e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3

Analysis

max time kernel
40s
max time network
32s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:40

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Size

1.4MB
MD5

657490762b3af18de3c6ac4e75544172
SHA1

5ea5b9e41b3f59f486768b19c8347977384933a9
SHA256

e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3
SHA512

a46cd2da83c1433354e85c28d327e00fbe76845d33720dfd2140d80fdbf8ba09d8cf7f3d3d7cd4acc9671fb013ce164fdf9e35efd9b6af1b104f0b4f8f4c3c23
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

description pid process target process

PID 1076 created 588 1076 zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe svchost.exe

description	pid	process	target process
PID 1076 created 588	1076	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exee8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\SMtlMKu8SPJ0IUhYKoS2g3cJscUGBZ8VpJCzB1roZNo9aeMRdxE7Rm.exe\" O"	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\qZ3NXY7Nnxhu21BYX.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\4gq1sglk.default-release\\datareporting\\archived\\cWErAnxfwyz5m8MAf2BN4nfRSq84FF3ARpWb2ywhHd1.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\61\\V1BRX2vTUGZCH8uQMX4tA0Vbnrri54ZhMbpUXxsT.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe

Executes dropped EXE 2 IoCs

Processes:

zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exezNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

pid process

1076 zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
1168 zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

pid	process
1076	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
1168	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exezNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

Loads dropped DLL 3 IoCs

Processes:

gpscript.exezNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

pid process

1740 gpscript.exe
1740 gpscript.exe
1076 zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1740	gpscript.exe
1740	gpscript.exe
1076	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

Modifies data under HKEY_USERS 59 IoCs

Processes:

zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exee8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exegpscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ja-JP\\AMfjBK43S6woDNTgICeY9eXdWJpuR2E2MqSqeUtizxVN6Eb0S4vg44lU9ZcHXk2Q.exe\" O 2>NUL"	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\BrowserMetrics\\InlI25fgQgN9BuCOdE16Ue1Syq3C4uPqn8o1XCh1TBejQU4CJWc5Ky0.exe\" O 2>NUL"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\it-IT\\9FeeelGIINMypth4vL2cj5lxsSWDY9lmW7P.exe\" O"	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000090707349e400d901	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Favorites\\Links for United States\\tGSwBXr0LdGkRPiWr2CODXNjjnzjJ3TJUlcFmrzbV6zLP4GioycoTZUYyimmxwLI.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\jo93OpZAQTg0iRsnoHETiFQ1QSBAf3NZ7HQZZ6kVBDdRDA3.exe\" O 2>NUL"	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Site Characteristics Database\\V5nFhFS4Ud62v0XLAgao7TuI5IomwvSwhn21a8IZ0uHuhuM1evDytcrig8Xfync4aF9.exe\" O 2>NUL"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\NjQKil75OBbNgarhglyAbz5V8S0o2pUcKmJC5XQQ2s9NwntujZ3xHqzKPtX1rBGebCODT.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\HDKVF02BtbrYZrMswDWyDowwUAvkGkhAXvUkiAcVZmbaqyw0oXfOMlaA.exe\" O 2>NUL"	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\46\\INKuCiFVf.exe\" O"	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\P0nqEMJKJkmzbiLasdgY7Z1.exe\" O 2>NUL"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\51\\xE4VMcfJudls1I4FEaz5rpv4MbS1zGZgqFF29.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f0924d47e400d901	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\.DEFAULT	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Mozilla\\jX5AoLO5VIOHrtYs4.exe\" O"	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\URisSZzBm8C2gRJCQASICkf1g9.exe\" O"	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\61\\8RCd5hst7H.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ja-JP\\PlOpNSML7TKD9ZJRVi1ZbFjjbT4Xz.exe\" O 2>NUL"	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-19	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\7-Zip\\ziSLNRYhltdVu9wL1nMZTwit58ss45mWxRtPGOz27U9Nqrpxd4E.exe\" O 2>NUL"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\13dmx085wZs35FXN.exe\" O"	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-20	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\52\\isKAv88wAiR65cKJznzKiRppmR.exe\" O 2>NUL"	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

Modifies registry class 12 IoCs

Processes:

e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\ssmiA5yKFoD9HyRu8XqfGZhh0VyFfXQENsG.exe\" O 2>NUL"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\EutKzEClGU0niubZn1ENysp5ckfuo3GSdvaSZKABZ2wwM1uvC7AmNj1qZmXFOTAsoJo1N.exe\" O"	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\SOFTWARE\Microsoft\Command Processor	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

pid process

1168 zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
1168 zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

pid	process
1168	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
1168	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exeAUDIODG.EXEzNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exezNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

description	pid	process
Token: SeBackupPrivilege	1444	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Token: SeRestorePrivilege	1444	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Token: SeShutdownPrivilege	1444	e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
Token: 33	2012	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2012	AUDIODG.EXE
Token: 33	2012	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2012	AUDIODG.EXE
Token: SeDebugPrivilege	1076	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Token: SeRestorePrivilege	1076	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Token: SeDebugPrivilege	1168	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Token: SeRestorePrivilege	1168	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exezNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

description	pid	process	target process
PID 1740 wrote to memory of 1076	1740	gpscript.exe	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
PID 1740 wrote to memory of 1076	1740	gpscript.exe	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
PID 1740 wrote to memory of 1076	1740	gpscript.exe	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
PID 1076 wrote to memory of 1168	1076	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
PID 1076 wrote to memory of 1168	1076	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
PID 1076 wrote to memory of 1168	1076	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe	zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:588

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Users\Admin\AppData\Local\Temp\e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe
"C:\Users\Admin\AppData\Local\Temp\e8940602d2bbd3f3ec5447e8bdbbf8cb9bdf3de0ecc0c9a28fc5be530c862bd3.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:676

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1516

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\QOqQdOtHnB5zjgKz8YZeo7QFh89aVfSfoLrLqz5aed.cmd
Filesize
4.9MB

MD5
38c75048bd90f0ec5059ace05273e048

SHA1
cf11090ec537da07a8f8d85f5da1b90534fc1e3c

SHA256
1e3b640fa9033e7182f729a37ab4c027cf2b238878e4f767b59a1723013eab38

SHA512
a58aa0f3b6d369c528d53a20bce10552a9ab09195124c9f8cd3be6187212a0b0eca924e345b7c571fe83b11a884cdc893913da28919f71f8dae332029be17421

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\48HTpH536H9.bat
Filesize
4.4MB

MD5
d0c5577ea0ed99c4aff0ebf86cb2396c

SHA1
6d0f9f9dbdd91530966b9f385e76c080e36fcf8d

SHA256
cc526cad8f6a43f39a1aed70b7bdfec0bfe255242053ced7a9c2f64a0860b52c

SHA512
2eaf0945a5fee6b47d76128b0880d6718a75b05fe997f4e4aee11a00181ba1526243c1023cc015ac679c678b89cd5e8f2528a0489f2870fe6a9fde1c387cdea2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\NjQKil75OBbNgarhglyAbz5V8S0o2pUcKmJC5XQQ2s9NwntujZ3xHqzKPtX1rBGebCODT.exe
Filesize
2.2MB

MD5
944c2ff8b97d1cbb78623f8fe8c45fbf

SHA1
e02deb870981a7c29d664b5049f9e10d8b2cc460

SHA256
bc4c3b533e748de4a1d84c3d18eb6151e2b8f61558f4faacb8bbf9b8ca804ff9

SHA512
f83b410fcccb380ac4f4583ebd180d44a10aa8ce688c578f52829ae2facadfb09acf421087086cd9c26239542693c8f54ef6e6351d39db9a132db84a9010762f

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\8RCd5hst7H.exe
Filesize
2.4MB

MD5
cf5b43cf03e694f58d6f7fe064f8de0f

SHA1
fd7edfe27a3a59764abd6a61fd081d5fd8dae458

SHA256
0bc4944f9c8586ae80df1a1bc239066738de3f79b563f674a73380194da6dc7c

SHA512
ed3e7a5161d95d99db3180e53a10449bec92167593173b3a6085ec1f280d966599951acb08bf1cf6bee998002ff3293fc16d2f9757631595ce60be0b05b0a4c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\InlI25fgQgN9BuCOdE16Ue1Syq3C4uPqn8o1XCh1TBejQU4CJWc5Ky0.exe
Filesize
2.8MB

MD5
57b2011e94a8565ed5fff3618557ca7a

SHA1
42b08ddf393c408e77f6e827c67b47b1667f3653

SHA256
813096866076e783afc8e9dc8def172065e23f4716c8eb7dd161d423f05d0edc

SHA512
77d4a040a8d175567ae377b50ae7cd1af055763249541fcc4873f8849ab4a2c8b72b3e7d75859e2301397c32fae865e0b4c62ab48ff871811d69e7611b686d00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\V5nFhFS4Ud62v0XLAgao7TuI5IomwvSwhn21a8IZ0uHuhuM1evDytcrig8Xfync4aF9.exe
Filesize
2.8MB

MD5
cbe1642b005b3622f0620e39f214ad04

SHA1
e23ac1823e74080aac7312d8e45774bcde8fd6b8

SHA256
63e36293596733c77a25cd1b68f231d76391d36032e78d011c0fddc93e4e2530

SHA512
fa742bc13dc0490946c454716700a8850b02f56353cf47b214fc648871f38bd68400a72715af9186dee5cc4ed9cc3a134a80314ab7a25bde3f53f72aeb646372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Filesize
2.8MB

MD5
c8ce51b7f672973187362230bc976fcf

SHA1
65440864ebc32ebbcd8eac3daa826e262a844f4d

SHA256
1c2f70e10bcc2a7fb656ee1dddcc9c80bed74eb8f4f34ab66d0a036986051f13

SHA512
f93b3054fea58d2afe355ad7cc9edce207c9e88e328f617f801cb8938044fea2b1c0376c67f51043bd6270ffc6f21ffd4e00c8e906ef75b9d1b18793087939c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Filesize
2.8MB

MD5
c8ce51b7f672973187362230bc976fcf

SHA1
65440864ebc32ebbcd8eac3daa826e262a844f4d

SHA256
1c2f70e10bcc2a7fb656ee1dddcc9c80bed74eb8f4f34ab66d0a036986051f13

SHA512
f93b3054fea58d2afe355ad7cc9edce207c9e88e328f617f801cb8938044fea2b1c0376c67f51043bd6270ffc6f21ffd4e00c8e906ef75b9d1b18793087939c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Filesize
2.8MB

MD5
c8ce51b7f672973187362230bc976fcf

SHA1
65440864ebc32ebbcd8eac3daa826e262a844f4d

SHA256
1c2f70e10bcc2a7fb656ee1dddcc9c80bed74eb8f4f34ab66d0a036986051f13

SHA512
f93b3054fea58d2afe355ad7cc9edce207c9e88e328f617f801cb8938044fea2b1c0376c67f51043bd6270ffc6f21ffd4e00c8e906ef75b9d1b18793087939c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\XBdxAZe8fMZ9cPtgcuL3PJfQb7y1W4VJC7U0Gd5a7R9o9t4LzsbLRPb.exe
Filesize
2.6MB

MD5
b21e2a6b40c9f527f740f5128bf63d4a

SHA1
7453adeb07752d257655124c9d497636d2683592

SHA256
1687acf7de60388608dc6883d4410567711ae8a9521455d413f8ebd35797cf83

SHA512
07aa2c4a1c0d0ac68f74fa1d562f5298b096f7d462110c93b487eab904d7af2fa3dde7fb50f5c9ff0d1ca9f56caab401000b2b6d544cc2275f9fae418b650c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\P0nqEMJKJkmzbiLasdgY7Z1.exe
Filesize
2.6MB

MD5
03b526b5b8713a3299343754f7724741

SHA1
67ff4e6e1b9db843a59c462c5e555fd6f9eacfff

SHA256
7051f5d7177c5a1199b8bd9b1f5111c613a1efc0d4f4e35e072efc3612438ba5

SHA512
dc19b02b3bf4c454098a0a895a01efb1fb0efa1b523e2974a5ba0b858b023ea83b2e2ea12995b2a29de0640d351b5e9366de3cc151b6a4fa23f6a3f7849e2dbc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\datareporting\archived\cWErAnxfwyz5m8MAf2BN4nfRSq84FF3ARpWb2ywhHd1.exe
Filesize
2.7MB

MD5
eaaa1d05308f66e8dea59da135d03908

SHA1
f97d93c6d8505d5aa2ff76648551ee9066fb3c56

SHA256
5d417859fbb02fde0a26bef6432e0bc7ad9f19a085b8d595a843e3595cb14cab

SHA512
9204ec0d9abaf1b5d4e1a0ee9e88de864474656939ad1e72246de8843249af25fec70df43db423afddf4f132de2889c1362d60c3336efaa819e8e9bfd30beb39

Download Submit
C:\Users\Admin\Favorites\Links for United States\tGSwBXr0LdGkRPiWr2CODXNjjnzjJ3TJUlcFmrzbV6zLP4GioycoTZUYyimmxwLI.exe
Filesize
1.5MB

MD5
278a984bc8c1e254064a06cd186a9952

SHA1
2b87f6b326b027a99090fcf04d184d27a4f05e42

SHA256
dc3cfab9e9447ae6b47f3779968e22eda5b111fbbd1421a895eceabab1c20c0a

SHA512
f1a013da2c2a8c09a3899f1755fbdab9408ee3cb89427badccb6ebb5d92cfb7488994298e9fcc1a896833364f01c101e1c6e02a46dd89b6dfbe504e0705a8673

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Filesize
2.8MB

MD5
c8ce51b7f672973187362230bc976fcf

SHA1
65440864ebc32ebbcd8eac3daa826e262a844f4d

SHA256
1c2f70e10bcc2a7fb656ee1dddcc9c80bed74eb8f4f34ab66d0a036986051f13

SHA512
f93b3054fea58d2afe355ad7cc9edce207c9e88e328f617f801cb8938044fea2b1c0376c67f51043bd6270ffc6f21ffd4e00c8e906ef75b9d1b18793087939c0

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Filesize
2.8MB

MD5
c8ce51b7f672973187362230bc976fcf

SHA1
65440864ebc32ebbcd8eac3daa826e262a844f4d

SHA256
1c2f70e10bcc2a7fb656ee1dddcc9c80bed74eb8f4f34ab66d0a036986051f13

SHA512
f93b3054fea58d2afe355ad7cc9edce207c9e88e328f617f801cb8938044fea2b1c0376c67f51043bd6270ffc6f21ffd4e00c8e906ef75b9d1b18793087939c0

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\zNcCwMsdjfiOTN5HbYcXYkUKK9oCCq0PL6vO5m.exe
Filesize
2.8MB

MD5
c8ce51b7f672973187362230bc976fcf

SHA1
65440864ebc32ebbcd8eac3daa826e262a844f4d

SHA256
1c2f70e10bcc2a7fb656ee1dddcc9c80bed74eb8f4f34ab66d0a036986051f13

SHA512
f93b3054fea58d2afe355ad7cc9edce207c9e88e328f617f801cb8938044fea2b1c0376c67f51043bd6270ffc6f21ffd4e00c8e906ef75b9d1b18793087939c0

Download Submit
memory/676-55-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/1076-62-0x0000000000000000-mapping.dmp

Download
memory/1076-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1076-79-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1168-77-0x0000000000000000-mapping.dmp

Download
memory/1168-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1444-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1444-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1740-64-0x0000000000EC0000-0x0000000000EED000-memory.dmp

Filesize
180KB

Download
memory/1740-65-0x0000000000EC0000-0x0000000000EED000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads