d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df

Reason

Machine shutdown

General

Target

d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Size

1.6MB
MD5

36f3fda0230ca7a65772c26a6f256350
SHA1

77ae24ac1114cb28424ccfbc7b5744577a9d6dbe
SHA256

d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df
SHA512

47563b9bd36bbc0522abbfc549e6b4b98b8e973bb909118724ea8fb0212ab0691657a7975b3702f16847affcd9f50140d676c0e08ec63e1bf19d9a31f5865142
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Apy48GbchqY2PgMx2xxJqiqQJBcvcYPv7kEnBEmjRwavcSCd1iVft83IEz2.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\rmA6xZeUaoy0PhvfM4pIBSCaR48pcygvPzErf6ACNwQD1rux.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Feeds\\Feeds for United States~\\Zdy0pDukBFNXnNPp8A0.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe

Executes dropped EXE 1 IoCs

Processes:

52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd

pid process

1192 52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd

pid	process
1192	52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd

Loads dropped DLL 2 IoCs

Processes:

gpscript.exe

pid process

1760 gpscript.exe
1760 gpscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1760	gpscript.exe
1760	gpscript.exe

Modifies data under HKEY_USERS 37 IoCs

Processes:

d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exegpscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-19	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\NbzSqUWmlGE5rvzkf8LlgcwQLU1RQ7Pw04DTrzF51ckF.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\jlyoofNwKe9gWjIJbWYv1Oyndy7g0.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\sEWyTl3cC7T1sYPNmnjMZgzIRuoWXBWibqAZ48iwLgPU8P24mP7h86K5.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gpscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\lHn4ItZAegBtfwdmWdccnUDwr1f1SVjVxL15.exe\" O 2>NUL"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\63\\5iTAQLbRpU6cUUmL1po4a6wGOy8iRciZVlq3oDOdNdWIqARxa5GBrFlETmYDcK9TCFm.exe\" O 2>NUL"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a0e57e8ced00d901	gpscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\gAZJdlOowE2Sqzui7lndv4DZjT0LpNcycxatEboxqQmtURtBsnKrkeJQb0c1yNbNtyj.exe\" O 2>NUL"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\es-ES\\Ehv9Q3em0y8Gws5sRvsXI7JfgQIr5zSgqg45i1XaZP36Vj8.exe\" O 2>NUL"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Color\\Profiles\\tgqlCB9TcfRh.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe

Modifies registry class 12 IoCs

Processes:

d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\8PvpHFLPl8V1P5lPG1CJxttu2UwR5u.exe\" O"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Command Processor	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\ThirdPartyModuleList64\\FJrUasE9Q0WagaTXo7ZnDC.exe\" O 2>NUL"	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exeAUDIODG.EXE52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd

description	pid	process
Token: SeBackupPrivilege	304	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Token: SeRestorePrivilege	304	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Token: SeShutdownPrivilege	304	d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
Token: 33	940	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	940	AUDIODG.EXE
Token: 33	940	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	940	AUDIODG.EXE
Token: SeDebugPrivilege	1192	52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd
Token: SeRestorePrivilege	1192	52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

gpscript.exe

description	pid	process	target process
PID 1760 wrote to memory of 1192	1760	gpscript.exe	52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd
PID 1760 wrote to memory of 1192	1760	gpscript.exe	52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd
PID 1760 wrote to memory of 1192	1760	gpscript.exe	52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd

C:\Users\Admin\AppData\Local\Temp\d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe
"C:\Users\Admin\AppData\Local\Temp\d1127d4565a85dfe40d38b1c4dabd0890b8c3aa08633ccd5e3804983b8a666df.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1ac
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1320

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\LocalLow\Sun\Java\52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd
"C:\Users\Admin\AppData\LocalLow\Sun\Java\52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd" 1
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious use of AdjustPrivilegeToken
PID:1192

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Sun\Java\52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd
Filesize
1.8MB

MD5
041f15c4a9f4f305ac4f271fcf5e01e5

SHA1
5e5cae02efbe8f788d8c4aa6c7d6503d06c5c81d

SHA256
e77dbb77df0452143626026a632fe55c93c6ad28959d574e6a10b05392bd2753

SHA512
a39d84e0a8b38dbeb7ffdaa155d5f37c3915958bbf47eefad60b0bfbcd38bee2391d60ffebd812cced0e867cd990be310413ef1dab4ecffd24c81afdace011fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd
Filesize
1.8MB

MD5
041f15c4a9f4f305ac4f271fcf5e01e5

SHA1
5e5cae02efbe8f788d8c4aa6c7d6503d06c5c81d

SHA256
e77dbb77df0452143626026a632fe55c93c6ad28959d574e6a10b05392bd2753

SHA512
a39d84e0a8b38dbeb7ffdaa155d5f37c3915958bbf47eefad60b0bfbcd38bee2391d60ffebd812cced0e867cd990be310413ef1dab4ecffd24c81afdace011fd

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd
Filesize
1.8MB

MD5
041f15c4a9f4f305ac4f271fcf5e01e5

SHA1
5e5cae02efbe8f788d8c4aa6c7d6503d06c5c81d

SHA256
e77dbb77df0452143626026a632fe55c93c6ad28959d574e6a10b05392bd2753

SHA512
a39d84e0a8b38dbeb7ffdaa155d5f37c3915958bbf47eefad60b0bfbcd38bee2391d60ffebd812cced0e867cd990be310413ef1dab4ecffd24c81afdace011fd

Download Submit
\Users\Admin\AppData\LocalLow\Sun\Java\52aCldgXEUEu9OvLEycOLNHYQPogxgOg0FM8Cb.cmd
Filesize
1.8MB

MD5
041f15c4a9f4f305ac4f271fcf5e01e5

SHA1
5e5cae02efbe8f788d8c4aa6c7d6503d06c5c81d

SHA256
e77dbb77df0452143626026a632fe55c93c6ad28959d574e6a10b05392bd2753

SHA512
a39d84e0a8b38dbeb7ffdaa155d5f37c3915958bbf47eefad60b0bfbcd38bee2391d60ffebd812cced0e867cd990be310413ef1dab4ecffd24c81afdace011fd

Download Submit
memory/304-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/304-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/304-57-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1192-63-0x0000000000000000-mapping.dmp

Download
memory/1192-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1760-65-0x0000000000FD0000-0x0000000000FFD000-memory.dmp

Filesize
180KB

Download
memory/1980-56-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads