dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74

Analysis

max time kernel
152s
max time network
95s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:44

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Size

416KB
MD5

78c159c2f33babf985b4c66a041a4aac
SHA1

c4353452b693db7c4b046042ac798101e2ad101f
SHA256

dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74
SHA512

ae6f50d02c0d54979cf52411684ab04e16ad527957193921c83aa440e299093ee1aefcf5f81a63a17af13658340519401c42961bf9e95b82ae36efb13352d054
SSDEEP

3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd

description pid process target process

PID 1252 created 576 1252 atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd svchost.exe

description	pid	process	target process
PID 1252 created 576	1252	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd	svchost.exe

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmddabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Assistance\\Client\\J7DN0G7nWntrtBqNVADgmJq8Y8GAM6IT1KeH54i6ld9NaHBJFDjkBuiyy9t0NXXjSljeL.exe\" O"	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\23\\f4pzhdhEMzLZ7aRdeyXNMi0RPQSAsFD3GMSM58.exe\" O"	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\jVgApXcZBLC8D02krZTblRWmG8ddnz.exe\" O"	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Java Development Kit\\WDOh9ZLu31PvCJXwvfVFcQsPgWqJzTphc9YbvCthHJKFIufjm3VnfK.exe\" O"	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe

Executes dropped EXE 2 IoCs

Processes:

atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmdatj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd

pid	process
1252	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
552	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmdatj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd

Loads dropped DLL 3 IoCs

Processes:

gpscript.exeatj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd

pid process

1964 gpscript.exe
1964 gpscript.exe
1252 atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1964	gpscript.exe
1964	gpscript.exe
1252	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd

Modifies data under HKEY_USERS 59 IoCs

Processes:

dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exeatj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmdgpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\PropMap\\3kT4nuC6LzraaSo42F3hxRsJjc1lIKlELncxQ9O2Rmm0fwY2QXfDNKGKanQiLIZj0.exe\" O"	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\GBC66BG6\\WKFJ5OBkG3tcwXDaf3.exe\" O 2>NUL"	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Network\\JhucBGlqPNnW45POM422xGF.exe\" O"	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000705e4942ed00d901	gpscript.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions."	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\COPX4L9J\\DobE5ljSBSLmVxIzWPT4fMD9a0qBTM7.exe\" O"	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft Help\\sFRPPTjSGZjLnt2EMJfXqCpQU0PLs2z56cBiAn0synLEmi0FQ8y4tK4e4R.exe\" O 2>NUL"	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7BD29E01-76C1-11CF-9DD0-00A0C9034933} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000090d79e44ed00d901	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\Favorites\\K7s2ALQ156qZd4L17mu7B.exe\" O 2>NUL"	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Package Cache\\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\\CC99SaZf.exe\" O 2>NUL"	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\IdentityCRL\\40RzuQ1Y7wDMcuz1wtoauNGgMuPM0TwytMzPbMKn7802psrCMZKIkmEO.exe\" O"	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\cZsq5IV2rMk6fd12InAshzaf9c6n3Use1pxlMtyindOiv8Mu7A1rMgWD.exe\" O"	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\pR4Kp80P3bCt4agCjK1ZnRkdAyB429qmXJtEGjCaCm8Diz4zURAmvD.exe\" O 2>NUL"	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ja-JP\\7yBFI83y5wDthuqb4asfep3BVRkWwrCon.exe\" O 2>NUL"	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\7co8ECAHGkjbz9LLc7FsCNqAxP018WKwoY.exe\" O"	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\mPIE7xcKqS3zKY.exe\" O 2>NUL"	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-19	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\EYT8cLN098yj6ek90PpA0WJlX5Jj64kEI4GJG.exe\" O 2>NUL"	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\.DEFAULT	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\HXSaSLhRed5AYcm2mHUObZQ7Cf60QP4JMI6OI9G5z4z.exe\" O"	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\DcZiTBstwBroWBXw.exe\" O 2>NUL"	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\JqE6POj9uHEsKd5dK8SqmcGY56Ys0ebMpnc1XUcu12mNgiAbrHQuYNXvxlC.exe\" O"	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Acrobat\\AfBNXAoiCDbgE1OIwOL7hfuPdj7ATRrA2oREnG34c03WBzLL3NsStIHDKqYWH.exe\" O"	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe

Modifies registry class 12 IoCs

Processes:

dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Microsoft\Command Processor	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iwv3qbnj.default-release\\bookmarkbackups\\bg6rW3eRbFzQ007UrzLnVRihGzLVui6Dnz9jbuGBuZrlE4agKnYtzwSGPPS.exe\" O 2>NUL"	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\t69QuvoV3KTDgtIU.exe\" O"	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Microsoft\Windows	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd

pid	process
552	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
552	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exeAUDIODG.EXEatj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmdatj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd

description	pid	process
Token: SeBackupPrivilege	892	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Token: SeRestorePrivilege	892	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Token: SeShutdownPrivilege	892	dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
Token: 33	1376	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1376	AUDIODG.EXE
Token: 33	1376	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1376	AUDIODG.EXE
Token: SeDebugPrivilege	1252	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Token: SeRestorePrivilege	1252	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Token: SeDebugPrivilege	552	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Token: SeRestorePrivilege	552	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

gpscript.exeatj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd

description	pid	process	target process
PID 1964 wrote to memory of 1252	1964	gpscript.exe	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
PID 1964 wrote to memory of 1252	1964	gpscript.exe	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
PID 1964 wrote to memory of 1252	1964	gpscript.exe	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
PID 1252 wrote to memory of 552	1252	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
PID 1252 wrote to memory of 552	1252	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
PID 1252 wrote to memory of 552	1252	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd	atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd

C:\Users\Admin\AppData\Local\Temp\dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
"C:\Users\Admin\AppData\Local\Temp\dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:576

C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
"C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd" 2
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1524

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x598
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1544

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
"C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd" 1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\mPIE7xcKqS3zKY.exe
Filesize
435KB

MD5
906db59bf8ea3d6936b943a446372fb7

SHA1
2244bb5989a170d365f789bbf9f9f33cd5be3ac3

SHA256
cf49ab7e554e94bb9ac86d47b3276a1ff5c6a3f81f93e5bc307a0928510f82a6

SHA512
8511b04dc3aabc97859f79721b1990965dbf27df43725eb91da906a4114872d0650fbe1184c2a8e3359841a92cdcd9452820fc8ccc4960514463b1533ceba009

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\7co8ECAHGkjbz9LLc7FsCNqAxP018WKwoY.exe
Filesize
615KB

MD5
6283138957604666068398f70c6a51b2

SHA1
4b8faebf5ab6048c879946799459094aa7e743f6

SHA256
b5b9cea8cdafb9ed738fb691e5535e724cf36b9d3e45b5f4a1b2f03407d0176b

SHA512
56ba1a73e2fc4fc9e7dbe5e1360e975b0c7a9cf7364781544afd6d6d33fc2da6c313b21e4aa3cff9587970a494cab511a92f7fb91f9fa7f9d22a997a17b477a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\EYT8cLN098yj6ek90PpA0WJlX5Jj64kEI4GJG.exe
Filesize
780KB

MD5
7cee039f8cd638988360b8cb74534608

SHA1
430c47b9be0a118c23dc190139a012958ba66e32

SHA256
cbf7208084d553442487808a59044d7ac46f9af9ca4e050e267a5b35a04e5e3e

SHA512
e382cab3076953b6206f4159195936887a72c908977a7da0282d3e6cc43bd4b6423598159af320d357e6f00c33f6153274012e59b3f0f969647c6793d9652ab2

Download Submit
C:\Users\Admin\AppData\LocalLow\pR4Kp80P3bCt4agCjK1ZnRkdAyB429qmXJtEGjCaCm8Diz4zURAmvD.exe
Filesize
722KB

MD5
507934edc6d670c13218dad9f3c70ac0

SHA1
9e0827211dd66c67ed939bf266becbadcf478e1c

SHA256
66618c50b54ab509bade691df3bd1cd36b642c7e27e5a6e92174b95228ce7225

SHA512
bc549cc66e81a2fb1c1813043f8cbedb84bbe46816c85f86297b61eb260719fb2cfc4f4332a616083bdd65cad4f65f2a8bab8176e224b216ce77c4103f08bc3a

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\AfBNXAoiCDbgE1OIwOL7hfuPdj7ATRrA2oREnG34c03WBzLL3NsStIHDKqYWH.exe
Filesize
626KB

MD5
9f714c85107c99c4662beef0d6f10177

SHA1
54cd8e13a2473c6b6cd4a3b6de5ed978a91a49e0

SHA256
abc671f371c86c223af9ad150dc4c86f8ad8d4ce77590553f28f9aae874bf1ca

SHA512
1990ba99b5c6ed795989cfcf1a1c9fa5c8a9f84e09d590f288f9e67dd4d0fad5848888a1cfe233b062f0df0835f84a8fa1c371f20c38a33637226173f4c04e23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\UvvnpWVQB2.cmd
Filesize
868KB

MD5
8bf8da1b0dc0af1ef000b7c1c998910e

SHA1
13777978a6d29d4e3d4722ca46c84ab57c96cc72

SHA256
a8af009597b4682b9cbe155774b8e340fdaaacc0e1af655c782e23900b2e8bd3

SHA512
73e71dde4022b4435866a79e4d74aa4055017ed3bac5ae0c5817029499ef061a9e26ca3ad82a98dd814f1accdb0c8747d2d79f7127a1eaf9cb866ec126002f14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\4YQmiYpKxZHqLPWfY.exe
Filesize
631KB

MD5
5a5ee9478e321b25c9e389d1a3639d32

SHA1
1b926c4e9aa5fe37d845cbf280353c190af7909b

SHA256
6af15af14f6ca95600ed73a520537f9de76147743ce2c74dcdad4400f176b94a

SHA512
3eaaa42a2154b0f87399a30b7d781fefabd91084a3a6d53df0192a5827ddf46cead0ae35f29267f769b39a84b74d7e8ac6e095472daa57bcea7b876598b330b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Filesize
769KB

MD5
2e08eb0b2d976bf1af629f7e9dbedf6a

SHA1
a436a006a44da3f7bf16cf7afc432f364dcd4daf

SHA256
c45552fdc36dad3ac87519334bed14e0fc4903259363f4ffaaf8a42bb5f85823

SHA512
e1efcd91853183725ffe99df65c4d322f14598cf1998590132ab56f92db362a09ff71953dbc5399a9635e5dc0d54e6f15f4c4b005a19fa7ee00d617ea7b57ea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Filesize
769KB

MD5
2e08eb0b2d976bf1af629f7e9dbedf6a

SHA1
a436a006a44da3f7bf16cf7afc432f364dcd4daf

SHA256
c45552fdc36dad3ac87519334bed14e0fc4903259363f4ffaaf8a42bb5f85823

SHA512
e1efcd91853183725ffe99df65c4d322f14598cf1998590132ab56f92db362a09ff71953dbc5399a9635e5dc0d54e6f15f4c4b005a19fa7ee00d617ea7b57ea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Filesize
769KB

MD5
2e08eb0b2d976bf1af629f7e9dbedf6a

SHA1
a436a006a44da3f7bf16cf7afc432f364dcd4daf

SHA256
c45552fdc36dad3ac87519334bed14e0fc4903259363f4ffaaf8a42bb5f85823

SHA512
e1efcd91853183725ffe99df65c4d322f14598cf1998590132ab56f92db362a09ff71953dbc5399a9635e5dc0d54e6f15f4c4b005a19fa7ee00d617ea7b57ea7

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\46cY9hXWaTEaLE4yC4h7QIrtwq07nw.bat
Filesize
1.3MB

MD5
ab0309978b08efa70e49af51241e60f1

SHA1
a8dd3d16694a6cb7dcb205c753e1a3a4dfd78cd5

SHA256
3c19a8087518369aa6f72538044f0d65714565d87e50ef07c5413f0f11a813c8

SHA512
ea55ef8763fc2ae462f674dfc0a4096ac51a9ea9a3a4b9e9428545d88853c2fc736fdc531b4c652fcf42180392b7b5289a9ebc25fe4125e4c4fff3dfd9dfab62

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\HXSaSLhRed5AYcm2mHUObZQ7Cf60QP4JMI6OI9G5z4z.exe
Filesize
578KB

MD5
92a9caf8c6528e057cf68b7b574faf37

SHA1
911387fb1a4c8626d266036f7eee17d5c372ce60

SHA256
c70a324f33999119398c60b650c54aa71acfa0ff2b973503fd9495591ffbb459

SHA512
c37810ccb9c768e03a00a55ed5ac590ec491e87b625c34aff1ee3573d61985d1333e378045d04d3592b33c65c25d4501468396c37a3a439456d36ec8142e6b43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\jVgApXcZBLC8D02krZTblRWmG8ddnz.exe
Filesize
810KB

MD5
f7e661de904fd8c1fcbf75c16b05dcb8

SHA1
6803091055dda03f908f5ab9f2922144637af51f

SHA256
7885390127b08536295ef32c5f12429ac5cf84af20bd6387e0ce2227fe1abae5

SHA512
012baf0640d08258fb2cac8f320fafb9184816fc641da786d02b9520fbcb23e37599d7601858c500069550a96e70166987b5846f131ff0f65fbb57fadaf080a6

Download Submit
\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Filesize
769KB

MD5
2e08eb0b2d976bf1af629f7e9dbedf6a

SHA1
a436a006a44da3f7bf16cf7afc432f364dcd4daf

SHA256
c45552fdc36dad3ac87519334bed14e0fc4903259363f4ffaaf8a42bb5f85823

SHA512
e1efcd91853183725ffe99df65c4d322f14598cf1998590132ab56f92db362a09ff71953dbc5399a9635e5dc0d54e6f15f4c4b005a19fa7ee00d617ea7b57ea7

Download Submit
\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Filesize
769KB

MD5
2e08eb0b2d976bf1af629f7e9dbedf6a

SHA1
a436a006a44da3f7bf16cf7afc432f364dcd4daf

SHA256
c45552fdc36dad3ac87519334bed14e0fc4903259363f4ffaaf8a42bb5f85823

SHA512
e1efcd91853183725ffe99df65c4d322f14598cf1998590132ab56f92db362a09ff71953dbc5399a9635e5dc0d54e6f15f4c4b005a19fa7ee00d617ea7b57ea7

Download Submit
\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\atj2X8X78R8K7eiELB2KkG0GWqToiiBzcMeBg0R6BS814zQVv0iqKTGSHxra4JXKOPYfC.cmd
Filesize
769KB

MD5
2e08eb0b2d976bf1af629f7e9dbedf6a

SHA1
a436a006a44da3f7bf16cf7afc432f364dcd4daf

SHA256
c45552fdc36dad3ac87519334bed14e0fc4903259363f4ffaaf8a42bb5f85823

SHA512
e1efcd91853183725ffe99df65c4d322f14598cf1998590132ab56f92db362a09ff71953dbc5399a9635e5dc0d54e6f15f4c4b005a19fa7ee00d617ea7b57ea7

Download Submit
memory/552-85-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/552-80-0x0000000000000000-mapping.dmp

Download
memory/892-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/892-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1252-78-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1252-62-0x0000000000000000-mapping.dmp

Download
memory/1252-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1252-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1524-55-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

Filesize
8KB

Download
memory/1964-76-0x0000000001030000-0x000000000105D000-memory.dmp

Filesize
180KB

Download
memory/1964-77-0x0000000001030000-0x000000000105D000-memory.dmp

Filesize
180KB

Download
memory/1964-64-0x0000000001030000-0x000000000105D000-memory.dmp

Filesize
180KB

Download
memory/1964-65-0x0000000001030000-0x000000000105D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads