Analysis
- max time kernel: 12s
- max time network: 32s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-01-2024 12:25
Static task: static1
Behavioral task: behavioral1
- Sample: 5b3b205391d33ff3e85780985bd44398.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 5b3b205391d33ff3e85780985bd44398.exe
- Resource: win10v2004-20231215-en
Errors
General
- Target: 5b3b205391d33ff3e85780985bd44398.exe
- Size: 2.6MB
- MD5: 5b3b205391d33ff3e85780985bd44398
- SHA1: 408bda11e611b5b5b4a7d4ab952722c5c5ca395f
- SHA256: 6ea34f6a117de5a499a46a7713523817b222ae7ff483861fb41212edb59878cf
- SHA512: cac77c9cf536e02ec12b624336739382322e85b9427eec7ccae89a905d873b172d4c6b8fdb1128ecec61e45e2a4b3fb0303fbca25b0001ef952a6ef3042c5b74
- SSDEEP: 3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 7 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\XjMVdb2rlvcT56vM.exe\" O" | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\pl-PL\\igkSd8ObWow.exe\" O" | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\LdXKAWPtPfm8cs8g3un9Otxgxy.exe\" O" | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | w5pIr8OkXHy3hnow9getMtQyB.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.6_0\\_locales\\pl\\EoiL3vBT8SZDKq7djCr79ELG0Y90tPBp8Pw8cPDQrU8uGGKdJ7LH2gMOE7cFrPrRszJr.exe\" O" | w5pIr8OkXHy3hnow9getMtQyB.exe
Sets file execution options in registry (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe | w5pIr8OkXHy3hnow9getMtQyB.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " " | w5pIr8OkXHy3hnow9getMtQyB.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe | w5pIr8OkXHy3hnow9getMtQyB.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " " | w5pIr8OkXHy3hnow9getMtQyB.exe
Executes dropped EXE (1 IoCs)
  pid | Process
  3836 | w5pIr8OkXHy3hnow9getMtQyB.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (64 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\SBY9YcW3mLV9LC9In3qDu8sFQLCZH4Q0JHtKZzF.exe\" O" | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Parental Controls\\settings\\yCgxBKELIoRjT.exe\" O 2>NUL" | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-19 | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\GameDVR\\9izfIEKwWTSIqORzgshyjsmCiG1dW9d.exe\" O 2>NUL" | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\.DEFAULT | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\3RLag4qt4hLHHIbZKA0sMsM9X4.exe\" O" | w5pIr8OkXHy3hnow9getMtQyB.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\j4VhtilNegGhOxJEUkfuR88O6ItfV00BRSnQQ.exe\" O" | w5pIr8OkXHy3hnow9getMtQyB.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\MeF4cCRziJRuCNJf27MNWoMmZMaNYj93Kqt2.exe\" O 2>NUL" | w5pIr8OkXHy3hnow9getMtQyB.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\ru-RU\\5NSIVJdnJgzq4W8EPkC9g6MSWcIxJ63GjpQVQC.exe\" O 2>NUL" | w5pIr8OkXHy3hnow9getMtQyB.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{34936d15-aae0-443f-992a-b40ef439a9d7}\\Op76rkLX16DhY9rVtpDGgO8688dVfMznvffucay5cPhwyXcGeakZJoXiGzBVe9GKXX.exe\" O" | w5pIr8OkXHy3hnow9getMtQyB.exe
  Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\QSF7tTNptQGgSFg0CYcuNEYFZJ6dMnqKx5M9t6rlvXMsNXXpzxTWoajWEsHg94j4L.exe\" O 2>NUL" | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Hs5bminyk4zxmSihixnrJqznGFRJKvnpwltPe7sHtMkKeAk50Zj9o5AFgf08v38.exe\" O 2>NUL" | w5pIr8OkXHy3hnow9getMtQyB.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Microsoft\\CryptnetUrlCache\\Content\\dirUFO5Ng15qM4Z0LDOl01djEV8iUG5fwlJk3XPJrTvlsrmcVEq9mvdfZPf2P9DCS0e7x1a.exe\" O" | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\qml\\QtQuick\\Extras\\rI5aImUhLpS9kE2iU0EXFOi44AmTrseLvPl98tXuKZ.exe\" O" | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | gpscript.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor | w5pIr8OkXHy3hnow9getMtQyB.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | w5pIr8OkXHy3hnow9getMtQyB.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "63" | LogonUI.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\SoftwareDistribution\\9j6qItHsji.exe\" O 2>NUL" | w5pIr8OkXHy3hnow9getMtQyB.exe
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor | w5pIr8OkXHy3hnow9getMtQyB.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | w5pIr8OkXHy3hnow9getMtQyB.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\\LOL3rsuqfJ.exe\" O 2>NUL" | w5pIr8OkXHy3hnow9getMtQyB.exe
  Key created | \REGISTRY\USER\S-1-5-20 | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | gpscript.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | w5pIr8OkXHy3hnow9getMtQyB.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Apps_{34936d15-aae0-443f-992a-b40ef439a9d7}\\WFx2jQAGm3jwSi7qANdTNio3uMNJfihGNq4OS6BOsWZJ4mAiOXdKuWBRMhXVEc.exe\" O" | w5pIr8OkXHy3hnow9getMtQyB.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\7SEfGHzMJTPAQ1q2E5j2YjKT6NdRuJyHFKu9Xi8NSE0U9CDw0.exe\" O 2>NUL" | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}v48.100.4028\\x4EpU6eMvJaaqgPCXqJ8jnhWSLTweW8lhCrNxaV4BPTCqL0w2hzYqQK.exe\" O" | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor | w5pIr8OkXHy3hnow9getMtQyB.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 5b3b205391d33ff3e85780985bd44398.exe
Modifies registry class (10 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\E6w3b2QHbZthEPjEgaMfn7j6dQo5iHq.exe\" O" | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\SOFTWARE\Microsoft\Command Processor | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\SOFTWARE | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\SOFTWARE\Microsoft | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\SOFTWARE\Microsoft\Windows | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies | 5b3b205391d33ff3e85780985bd44398.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData\\qJ8A5eKkMd1OdNLeiJW85jSTLZqtE.exe\" O 2>NUL" | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 5b3b205391d33ff3e85780985bd44398.exe
  Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 5b3b205391d33ff3e85780985bd44398.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 1520 | 5b3b205391d33ff3e85780985bd44398.exe
  Token: SeRestorePrivilege | 1520 | 5b3b205391d33ff3e85780985bd44398.exe
  Token: SeShutdownPrivilege | 1520 | 5b3b205391d33ff3e85780985bd44398.exe
  Token: SeDebugPrivilege | 3836 | w5pIr8OkXHy3hnow9getMtQyB.exe
  Token: SeRestorePrivilege | 3836 | w5pIr8OkXHy3hnow9getMtQyB.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4580 | LogonUI.exe
Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 3700 wrote to memory of 3836 | 3700 | gpscript.exe | 111
  PID 3700 wrote to memory of 3836 | 3700 | gpscript.exe | 111
Processes
- C:\Users\Admin\AppData\Local\Temp\5b3b205391d33ff3e85780985bd44398.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b3b205391d33ff3e85780985bd44398.exe"
  PID: 1520
  - Adds policy Run key to start application
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3982855 /state1:0x41c64e6d
  PID: 4580
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /Shutdown
  PID: 3700
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\w5pIr8OkXHy3hnow9getMtQyB.exe
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\w5pIr8OkXHy3hnow9getMtQyB.exe" 1
    PID: 3836
    - Adds policy Run key to start application
    - Sets file execution options in registry
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\w5pIr8OkXHy3hnow9getMtQyB.exe
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\w5pIr8OkXHy3hnow9getMtQyB.exe" 2
  PID: 4072
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 94KB
  MD5: b42f0cc80349be918a559f7779754d2f
  SHA1: d212ed139ffd15e663aa2ebd9438c6dbc23b4613
  SHA256: d9d82b37a5eec8543cb649cfaa94d399277deb6acfae654b0cb85aac7b81842d
  SHA512: a10ee4921a57a9b17d326f22b6beca4cbd01f9d7da87c5bb9bcce1a31109a4a835ad45e801cf446d8a561f47edbfadabbb8cb23746888f05495209dbae857c21
- Filesize: 546KB
  MD5: 2d29be7d6e6b48e1e5584296bd796f71
  SHA1: a90f177f3e26a9272a313a04774efb5a7ea1ba76
  SHA256: 25975a708c9646a6cd36bb9d78a500afe18434bc358b0ff9165f044d2445a6ee
  SHA512: 55ffe66d8daae741abb8a4aef6c3344da0dcfc93f38d3ee4813abf8259a35815e60ed4fc291907d89281add171c33f7bc242439d749fed570fea43b8c21b819b
- Filesize: 810KB
  MD5: c2e88ea6566c8adbeea031f6e3854312
  SHA1: 5a302ac50b579fb45b75f60aa5ef1123a28a912e
  SHA256: 7851b570564138910a9e0414af62296ec9c4d417f7e825d1bb5811ccab7ed8ac
  SHA512: 96d62e0d96cf7eca653ccd0a53bf64823d4dfe640d2ccb18c9c403c039edb82e23b01bcbe489fa3d4effd4dc45013b597eea882fbc2570c98d7c9e2b6eab1362
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Extras\rI5aImUhLpS9kE2iU0EXFOi44AmTrseLvPl98tXuKZ.exe
  Filesize: 576KB
  MD5: b6f95a35e9d79ed83cb0fb83b6fcef9d
  SHA1: 3bdf73d189de26570e0ec19eba4b42d7bdb28ca5
  SHA256: 67560fd424241a0e212c6ca454dbbdf6d3c8f21f31660d9beff6da48820ac76a
  SHA512: d71604dc3dcc37d2084ab099f811c8be5b183580997fbfde7d3a9fcf8a5c2b6d182c3dcd6e584c2699e032fe3b8ec9850705de16a9939d35646d185aeb4256b4
- Filesize: 1.9MB
  MD5: ada7c110f9b9fb4c9299daeb634e02df
  SHA1: 3075bfbb8cc296b4583e627c9cea7a00bbc6104a
  SHA256: f25e58773ecb1b49f96d787f0e52e1669cb553a38c8caa7b1fa4df89970962c6
  SHA512: c5ef4f5a541f5aba20798343d7b2b0fcea68c3e5be7fb072f06991801e4d06f7decbf460705aafe51c3f7b6219a2143a56f38619a1092e0acc83cf2a221b7814
- Filesize: 925KB
  MD5: 55fa9ed370c30363f0e9f03e0021f01c
  SHA1: 2542206e4cdb807c1b4bdffa1b6ad2e80ceb5d91
  SHA256: 28da68499e9b17d57788ff8098de17d1806b2ec8399b80e271710ce0b1bd99bd
  SHA512: d1a6c807261f07215b05d2641c563c470c8ae18fc685e9d8e65d26f4192da4cde7c4f67fd5c9b57ecb3027b69162de888171c55e10fccddb3b294e114f97f5ce
- Filesize: 1.0MB
  MD5: 96999c59b791639e0d9a3c40555cd167
  SHA1: fd80ac95194e726e159e8b646b96af1e301644df
  SHA256: 203031e9b1e82526c441be7bb259b4cfa9b21374092c7a2acc4153478a374a2d
  SHA512: 672f2a7c55211105e71f3aa2ce6e7762f20e9c13c67922bfed0df5cd518bf2bff2f7bdd6ba3738b3ed351638dcb83cc6d03bbb73d59347b0e4e846bec54d16d6
- Filesize: 518KB
  MD5: eb83a58df37f10a0fec85eeb6c45913b
  SHA1: e0d7c58e3aab9d5a79d3121169a4a4e613301125
  SHA256: 848f591a01308a825303463f62daefc58ca7a1879ffe64b95c398da73b6c28a6
  SHA512: f77a2229b0eedf1e62401d832337973f9c81b6ed9d3695814794ba2c50bfecf2d114f331ef86cece1c018c177a14278f18d2ea8ad8c5387a1196b233963c2be2
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\dirUFO5Ng15qM4Z0LDOl01djEV8iUG5fwlJk3XPJrTvlsrmcVEq9mvdfZPf2P9DCS0e7x1a.exe
  Filesize: 642KB
  MD5: ca90f894d1d3b5b39facd0acd8652a6c
  SHA1: 36e75d2ed962ad74aad6127d4c4d1c14696aa981
  SHA256: f48b45cab722ae4c1fc07c84992dbc33280d6e43f642ac2bbfbed63bd824dd54
  SHA512: d4f35397aff20c44da6eb706722a728435533da3992753c35279ca7ea514ee2bebf3c071593021531369a7e6ef82b25bcbeb19b772a31147de41b40f123b6e4d
- C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData\uGTQfgaNF4bGF95xzH03ZKFiZzyje5cT2gmHAAk3GpM5AtOIntguq0E3WMyEYjPkhCBsz.exe
  Filesize: 64KB
  MD5: 003bce03f63eb63dec992faacd5150f8
  SHA1: ed64c9d32dc0d72ddcf47ae311b852a2b7082235
  SHA256: 08727a3c984361e1077326be2ec6f2f68fecc22b0e2a61347a80c9e8daa67506
  SHA512: 3ee190a92b9ca8aeae201e46d3fbda387cd13bae382db09565692ec3c423d586d83ccc547fc3d2a1f3f581952b33bd11e23ea801ee2666178b477e1d66f27468
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\9RhRb96VPIU8IpWDJbQ339HHnO6bfOTYUfn9hqjdM0wN4G6W7pFhn2TjhqSpRkNz.cmd
  Filesize: 615KB
  MD5: 351c1adbcbb380a1e61325f6b05e6bf5
  SHA1: c73ff6d4c4482fca09799d5096cc080a921791e4
  SHA256: 1e908394462e32450b2cb957e97b0f357a62798b21b233b3d8148625323d5a32
  SHA512: 744c7b1304f8ce601b1213d13e04dfe6371b6aa17d31ecf86bcf7bd2b7f95087a23237120b6e3b89b23ed633ca243c48432c0eb2fc7ab67cbe1f4fc44dd31d1f
- C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\7SEfGHzMJTPAQ1q2E5j2YjKT6NdRuJyHFKu9Xi8NSE0U9CDw0.exe
  Filesize: 689KB
  MD5: f77705eb87318010db719f1568849af5
  SHA1: 0c7d1913268c3d58482327be8ad676a3d31dd107
  SHA256: 6022f2d24d87b1c69346bb9d888b8b13313f3d30076236add3452d0cd4564a96
  SHA512: 8f6c35dab11b0ca4a6059cd1805ee70b2bfe79d6df803bbde6cb34cc479bd9981bdd1f24426ccc30f873aa219424c7f542c4398e45a80850ce5f5552d2358682
- C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\QSF7tTNptQGgSFg0CYcuNEYFZJ6dMnqKx5M9t6rlvXMsNXXpzxTWoajWEsHg94j4L.exe
  Filesize: 952KB
  MD5: b7aea418d57a3514a81f7f4672859cf7
  SHA1: 697b96d0a81aa15c4421c24d4661fb18ee8a388e
  SHA256: dbee41641d46165ba2b9fca35fe3cebb8c882695e1406c2708be1476d7ce6aa4
  SHA512: 99bd32a8eca61979b40e67ef30465c9e36e1fae795d4d85e194a552f6f2ea8638383721284a1821d1a4176a7240ba56fef1602c8055084b3c27b8b66b05fd43f
- C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\QSF7tTNptQGgSFg0CYcuNEYFZJ6dMnqKx5M9t6rlvXMsNXXpzxTWoajWEsHg94j4L.exe
  Filesize: 1.2MB
  MD5: 6d0b5598071cc432a3afd4d00ed1dbb9
  SHA1: d0d70b71fd122bd314f5b7d890058a1ac3a39dba
  SHA256: 6fcb1d03f0f384ecd3fc8e56a8e0d9020a92476a7ddf90635232ef46a0a9ae55
  SHA512: 912b012298e91e37ffa651965361047987287aa07f865d488dbdc4737dda0a4b911fdca32f39f3e10cfadbcb22659f8bc1a1adfb2f024046e861b40489b8cd59