35866cc2ea5937dbe0c4df8fbd429633043ba26b3d80199cd628f0f8a491286a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 12:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe
Size

130KB
MD5

305cd06c536c9df79b687c1898d3709d
SHA1

6afe6dcf3afac18476883ab6407c3e91ec7c8dc7
SHA256

35866cc2ea5937dbe0c4df8fbd429633043ba26b3d80199cd628f0f8a491286a
SHA512

5f5794789731a819795fe43d35d6a820d1661578d9731b4efef8666fea054b1d4c5702f0f398e04bdab7eb125336fc5dbaf4549dc14a6d7daeec0de396a22195
SSDEEP

1536:JsuQJc7vZ1bZjgf8pC++5B3ZOk4EEJtlY463Q8asf74pIpJJR7EJTZ:JQc7fbZs0pb+5L/3EJtlYdA8aS74goZ

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 4 IoCs

flow	pid	Process
17	776	rundll32.exe
18	776	rundll32.exe
35	776	rundll32.exe
47	776	rundll32.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventSystem\Parameters\ServiceDll = "C:\\Windows\\system32\\EventSystem.dll"	avp.exe

Executes dropped EXE 2 IoCs

pid	Process
3856	wmimgmt.exe
884	avp.exe

Loads dropped DLL 1 IoCs

pid	Process
776	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	wmimgmt.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hongzquit.dat	avp.exe
File created	C:\Windows\SysWOW64\EventSystem.dll	avp.exe

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
3376	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2124	tasklist.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4136	ipconfig.exe
984	NETSTAT.EXE
2756	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2676	systeminfo.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3628	NotePAD.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeBackupPrivilege	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe
Token: SeBackupPrivilege	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe
Token: SeBackupPrivilege	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe
Token: SeRestorePrivilege	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe
Token: SeBackupPrivilege	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe
Token: SeBackupPrivilege	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe
Token: SeBackupPrivilege	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe
Token: SeRestorePrivilege	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe
Token: SeBackupPrivilege	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe
Token: SeRestorePrivilege	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe
Token: SeBackupPrivilege	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe
Token: SeRestorePrivilege	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeRestorePrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeIncBasePriorityPrivilege	884	avp.exe
Token: SeIncBasePriorityPrivilege	884	avp.exe
Token: SeDebugPrivilege	2124	tasklist.exe
Token: SeDebugPrivilege	984	NETSTAT.EXE
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeRestorePrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe
Token: SeBackupPrivilege	3856	wmimgmt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 3856	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe	86
PID 2540 wrote to memory of 3856	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe	86
PID 2540 wrote to memory of 3856	2540	305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe	86
PID 3856 wrote to memory of 884	3856	wmimgmt.exe	87
PID 3856 wrote to memory of 884	3856	wmimgmt.exe	87
PID 3856 wrote to memory of 884	3856	wmimgmt.exe	87
PID 884 wrote to memory of 1580	884	avp.exe	88
PID 884 wrote to memory of 1580	884	avp.exe	88
PID 884 wrote to memory of 1580	884	avp.exe	88
PID 884 wrote to memory of 3628	884	avp.exe	89
PID 884 wrote to memory of 3628	884	avp.exe	89
PID 884 wrote to memory of 3628	884	avp.exe	89
PID 884 wrote to memory of 776	884	avp.exe	90
PID 884 wrote to memory of 776	884	avp.exe	90
PID 884 wrote to memory of 776	884	avp.exe	90
PID 884 wrote to memory of 3368	884	avp.exe	91
PID 884 wrote to memory of 3368	884	avp.exe	91
PID 884 wrote to memory of 3368	884	avp.exe	91
PID 3856 wrote to memory of 1928	3856	wmimgmt.exe	92
PID 3856 wrote to memory of 1928	3856	wmimgmt.exe	92
PID 3856 wrote to memory of 1928	3856	wmimgmt.exe	92
PID 1928 wrote to memory of 3876	1928	cmd.exe	94
PID 1928 wrote to memory of 3876	1928	cmd.exe	94
PID 1928 wrote to memory of 3876	1928	cmd.exe	94
PID 1928 wrote to memory of 3384	1928	cmd.exe	95
PID 1928 wrote to memory of 3384	1928	cmd.exe	95
PID 1928 wrote to memory of 3384	1928	cmd.exe	95
PID 1928 wrote to memory of 1460	1928	cmd.exe	96
PID 1928 wrote to memory of 1460	1928	cmd.exe	96
PID 1928 wrote to memory of 1460	1928	cmd.exe	96
PID 1460 wrote to memory of 1012	1460	net.exe	97
PID 1460 wrote to memory of 1012	1460	net.exe	97
PID 1460 wrote to memory of 1012	1460	net.exe	97
PID 1928 wrote to memory of 3968	1928	cmd.exe	98
PID 1928 wrote to memory of 3968	1928	cmd.exe	98
PID 1928 wrote to memory of 3968	1928	cmd.exe	98
PID 3968 wrote to memory of 3696	3968	net.exe	99
PID 3968 wrote to memory of 3696	3968	net.exe	99
PID 3968 wrote to memory of 3696	3968	net.exe	99
PID 1928 wrote to memory of 2124	1928	cmd.exe	100
PID 1928 wrote to memory of 2124	1928	cmd.exe	100
PID 1928 wrote to memory of 2124	1928	cmd.exe	100
PID 1928 wrote to memory of 2676	1928	cmd.exe	102
PID 1928 wrote to memory of 2676	1928	cmd.exe	102
PID 1928 wrote to memory of 2676	1928	cmd.exe	102
PID 1928 wrote to memory of 4324	1928	cmd.exe	104
PID 1928 wrote to memory of 4324	1928	cmd.exe	104
PID 1928 wrote to memory of 4324	1928	cmd.exe	104
PID 1928 wrote to memory of 3588	1928	cmd.exe	105
PID 1928 wrote to memory of 3588	1928	cmd.exe	105
PID 1928 wrote to memory of 3588	1928	cmd.exe	105
PID 1928 wrote to memory of 2824	1928	cmd.exe	106
PID 1928 wrote to memory of 2824	1928	cmd.exe	106
PID 1928 wrote to memory of 2824	1928	cmd.exe	106
PID 1928 wrote to memory of 532	1928	cmd.exe	107
PID 1928 wrote to memory of 532	1928	cmd.exe	107
PID 1928 wrote to memory of 532	1928	cmd.exe	107
PID 1928 wrote to memory of 3808	1928	cmd.exe	108
PID 1928 wrote to memory of 3808	1928	cmd.exe	108
PID 1928 wrote to memory of 3808	1928	cmd.exe	108
PID 1928 wrote to memory of 1492	1928	cmd.exe	109
PID 1928 wrote to memory of 1492	1928	cmd.exe	109
PID 1928 wrote to memory of 1492	1928	cmd.exe	109
PID 1928 wrote to memory of 3676	1928	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\305cd06c536c9df79b687c1898d3709d_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\ProgramData\Application Data\wmimgmt.exe
  "C:\ProgramData\Application Data\wmimgmt.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\avp.exe
    C:\Users\Admin\AppData\Local\Temp\avp.exe
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\avp.exe" /A /F /Q> nul
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\NotePAD.exe
      NotePAD.exe "C:\Users\Admin\AppData\Local\Temp\VMvareDnd.log"
      4⤵
      Opens file in notepad (likely ransom note)
      PID:3628
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Windows\system32\EventSystem.dll",TStartUp 0x11
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\avp.exe" /A /F /Q> nul
      4⤵
      PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
      4⤵
      PID:3876
  - - C:\Windows\SysWOW64\chcp.com
      chcp
      4⤵
      PID:3384
  - - C:\Windows\SysWOW64\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:1012
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:3696
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2124
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2676
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
      4⤵
      PID:4324
  - - C:\Windows\SysWOW64\find.exe
      find "REG_"
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
      4⤵
      PID:532
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
      4⤵
      PID:3808
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
      4⤵
      PID:3676
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
      4⤵
      PID:4936
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4136
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:984
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      PID:2532
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -r
      4⤵
      Gathers network information
      PID:2756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
        5⤵
        
        PID:3112
      - C:\Windows\SysWOW64\ROUTE.EXE
        
        C:\Windows\system32\route.exe print
        6⤵
        
        PID:680
  - - C:\Windows\SysWOW64\net.exe
      net start
      4⤵
      PID:4532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start
        5⤵
        
        PID:844
  - - C:\Windows\SysWOW64\net.exe
      net use
      4⤵
      PID:3956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo n"
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\net.exe
      net share
      4⤵
      PID:4396
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share
        5⤵
        
        PID:2528
  - - C:\Windows\SysWOW64\net.exe
      net view /domain
      4⤵
      Discovers systems in the same network
      PID:3376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "------"
      4⤵
      PID:4404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "domain"
      4⤵
      PID:3356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "¬A╛╣"
      4⤵
      PID:4788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      PID:1576
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "░⌡ªµª¿"
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "├ⁿ┴ε"
      4⤵
      PID:3804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "completed successfully"
      4⤵
      PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Application Data\wmimgmt.exe

Filesize
130KB

MD5
305cd06c536c9df79b687c1898d3709d

SHA1
6afe6dcf3afac18476883ab6407c3e91ec7c8dc7

SHA256
35866cc2ea5937dbe0c4df8fbd429633043ba26b3d80199cd628f0f8a491286a

SHA512
5f5794789731a819795fe43d35d6a820d1661578d9731b4efef8666fea054b1d4c5702f0f398e04bdab7eb125336fc5dbaf4549dc14a6d7daeec0de396a22195

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC#CCD.tmp

Filesize
181B

MD5
49f51bd841a21c00255fdfeaa7d16d3b

SHA1
c8bb61611a6ed4771d06d30fb7f6fcf113e4641e

SHA256
9247284bea9b243dc72f07ca15ef100c03683c4066dc3b8d05898083b9cafa4f

SHA512
11323e1d41267cbd1504859dc4e78c44c0fe9ae4f5c2fcb28b67d10b2f5fd96ec007f151c101fcec60770dd2f0ccbc1df739985b4869a3f98fc8b6625b7a286d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC#D6B.tmp

Filesize
311B

MD5
5b47bd27ce2ead22bcbd666b891bb753

SHA1
67fb4e825b16735bfc62a08dcc7866327441d976

SHA256
3332f998c77bcb7959e0133d36f2ee4308deb63ba8f66cecd40a1ca156518e58

SHA512
fc7baa4558c8b0475f0420cddfdff90abde7633a0eca45ea813b0f465756f593ba19bb911aacfc23c5e2e67e8b6fcab419583e1c06759d1d48cc4da109661b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC#FBE4.tmp

Filesize
55B

MD5
9da78c06e728a4dd0fb39cc931e13745

SHA1
2b5ef9bccdcb87ced6a53cf8605d9664a8b3e8f6

SHA256
34415dee19e7fff291cf2b0cc7c355447436711ee24b0005e2392cac1758d53a

SHA512
7a7a5a273f50f97250f7d4302411be719d0d3196644e2da9a25e8f73ca682430a0b0411d9fde6153bcd35af50d2f54f9da1efc37314362d003cf3603b6f47e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
43B

MD5
fed0cfa560656c38d46d58d373d7d4ba

SHA1
3e5a5e0fc3d721a1bdf8e67930fe7cc5be0e6dac

SHA256
59338bc52dfc5e190a1c57dea588819e01871d13b8f1df5f991dcf098039eb1d

SHA512
7e821f3866202be74047578948404a7e74cd5fe5214722c2f912329b40b8bd36d148203eca98ff94917b87d2ad31bd5a8a60eccc2551ed179495f4e76b13515b

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
11KB

MD5
b7b2ad5fdc91d17b11765a0a95e1e4db

SHA1
c1880ab2238fc44835342054df65cad9c1d374a0

SHA256
e5ad505a270615a1afc154412a70ef31235a3d98b32900ee3bf2a009fffe1d65

SHA512
1abcb7a8c88a66857d9508e1dcd4c5771fe64ee54c197195b736333edfe6e71fed370ed63fe7f6317ce0212fb28467bf66ca09e0a22d80d54a5ddc93b0c1878a

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
21KB

MD5
0d5cc4ab370462ce81f80a4d6288430d

SHA1
25e73146482132381c939196f34b332d160d7309

SHA256
c34a3e26a0cfa8d5ba1ab6af09079dbcee1fbcb2d59484682181df4a9973e1e4

SHA512
6b669c5b95469cbf9d42c9008c6257d0cea86f5363b701c167f3605cb3bb04a4a005820a26f1d0b875ec5d4c8197a634ece13fb3f41db47f5311df37225a9c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
37.5MB

MD5
a59b403a622114c6c97c2fc1e0d65a05

SHA1
3705c876047f5d099a9c01eed9be71e7e999046a

SHA256
7f811ff455141adbf32519e0b5ad51758787c9e11806f60f4260a73d8fd90cd2

SHA512
7fe874bcaea0c98ec0acbe9f92897ccc1dda075485e6b34f23729f46306351a9b379f454beba93c676dc76a10c83f0625d35bfcca39c0f83df193bde1343c139

Download Submit
C:\Users\Admin\AppData\Local\Temp\avp.exe

Filesize
72KB

MD5
ec888fb39c475f42e61b646e0b072ad4

SHA1
5b66e53fe6eb11f7ab98f8a3e3ba7476b40438c4

SHA256
e766d53429ae9a4898f2f74edcce2b7c9e34bbf4aed7091f591c246eaf0af844

SHA512
9801940c2641109674cce96a7de6573ef18e28b695d9b8a6433c538c3efb4a11921f9d53c235bb22c844c49baad0f3544c425d1840f3dc416b06a07dfeedd2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\drivers.p

Filesize
15B

MD5
4ff8e80638f36abd8fb131c19425317b

SHA1
358665afaf5f88dfebcdb7c56e963693c520c136

SHA256
6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626

SHA512
d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghi.bat

Filesize
3KB

MD5
b98e8fcde49a1caee295a6bd3d264e56

SHA1
71c82391a8617212ad48c8d79755e71be2e20be9

SHA256
e369c7e2e7ac0280882693038b213be0309c910df62f35a5159a125ecd18fb9a

SHA512
fb5fa414449e7dd4ce1fedcb92487f59ed18d7fbd3146eb59ec8f7256d68551adebb7d35e859fe7b6bce5a0b042b0de1e9ee56369a8686976dd121b44ff46742

Download Submit
C:\Users\Public\Documents\Media\line.dat

Filesize
422B

MD5
4b391677505f768f076be872e62f5ac1

SHA1
0c394fbc989a88f12844f564c563eaed83dd145c

SHA256
efddfed267d2779599ea40d4afe6e6d1ab0d8693a3a28d114797e7d3e8dced52

SHA512
644b0b4d2ade22db85d2121bafb18c0778d4370b586524c365615206a06d97c659ad6d22b601a6fb85df2c237a6fa226f055674b8071ec2977da701d81a8de61

Download Submit
C:\Windows\SysWOW64\EventSystem.dll

Filesize
60KB

MD5
66619fc139964fa43428cf904f62cf32

SHA1
b91a5969f241e73476595f52d5b976026ef32edf

SHA256
c5344560b0add73121b5d082f972781408e029a24924ca8d4afbb02e7a5e4119

SHA512
984a021438c8f236b2e0c267b89953a541897b1e53c09b03982eef83030d5370f19e05d2163fc364e5b5745562946a935fd9eea0c488529cc038b32174c3dfe0

Download Submit
memory/2540-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2540-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3856-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3856-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads