz6Lu.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L55xbXdu1XOYnKykpEj0s1eHa0gnWbt56Z54m.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\yu4ikESTvx3uUIRP0a.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\OTTbmesAOtEcYrcPF0N0oHj9ivAq8D5qtcR4pUKCeYc1yshZjpzRZLDDPhqVrV.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\1xxBGdrl7EaAbvjmSXfIJADapi6Ego1XJnBnaphnMObaAxoFmxh1Q85KZJ.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nE0xRhRkf2dSdSNjAqZ3z.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\MUe3HHm9XTnDrktUFwpvyugh91T1j87xGGUKuUOCgqvsVpgLpJ1A.bat	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\G2lCT6vg7.bat	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FzWMFqNLiP2CH0hmGdz3REUAistBjKiE3JpAbF7riW0.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\J4cm34gIi.bat	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\A8ofVyDn.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\EdKGL6NuTw9.bat	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZe3dWNhkn2vVQFP3ZMF3k7uK6bTvD8JETXEBAnTuX901CNZn8DPpCTpsm4lc3Y.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xh9vKfewpuPcgKVRYWZ2IhqXihj5at7KFKzU6u9KjAKfe9vtzueHjIaGkYlGX08hSS9B3.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EAPCHjUMsX7rSTttmZTs6CRAtNLEpIBV3piBg0kFIvkgZzs.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\dKMVlFiGx0UyNercVyVUlNpdM2SZXDNB3.bat	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\u5jdj0jSBqsliihneOICQeEIUpiNB.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mGOiNU5G7PRczf9TOYFh0IflgPK1Y.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FJillYFt03WZwpsFA9DI1gW9fs3gAzLTJQOAephvsgW0YsXFJve0UJjeANF17Q.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KrB3l8uMUDUHECXs.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IQPmNnajQ3uISLqRfIHTWbPPmVmkOtHkfadev3ed5qGzrlC11pptfd3vH1vjrIeC1MVR.bat	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BTBPVkjxjxVRe6jI6MLPQUL6C9Zxx.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\B1cmdyArQkneefySC0dLRXfcTnWlTATazwIazdIGLAEAB.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\k7Mgaos9vLOH.bat	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V1FUo3fJAc5BnSX4O4ZFy8rQZKLkuCZ39wb3YSfXMQK5wWgNt7wDtk285B78h3W54nT5G.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6Cxkr9M4ewTNXePsFFDBmCP4c6Ba0T4IJrj0AE5ML6VYGs3HLvmyitLZpgWiaBB.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\r1w3Wm4biUr7kjIaB12Up5odz.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\bRWkpXLB4G2niHRxsAZfKcY.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HIVTocS7TXzNNxEyuqft3BKBmLfEQyyWQgi4grc7lgmsb2DdAxHq.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\w64vg100CpkdnbXbvkpQ.bat	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V4atpUV66SFdXKThDTL4wTIJ8JXhfhZ9bjyJuPn2N88oVn.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8BDSiWxsB7ETyY1B5vKwglrMniS2jxabcxS1c4sDxQKzHOmK9aHubonjdBVdt0TSobmZX.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QGNMBPCX9eY902EldjxRTj7bY9Hn0tPPI3Ifm6MgrF3.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NcDKaGW8d7RxjagyyaURJzoNpgZMfK3eFEEGIuBekLjNnT7zIR9Gg1L.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\J85XkAvmooThi2JtDYHiCyf3TSfvtZamM8WYVQL4ZkRkLp26VbbXJtb1UTnup2zVnIPzUnS.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fmnGswlMMKWMrgJ7tZqjB9qonY6XpwJXd80YRMbDubt3Xfp.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Drops file in Windows directory 1 IoCs

Processes:

LogonUI.exe

description ioc process

File created C:\Windows\rescache\_merged\2229298842\619956953.pri LogonUI.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\rescache\_merged\2229298842\619956953.pri	LogonUI.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exeLogonUI.exexECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmdgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalState\\gWDBrKbJhvfEfcGWsvfX1lSvqnRATy5CZicB2wng21MiM.exe\" O 2>NUL"	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\en-IN\\rAzh1Fy4BBK7HvqtB8ULNDjW61YYdcD9lUlhmCrrVacpgiNwo0YZqZJlK8.exe\" O"	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.BioEnrollment_10.0.19041.1023_neutral__cw5n1h2txyewy\\gsmVuGe4AoXem8bBZpua6qLutRH2lBnBz8ZO.exe\" O"	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\\AC\\INetHistory\\zUuclVUmEdxX1fgHi8EWKsuZcJJvNn3Zwf6S.exe\" O 2>NUL"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\\SystemAppData\\le6vKMAJrnkF2rHviQc.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\UEV\\Templates\\suAapy9JTOUdgQOO42VRQchluFT.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\TempState\\jZbsWLn9g5WENIKqj88eXHMejYJ1YNThb9pSnT.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\AC\\TokenBroker\\QP5pkvBtYWZp1.exe\" O 2>NUL"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\qml\\QtQuick\\Controls.2\\JAlzH8RS8LuYGFCBVCjslOlPDB3TIET6tmouz3tQi6qZ.exe\" O 2>NUL"	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\ablVvHTKF9ZVzXXJex92DAiUWwgFp0qI7BFTe3lmxqq4FSsplDaBZjqM1B4Sz1V.exe\" O 2>NUL"	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\adm\\zh-TW\\2gvF0sDHtTb0bNxUKrKOGFtgtCibppNK3ZOfImtdHrWictzjp.exe\" O 2>NUL"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "169"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\P5W2kZ1RAFa2CZFQptWdlO5ymtGgCzusGs7fw4rwBvRAxwBV3.exe\" O 2>NUL"	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\zRwXyKaElIXTkWVI12oQ2rH4.exe\" O"	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\7iXdyUCKBLfVFsXR1qonWhc9wUngc3E3NcomxWqejTGTJwv3.exe\" O"	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Key created	\REGISTRY\USER\S-1-5-19	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\LocalCache\\jLap5qDL5Fkzkh9ApIMikWy86tchis.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\3YPZLUVlFlK6QV195OtXBbYHm03Vo0xWmg4oBdXiqcCsWD9XEiZ9XRm1oEhAkjnqkQKagH.exe\" O"	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\LfSvc\\L8IQd5dPCq88lgfwOCYoC32xHY7QLvvpBTgRmS0SulpyXj.exe\" O 2>NUL"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-20	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Modifies registry class 10 IoCs

Processes:

83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\DLP\\OuCfBDkHWTB9SVJmtLD.exe\" O"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Command Processor	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\ms-MY\\RZo9HyE980MbJBX3aAjQjC59EchBtptGilc8.exe\" O 2>NUL"	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

pid process

3632 xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
3632 xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

pid	process
3632	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
3632	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exexECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmdxECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

description	pid	process
Token: SeBackupPrivilege	2496	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Token: SeRestorePrivilege	2496	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Token: SeShutdownPrivilege	2496	83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
Token: SeDebugPrivilege	3864	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Token: SeRestorePrivilege	3864	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Token: SeDebugPrivilege	3632	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Token: SeRestorePrivilege	3632	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LogonUI.exe

pid process

3168 LogonUI.exe
3168 LogonUI.exe

pid	process
3168	LogonUI.exe
3168	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

gpscript.exexECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

description	pid	process	target process
PID 1848 wrote to memory of 3864	1848	gpscript.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
PID 1848 wrote to memory of 3864	1848	gpscript.exe	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
PID 3864 wrote to memory of 3632	3864	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
PID 3864 wrote to memory of 3632	3864	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd	xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
"C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Users\Admin\AppData\Local\Temp\83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe
"C:\Users\Admin\AppData\Local\Temp\83df7cc257ff7f1bac910e4358ad604ed5d336b21fa2ff291a1aa2188fcc30fc.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ed055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3168

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
"C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\UEV\Templates\suAapy9JTOUdgQOO42VRQchluFT.exe
Filesize
958KB

MD5
51d6a73ea2f6527c8303ebdb45d5fd14

SHA1
33a5db059389dbfcf1d8991d6ca4b4a101f6e0e0

SHA256
4a4b800c8cef62a1e7d408eb145eb6c694486c8b1fff30d798972a3294923a57

SHA512
4582138f2956c4558452826aa0cc2553a334540ea7f4c41b41f256ef26487456019e2ba78655e453dfe0e0d39bcea289f7188477ebfd5ea096a15ae92b8f1a13

Download Submit
C:\ProgramData\Microsoft\Windows\LfSvc\L8IQd5dPCq88lgfwOCYoC32xHY7QLvvpBTgRmS0SulpyXj.exe
Filesize
1.1MB

MD5
bbf593b41d92db84185ca44794926af0

SHA1
1d45891810d0c82c5b0729baac52e21b00edfc0b

SHA256
334ba6f3e1ab6360b28201e1f4590ad13ffe399a17578f2d738c41f2d4ff87e0

SHA512
bb92f31c8a659e866db360c2271a55d5f9cf1a8ee323de5cf100f5b4e17cdb8f81ea2bb0c4bbd2940b95dc96443a38243deae72b271d9869b3646eddaa1a7bb0

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\1mN08ZAMCqCD2tIZ1Lp3xnCbJS9Z3Eew5ICBvRQN9PVm7sAZ3VmCFPehPxHVfkL57TTE2b.exe
Filesize
1.4MB

MD5
e2bb2300bdda5b53aeb7ec5e6333efc5

SHA1
9f294d300b3321bc339f6c3e7881ff9dfff62950

SHA256
614b28979c436251c99939a2e1940f459f3dbe9b06d36a202c1c2795512085d0

SHA512
4958e8f7c09992349dc19150668314a398db00b6c0e0c2f8d77a222ff6f523740163b5303ae313682c17daef66b10d2140c16b52a61d0dae436b82e739c76c36

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Filesize
1.1MB

MD5
7941abce3d2dfdaac0e01400985a40cc

SHA1
be47c2f23e6590b863b83ca2bd4ff55a2d90fbcb

SHA256
16e9033f50439f328c5b9612711b7f81fad6b377e5738ca96f8f0201163b9ca8

SHA512
18425e51a3cefc5ea19584069757f1dd02a74768f9a8f3d47eef80f8e3f9945cf6533955601d05fce818caa98e8a5a8798705611734e34f7865ecbdaa36d28ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Filesize
1.1MB

MD5
7941abce3d2dfdaac0e01400985a40cc

SHA1
be47c2f23e6590b863b83ca2bd4ff55a2d90fbcb

SHA256
16e9033f50439f328c5b9612711b7f81fad6b377e5738ca96f8f0201163b9ca8

SHA512
18425e51a3cefc5ea19584069757f1dd02a74768f9a8f3d47eef80f8e3f9945cf6533955601d05fce818caa98e8a5a8798705611734e34f7865ecbdaa36d28ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\xECOOWLytcs9Mztx5gupPRJraajWgn8fFC6hyMPiwF7x.cmd
Filesize
1.1MB

MD5
7941abce3d2dfdaac0e01400985a40cc

SHA1
be47c2f23e6590b863b83ca2bd4ff55a2d90fbcb

SHA256
16e9033f50439f328c5b9612711b7f81fad6b377e5738ca96f8f0201163b9ca8

SHA512
18425e51a3cefc5ea19584069757f1dd02a74768f9a8f3d47eef80f8e3f9945cf6533955601d05fce818caa98e8a5a8798705611734e34f7865ecbdaa36d28ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\LkjYHILuzULjbGTq1dh8fTNje0y8VGy.exe
Filesize
1.5MB

MD5
386f631a0b8556aa42a6313d5ce4554e

SHA1
379c2a72eda6774a443bd81e64965443e709142a

SHA256
8f2e4330d945d85846debed0a1f514c968895504b1b284881037434c8dae95d4

SHA512
30df79c6ebe19826ae107da989c0643a8a427f28236973f15b75f4de9959bfe7b6ec8a41c228e569b6eda2f0c9ff14ba600d867adbabc3ad9d455935d773ad91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\zh-TW\2gvF0sDHtTb0bNxUKrKOGFtgtCibppNK3ZOfImtdHrWictzjp.exe
Filesize
1.6MB

MD5
7aae77aa67a2f308c53b74cbc817ad9e

SHA1
f125d1e7b3a561bee640e2f23a67472c8c077fac

SHA256
0917764a25cbf59a77cefed9ecc1e0d94174f795b867dd6879fd4a3ffc8e32f2

SHA512
09c9547a246b9a15398160ca2dc5024492a6ad8d81c16c58dcb9b27587e3c7e4db9f0d5251eae030e1d0093538b04578309d5a6f89c98d9a6906c77d6d4c6681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\en-HK\Fa1kXk6TxzpeUgFf8lB4TnRjRFQRnsTHy5nc6cyZ3.exe
Filesize
1.7MB

MD5
e6bc3f45fcb08b7a53788a1f55a17d48

SHA1
cfaf74d5098e703267dfe2e45a49445b1e64993e

SHA256
4dc14192d635d640d7789c8ee57e78082b0a878a59648109afbd9c9ecfecb8ab

SHA512
d4d5641648d22b86a297a9320a7c6d677af717cfec2f4928571aa25e49ecb691e2fcb73f5cd8d8f19cc446a2b20bef8bb9c7f3925c3e30f4f2b0a0d4112c8658

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\INetHistory\7QHhXHpIyvQaYp4OU7z0XzaG.cmd
Filesize
2.2MB

MD5
c72f3faf21b7584b4ee761792793a058

SHA1
1934c9ea5241fec52bccb3ee943f64ddb877e7fa

SHA256
782208d23e5a18d9a9b76d9fa37740d563fa8bb28305affe6b18f0b484b1c27f

SHA512
f85f2a1030dba17d33579a12015e3bb0381dad4462df984d68ee5f83b7e26f4378014c6d4975870cabf78a88bd6117b2b4a9aa0486c3ef82980339457ccb3e5e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\SystemAppData\le6vKMAJrnkF2rHviQc.exe
Filesize
1.6MB

MD5
39d6648dcaa0b79aabb79979fff8e22b

SHA1
ac5bcc141f1a449bee766633425acd436a77fbaf

SHA256
044e442eeb07ea47b94b03a925b2194edc95d9d810d1699d323c96e2f89186ff

SHA512
68e207644bddcf6b641365086ab96a1e3425fa74ddf927d18fc4e32a93e5c07a3709ad407b7493fb15004fc55e4bd58aeda2dc730a4bd8f807f8503dd408e55e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\QP5pkvBtYWZp1.exe
Filesize
1.1MB

MD5
6290e36422747c0be30768938e827618

SHA1
504b7942a8fc726c9f156e380fcd1a5a8d7b3556

SHA256
96921131f8004ef9022953b0128572165bd49aa1a1f3df464bc54123c2ddb9c9

SHA512
29bdf71fab458e69a8f795d0c79104bdd152c0f3b464a127411cb18b70874c39fe8fa97681fb30064d0a0c67746bf1e90d41dd6e6e6fcf8656e8f5ba5d7c2fa1

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalCache\jLap5qDL5Fkzkh9ApIMikWy86tchis.exe
Filesize
1.3MB

MD5
a7c46e9cf8f96e33c296f3e46fb76461

SHA1
1d73ffdd523d9a4024d44e0602fec55dbdc2aa92

SHA256
78c0d774df461a41e4d91b93c41c75c7a9347f5648a86ae99fe3c74c6fec3d1d

SHA512
80193d877df9bae9e2ac30f4b4cd809e2ff3b680863909f2eb0df8deb4f73284b02636ad8015d52ad4fd1ffd28a58d94dee0eca302bdbbd18e6c7cd3102b5ce7

Download Submit
memory/2496-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2496-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3632-147-0x0000000000000000-mapping.dmp

Download
memory/3632-152-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3632-153-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3864-145-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3864-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3864-149-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3864-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads