42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f

Analysis

max time kernel
88s
max time network
73s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Size

394KB
MD5

0c985eba4c824c943dfd05035bc4eef1
SHA1

f5ba7a99bc283a5cc527c9e978986e7efad1b4f0
SHA256

42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f
SHA512

3b69bbcd67456cfb326e432016d7c292746cb8ef5897ab2bb3322452b7424189713d944ee3f768cb8c320db805c6de1c634e980549c806d41724e02e07b43bd9
SSDEEP

3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

description pid process target process

PID 1712 created 584 1712 KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd svchost.exe

description	pid	process	target process
PID 1712 created 584	1712	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\wuKUr1ffKxQlLNHYO.exe\" O"	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\0FdoGdYF5mjkMU797zWmeet1tMagATJEFhXw8EnrEYskeiP4.exe\" O"	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\de-DE\\EgE22Vyo0sGy6bwRThu2Ym2hmGkB6w0iJlHhrAbAGj.exe\" O"	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\fr-FR\\FM2YfHDtqhATO4e6zsxMVgTq82KxMQ5AXUw8gmLabzFWGdhPv.exe\" O"	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

Executes dropped EXE 2 IoCs

Processes:

KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmdKxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

pid	process
1712	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
2044	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmdKxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

Drops startup file 1 IoCs

Processes:

KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbH0bRsLauqg1cczv8D56E9i7FGgAOOKA.exe	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

Loads dropped DLL 3 IoCs

Processes:

gpscript.exeKxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

pid process

1580 gpscript.exe
1580 gpscript.exe
1712 KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1580	gpscript.exe
1580	gpscript.exe
1712	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

Modifies data under HKEY_USERS 59 IoCs

Processes:

42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exeKxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmdgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Low\\f42KOoEYFs0.exe\" O 2>NUL"	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\fjvnfg6v.Admin\\Ti5PRxyBJ7reDRLmdLQepM71W.exe\" O"	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\S-1-5-20	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\FIutG5cb4xaRoBaX9Cvff4XI8Pyea.exe\" O"	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\bookmarkbackups\\JTsoV0klCgFQq0gX5ShSAldgBGngPftKQLx6p.exe\" O 2>NUL"	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\packages\\vcRuntimeMinimum_x86\\wAZNd3EUB6FBVZlDOKDnivifUMPRt6fEKHSqDRhWKGtf3uuQsmy4QS6X2VEyi.exe\" O"	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft Help\\r0b81CsBGzofjMF06XgNW9nUgLpu9kWr9XknMdk9leDpCRTT3O4rP90HiDsLRpxwgCzqUVH.exe\" O"	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Flash Player\\t5ddc8anfQtW1HqIoTqSJC8uNk3nJIdFpN2om8m3d1dWEzDDnxOzbFdsapRhdAnSow34p.exe\" O"	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\datareporting\\archived\\2022-08\\qplPCPcefXjX8Or6uCsm6EVND16eDfrbWDZIPhvdC6Xhow42zyavUNT0Af.exe\" O 2>NUL"	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\.DEFAULT	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows Media\\6AYO1p4yxSjdI9E51mmL.exe\" O 2>NUL"	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\fr-FR\\t4dFI9RQTwUjSgHmaEe3Qel.exe\" O 2>NUL"	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Search\\tKtwt47qmMY2KlWbjTYqbv13azQTkohWFAvFEe1BhNpQZNbuAxdaZgpl02rM1Sj.exe\" O 2>NUL"	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\62\\fEjFEgKSm17pgBGYVWBHO4AOLBWc4WE3DnsuzZ5xGMU6W.exe\" O 2>NUL"	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\NonCritical_x64_15ac16619585aa27282df5e4c6acd0916524a313_cab_0768560b\\JpGgE1ITlmRnWoTbulikkYbf9fDYsHlsdBdeDSNZBwionDvOFZkdloH12N6fsJH.exe\" O"	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\3ZJJ5nYKyz5.exe\" O 2>NUL"	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\7DE3E2MWNa8pUCxDU193PzPeLAB.exe\" O"	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000d04bdb4fec00d901	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-19	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Site Characteristics Database\\cElrcVceAIaUqCGcOdzv6a7FHKhz9g5PVPdVX7PbO.exe\" O 2>NUL"	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030aa9351ec00d901	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Adobe\\MsZcCzw7D5SEgBx1C7l5WWQ0twC3ar.exe\" O"	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\1\\spNjFTNYW92l0nnpYc55Uw2.exe\" O"	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

Modifies registry class 12 IoCs

Processes:

42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds Cache\\UN1Y26T5\\IDsP4aqY9i.exe\" O"	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FSoVEneZ0PvJXhcb2qmwonmN2aC2GWRDm0jhwBPlIxhuX0ipX2xh56MyfNNtxZstsHma.exe\" O 2>NUL"	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Command Processor	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

pid	process
2044	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
2044	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exeAUDIODG.EXEKxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmdKxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

description	pid	process
Token: SeBackupPrivilege	548	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Token: SeRestorePrivilege	548	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Token: SeShutdownPrivilege	548	42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
Token: 33	1284	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1284	AUDIODG.EXE
Token: 33	1284	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1284	AUDIODG.EXE
Token: SeDebugPrivilege	1712	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Token: SeRestorePrivilege	1712	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Token: SeDebugPrivilege	2044	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Token: SeRestorePrivilege	2044	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exeKxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

description	pid	process	target process
PID 1580 wrote to memory of 1712	1580	gpscript.exe	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
PID 1580 wrote to memory of 1712	1580	gpscript.exe	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
PID 1580 wrote to memory of 1712	1580	gpscript.exe	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
PID 1712 wrote to memory of 2044	1712	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
PID 1712 wrote to memory of 2044	1712	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
PID 1712 wrote to memory of 2044	1712	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd	KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:584

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\safebrowsing\KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
"C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\safebrowsing\KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Users\Admin\AppData\Local\Temp\42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe
"C:\Users\Admin\AppData\Local\Temp\42d2c24e492154147631ad8360d730bc01bfb8e1f057563b5ba96fac199c438f.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:612

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1604

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\safebrowsing\KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
"C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\safebrowsing\KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\t4dFI9RQTwUjSgHmaEe3Qel.exe
Filesize
579KB

MD5
1a9c797d29682fee63193eb567a1aa3d

SHA1
f0fdd11f2c3512d4603903475e883a3a35c43992

SHA256
d3309fa0b459f840ced7636481dc71b80ceff1f6bee087ae0e3e85ca7486a940

SHA512
43ffe3ba837613195cdf66421a26c0fbaad2f21a755559505fb5b493b85365d95e5cafcb95b0946d46ddde7707cf07a12607bdf61c1a56f2e1b7b84e742e21a2

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\EgE22Vyo0sGy6bwRThu2Ym2hmGkB6w0iJlHhrAbAGj.exe
Filesize
621KB

MD5
065fd1ebb7963f6a053d8a8473a2c848

SHA1
ce25487153d8e3003089f3b89fb1b5b57744c9c1

SHA256
691e47b3328d1128bed6c88dd3f361e62f5b92b8557ef108f460d8229fcee9b9

SHA512
d13a6eb227f92a5292b91caa98b7e8bfe420ab8aeae5e6979dfed0ccc9ef472a7b54a23707acec3537f9eb6eb3069a75ab58d46e90e3008a941f8238785f9916

Download Submit
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_15ac16619585aa27282df5e4c6acd0916524a313_cab_0768560b\JpGgE1ITlmRnWoTbulikkYbf9fDYsHlsdBdeDSNZBwionDvOFZkdloH12N6fsJH.exe
Filesize
480KB

MD5
dbd057ec1dd76e29ae90d05fea26add2

SHA1
4307fb9b6ac71e66a4068714928d4d729db1ca6e

SHA256
bde03ca134e87d4825c77afd9bfc282210bfc96b01609bf857c039f7a6804cf0

SHA512
4f28769ecb48b4d7ee0f30b50bcceb924477b6036373e3e51440f8896eba47117116bcc28bf64389889ed783f1b23fb30696280171f3e24d44868cf61c25b625

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\FIutG5cb4xaRoBaX9Cvff4XI8Pyea.exe
Filesize
445KB

MD5
bd0ada4f329daf033cd19e7f3cfe0b42

SHA1
6ac7acea9d8146d21dfac453bc0a90b754f986d0

SHA256
8c586b3e87d993c684ea205ca3f8c04e37243d9f7b2480492ac0694261224b75

SHA512
8473e9f1fe369fe48b717d358aad5a4b23ba2090241e06c2b3447b18e4eb48cc5505ab777cf225fb99441585bbbae3ab07412ac5dd7c86c356c89620362fcf06

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\mPJkUeYYYkiJUp9MWU1pwM2C0K36RBr1VpS48tDK5puS.bat
Filesize
801KB

MD5
eada267b2b9cba7167ff096c48819a88

SHA1
9f5e7bd7b91da8b10bc13ddbd7096fdcb7fbcd6c

SHA256
a9489626d121feba6da66068e70686ac2395460b3a3d0d53f3e00565c16bcac8

SHA512
bc7e3abacaf5050eba84653f93e6a3ea77c9ddc3f5f624b3e7922a94f29936cfbb227fd2d5cbfd4e5ee1e4cfb0f642e51dd2db46ea79c76f42743101c39b2d19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\cElrcVceAIaUqCGcOdzv6a7FHKhz9g5PVPdVX7PbO.exe
Filesize
408KB

MD5
92d2e59b29debd8cb2bfd33ef0eac6e0

SHA1
fdc3806fcb32328051cdd3432c0c3683b0e4e6d3

SHA256
b951b40f28345ca3927e730eb4ee959474bc752f4dad6efdc2615006e35a368e

SHA512
641b31b51b832a92e5e427017ffc4240e9a5d8035706016918dd2c11f1cda53ee1d9491670d0b1b2631eeded0e143dd0592dd40fc7a7e717e4f65171cdb0c700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\JC7zvEjlYZNbhz1GOH5FagZYu8jON3wGZlPwdY3SryABZ9TCyy.exe
Filesize
1.2MB

MD5
cfe3630db95d9fc7a1f3a965711442a5

SHA1
6b3732f6225a2938d7961d417afd2d585e9bd3dc

SHA256
7d15fc8fd6a49f1b6810b7bbcf7e62cd3c00273e2765fcaca14a8442f977f040

SHA512
d06e3fcc4b75669fb9609bf43244f3ca5a94c44e05377641fe8de13491ddc95a8820c902f8c7b38d9399f5527d7eec100c764799bb940e3e16435d838f6951af

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\safebrowsing\KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Filesize
655KB

MD5
477919a24aa08ae9cf46e642c76b12cc

SHA1
eb04ff19f547190eedebffb3d9bb83578fd58e37

SHA256
1adce6b704df76214c0b1833d42ca75451663ee4a4024607aa9bd1276c2bc5af

SHA512
da9a6ed2b3afd5d3c2827b70ab62e50b1bf1c047d2c3a868fcc4b1e53c19e7b29d6b313f8ff33966871281dd323d733dba0524cc0290073cc9afb7644b8fa658

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\safebrowsing\KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Filesize
655KB

MD5
477919a24aa08ae9cf46e642c76b12cc

SHA1
eb04ff19f547190eedebffb3d9bb83578fd58e37

SHA256
1adce6b704df76214c0b1833d42ca75451663ee4a4024607aa9bd1276c2bc5af

SHA512
da9a6ed2b3afd5d3c2827b70ab62e50b1bf1c047d2c3a868fcc4b1e53c19e7b29d6b313f8ff33966871281dd323d733dba0524cc0290073cc9afb7644b8fa658

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\safebrowsing\KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Filesize
655KB

MD5
477919a24aa08ae9cf46e642c76b12cc

SHA1
eb04ff19f547190eedebffb3d9bb83578fd58e37

SHA256
1adce6b704df76214c0b1833d42ca75451663ee4a4024607aa9bd1276c2bc5af

SHA512
da9a6ed2b3afd5d3c2827b70ab62e50b1bf1c047d2c3a868fcc4b1e53c19e7b29d6b313f8ff33966871281dd323d733dba0524cc0290073cc9afb7644b8fa658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\7DE3E2MWNa8pUCxDU193PzPeLAB.exe
Filesize
471KB

MD5
dcd4ddeb5aa30f9f98913cb4bfca7a0a

SHA1
d5dc6ec503c56eff61edd8aa7d78f3be725641a0

SHA256
41c09329c0ee8e13f1cdb3b6987666f304eb103eb5ea6e3cb4ad252fe0f3973f

SHA512
bacc7344304fc7500818b56b0af9fc154c4edb2cfe13008e608ffc751dd02443bc7ad0928b4dfeb669baabbd2c8abdabf885617ce7d9ab7050b362bc688d2269

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\datareporting\archived\2022-08\qplPCPcefXjX8Or6uCsm6EVND16eDfrbWDZIPhvdC6Xhow42zyavUNT0Af.exe
Filesize
472KB

MD5
e4a8d5aa37da0086311fb90ac661e953

SHA1
cff2bd9600a8fb1d658749854003ef05038c8ea3

SHA256
fece0451e64d54feec1302dd6bfe4f3ab2d3220a65a003f56cca326dba1792f2

SHA512
88ff90d5887ad21bdd7c0a1fa41888128f7327b9649356f6e168304531fb6ad510c56c21fd9ac36578067a4ce9389af88c5ae4195765a79199c3b5d4d590dea2

Download Submit
C:\Users\Admin\Links\2I39NnRrWizVgsI7wd6LV1ZnklgcORYzWt3RqCl240cTR2EO9hIQMqRPTzsPE7ULXSEo9jt.exe
Filesize
565KB

MD5
93121a5d14fccfc240ee87092c232ef7

SHA1
ddf32bfc347e68390dd710bdc32895fc64e96a52

SHA256
28c69a5d89c1d032a322a5591a825d54e8b5457ed44e58ecf3f2e7111c17772e

SHA512
d50c4984d185eae2130388d60a6137037ca52f1b5a9883bdecf6dddb2755457478269dcb3c1ef1f939453881abaf5a93d7b2bdbe12c9ead022bf8f0ad84a8f92

Download Submit
\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\safebrowsing\KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Filesize
655KB

MD5
477919a24aa08ae9cf46e642c76b12cc

SHA1
eb04ff19f547190eedebffb3d9bb83578fd58e37

SHA256
1adce6b704df76214c0b1833d42ca75451663ee4a4024607aa9bd1276c2bc5af

SHA512
da9a6ed2b3afd5d3c2827b70ab62e50b1bf1c047d2c3a868fcc4b1e53c19e7b29d6b313f8ff33966871281dd323d733dba0524cc0290073cc9afb7644b8fa658

Download Submit
\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\safebrowsing\KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Filesize
655KB

MD5
477919a24aa08ae9cf46e642c76b12cc

SHA1
eb04ff19f547190eedebffb3d9bb83578fd58e37

SHA256
1adce6b704df76214c0b1833d42ca75451663ee4a4024607aa9bd1276c2bc5af

SHA512
da9a6ed2b3afd5d3c2827b70ab62e50b1bf1c047d2c3a868fcc4b1e53c19e7b29d6b313f8ff33966871281dd323d733dba0524cc0290073cc9afb7644b8fa658

Download Submit
\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\safebrowsing\KxX8qFRgF41yYFgIRADX3RmgnDc0gwHsje7OQ9J187A8xbeaeDH90QtELv4vxPUufggHTL.cmd
Filesize
655KB

MD5
477919a24aa08ae9cf46e642c76b12cc

SHA1
eb04ff19f547190eedebffb3d9bb83578fd58e37

SHA256
1adce6b704df76214c0b1833d42ca75451663ee4a4024607aa9bd1276c2bc5af

SHA512
da9a6ed2b3afd5d3c2827b70ab62e50b1bf1c047d2c3a868fcc4b1e53c19e7b29d6b313f8ff33966871281dd323d733dba0524cc0290073cc9afb7644b8fa658

Download Submit
memory/548-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/548-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/612-55-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/1580-76-0x0000000000C20000-0x0000000000C4D000-memory.dmp

Filesize
180KB

Download
memory/1580-64-0x0000000000C20000-0x0000000000C4D000-memory.dmp

Filesize
180KB

Download
memory/1580-65-0x0000000000C20000-0x0000000000C4D000-memory.dmp

Filesize
180KB

Download
memory/1712-62-0x0000000000000000-mapping.dmp

Download
memory/1712-77-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1712-81-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1712-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2044-79-0x0000000000000000-mapping.dmp

Download
memory/2044-84-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2044-85-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads